While our automated scanning and UpGuard's security questionnaires are key tools for assessing your vendors, existing documentation and information publicly available on a vendors website can often provide a lot of useful information to help you assess your vendors.

Our additional evidence feature allows you to capture, store and review both security or compliance-related documentation, and links to publicly available security information.

Using additional evidence documents as part of your vendor risk assessment , and help make them more comprehensive and efficient.

Organizations who have undergone and audit or security review may have existing certificates, audit reports, questionnaires or other documentation that demonstrate a level of compliance, and / or provide significant detail about their security policies and procedures. These documents can provide insights into the vendor's security posture and attack surface, and can support (or and in some cases may even alleviate) the need for sending a security questionnaire.

Some suggestions for useful documentation to include as additional evidence are: SOC 1 or SOC 2 reports, ISO 27001 certificates, Audit reports, Penetration test results, or Breach or Incident disclosure details.

You can capture and store this security or compliance-related documentation in UpGuard and add any identified risks.

To learn more about how to use this feature see How to capture additional evidence

Many organizations have detailed trust, privacy and security pages on their websites, including details of their security procedures, policies and certifications and links to key reports and certificates. These provide useful information to help you assess and understand the risk and maturity level of an organisation. UpGuard stores trust and security pages against each organisation, to make it easier to source, access and review this information when performing vendor risk assessments.

To learn more about how to use this feature see How to Use Trust and Security Pages in UpGuard