Full Vendor Lifecycle Management

From initial onboarding through procurement, security assessment, continuous monitoring, and annual reviews — every phase is tracked, automated, and audited.

The Vendor Journey

A structured workflow ensures no vendor slips through the cracks.

1. Onboarding

Structured intake form captures vendor metadata, data security questions, and FAIR analysis inputs. Autosave via AJAX prevents data loss. Stakeholders are assigned as owners, reviewers, or observers.

2. Security Assessment

Template-driven questionnaires are sent to vendors via secure UUID links — no account required. ISO 27001 and Tier 2 templates included out of the box. All file uploads are encrypted at rest.

3. FAIR Analysis

Risk analysts run the FAIR calculator to produce ALE figures. Assessment submission auto-creates a draft FAIR analysis, pre-populating data from the vendor's security responses.

4. Continuous Monitoring

Once approved, vendors enter tier-based SRS monitoring. UpGuard and Shodan scores are tracked over time. Score drops and overdue rescores surface in the Cyber Todo dashboard.

5. Annual Review

Reviews are scheduled one year from vendor approval. Email reminders fire at 30 days, on due date, and every 7 days when overdue. Stakeholders complete a structured review form.

6. Ongoing Governance

The Cyber Todo dashboard aggregates action items: expiring certificates, overdue rescores, score drops, unapproved vendors, and custom tasks into one prioritized view.

Structured Vendor Onboarding

The onboarding form is the entry point for every vendor relationship. It captures everything needed to assess risk, assign responsibility, and begin the security evaluation process.

  • Vendor metadata: name, domain, type, industry, contact info
  • Data security: PII/PHI exchange, cross-border transfers, remote access
  • FAIR inputs: record counts, business impact, daily operational costs
  • Stakeholder assignment with owner, stakeholder, and reviewer roles
  • Status workflow: Draft → Submitted → In Review → Approved → Active
  • CSV bulk import with duplicate detection

Form Fields: 50+ columns
Autosave: Every keystroke
Bulk Import: CSV
Permission-Aware: Per-role visibility
Stakeholder Roles: 3 types

Template-Driven Assessments

Vendors complete security assessments through public-facing forms accessed via unique UUID links. No vendor account is needed, reducing friction while maintaining security through CSRF protection and encrypted file storage.

  • ISO 27001:2022 comprehensive ISMS questionnaire
  • Tier 2 streamlined assessment for lower-risk vendors
  • Custom templates with sections, question types, and file uploads
  • Autosave on every response to prevent data loss
  • All uploaded files encrypted with AES-256-CBC at rest
  • ISO certificate upload option to skip detailed questionnaire

Access Method: UUID link
Built-in Templates: 2 default
Question Types: 6 types
File Encryption: AES-256-CBC
CSRF Protection: Token rotation

Automated Annual Reviews

Fair TPRM ensures vendor relationships are re-evaluated on schedule. Reviews are automatically due one year from approval, with a three-tier email reminder system that prevents anything from falling through the cracks.

  • Automatic scheduling one year from vendor approval
  • Email reminders at 30 days, on due date, and weekly when overdue
  • Structured completion form for stakeholders
  • Scope change tracking and updated contact information
  • Complete review history per vendor
  • SMTP delivery with configurable email settings

30-Day Reminder: Automated
Due Date Reminder: Automated
Overdue Reminders: Every 7 days
Review History: Full archive
Cron Managed: With locking
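Added example, not Fair TPRM's own code: a Python sketch of the reminder rule above (30 days before the due date, on the due date, then every 7 days while overdue) that decides from the last reminder actually sent rather than an exact calendar match, so a day the cron job did not run is caught up instead of skipped, together with the kind of non-blocking flock guard a locked cron job uses. Function names, the lock path and the reminder labels are assumptions.

```python
from datetime import date, timedelta
import fcntl
import os
import tempfile

REMINDER_DAYS_BEFORE = 30   # first notice before the due date
OVERDUE_INTERVAL_DAYS = 7   # repeat cadence once overdue
LOCK_PATH = os.path.join(tempfile.gettempdir(), "fair_tprm_reviews.lock")  # assumed path

def review_due_date(approved_on):
    """Review is due one year after approval (Feb 29 rolls to Feb 28)."""
    try:
        return approved_on.replace(year=approved_on.year + 1)
    except ValueError:
        return approved_on.replace(year=approved_on.year + 1, day=28)

def reminder_to_send(approved_on, today, last_sent=None, completed=False):
    """Return "30_day", "due", "overdue" or None for one vendor today.

    Keying on the last reminder actually sent (not an exact calendar match)
    means a day the cron job did not run is caught up instead of skipped.
    """
    if completed:
        return None
    due = review_due_date(approved_on)
    warn_from = due - timedelta(days=REMINDER_DAYS_BEFORE)
    if today < warn_from:
        return None
    if today < due:  # inside the 30-day window: one notice
        return "30_day" if last_sent is None or last_sent < warn_from else None
    if last_sent is None or last_sent < due:  # due-date notice, once
        return "due"
    if (today - last_sent).days >= OVERDUE_INTERVAL_DAYS:  # weekly while overdue
        return "overdue"
    return None

def run_with_lock(job, lock_path=LOCK_PATH):
    """Run job() unless another instance holds the lock, in which case return None.

    A non-blocking flock keeps overlapping cron runs from mailing a reminder
    twice; the lock is released automatically when the file is closed.
    """
    with open(lock_path, "w") as lock:
        try:
            fcntl.flock(lock, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except BlockingIOError:
            return None
        return job()
```

A daily cron entry would wrap the per-vendor loop in `run_with_lock`, and the vendor's `last_sent` is updated only after the email is actually delivered.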

Enterprise Security & Compliance

Every feature is built with security-first design principles.

SAML 2.0 SSO

Enterprise IdP support for Okta, Microsoft Entra ID, and other SAML providers. Group mapping syncs IdP groups to local ACL roles automatically on login.

TOTP Two-Factor Auth

RFC 6238 time-based one-time passwords compatible with Google Authenticator and Authy. QR code enrollment makes setup simple for end users.

Complete Audit Trail

Every action is logged with user ID, action type, affected record, old/new values, IP address, and user agent. Full accountability for compliance audits.

User Impersonation

Super admins can "View As" another user for troubleshooting. Original session is preserved, amber banner is displayed, and all actions are audit logged.

Deployment Options

Get running in minutes with Docker or traditional installation.

Docker-Ready or Traditional

Fair TPRM ships with a Docker Compose stack for instant deployment, or can be installed on any Apache + PHP 8.3 server. The 6-step setup wizard handles all configuration without touching code.

  • Docker Compose: PHP 8.3 + Apache + MariaDB
  • MySQL/MariaDB or SQLite database options
  • 6-step setup wizard with no coding required
  • Theme customization: colors, logos, fonts
  • Database backup and restore from admin panel
  • SQL migration system with preview and rollback

# Docker Compose Stack (the database password below is a placeholder; set a real secret)
services:
  tprm-web:
    image: php:8.3-apache
    ports: ["8080:80"]
    depends_on: [tprm-db]

  tprm-db:
    image: mariadb:10
    environment:
      MARIADB_ROOT_PASSWORD: change-me   # placeholder: the image refuses to start without a root password setting
    volumes: [data:/var/lib/mysql]

# named volume referenced above must be declared, or Compose rejects the file
volumes:
  data:

Open Source. Enterprise Grade.

Fair TPRM brings data-driven vendor risk management to organizations of every size.
