Vendor Risk Tier Calculator
Answer questions about a vendor's data access to compute its risk tier classification and the required due diligence level.
No data is transmitted; everything runs locally.
About this tool
The Vendor Risk Tier Calculator classifies vendors into Critical, High, Medium, and Low tiers based on their data access profile and lists the due diligence evidence required for each tier.
• Classify a new SaaS vendor before a procurement security review
• Determine whether a vendor requires a BAA before contract signing
• Identify which vendors require SOC 2 Type II before an audit
• Build a vendor risk tiering policy for a security program
FAQ
What does this tool tell you?
It assigns a vendor to one of four tiers (Critical, High, Medium, or Low) based on the kinds of data the vendor can access, then lists the due diligence evidence that tier requires.
What affects the result most?
Three rules drive the result:
• Tier by data access: Critical (PHI, PCI cardholder data, or authentication credentials) → High (customer data) → Medium (internal data only) → Low (no data). The most sensitive category the vendor can reach sets the tier.
• Due diligence by tier: Critical requires SOC 2 Type II, a penetration test, and a right-to-audit clause; Low requires a security questionnaire only.
• BAA: any vendor that handles PHI on your behalf is a business associate and must sign a BAA. Under HIPAA this is required regardless of tier.
How should I use the result?
The calculation is deterministic — the same inputs always produce the same output — so the most useful workflow is to vary one input at a time and see which factor moves the result most. That tells you where to focus your attention before committing to a decision.
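The tiering rules and the vary-one-input workflow described in this FAQ, expressed as policy-as-code. This is an added example, not the calculator's own code: the tier ordering, the Critical and Low due diligence lists, and the BAA rule follow the FAQ above, while the High and Medium due diligence lists and all field names (`phi`, `cardholder_data`, `auth_credentials`, `customer_data`, `internal_data`) are assumptions for illustration. The `sensitivity` function implements the "vary one input at a time" check from the answer above, reporting how many tier steps each flipped answer moves the result.

```python
"""Deterministic vendor risk tiering from a data-access profile (illustrative)."""
from dataclasses import dataclass, fields, replace

# Tier ladder from the FAQ, least to most severe.
TIER_ORDER = ["Low", "Medium", "High", "Critical"]

# Due diligence by tier. The Critical and Low entries are stated on the page;
# the High and Medium entries are ASSUMPTIONS made for this example only.
DUE_DILIGENCE = {
    "Critical": ["SOC 2 Type II", "penetration test", "right-to-audit clause"],
    "High": ["SOC 2 Type II", "security questionnaire"],        # assumption
    "Medium": ["security questionnaire", "policy review"],       # assumption
    "Low": ["security questionnaire"],
}


@dataclass(frozen=True)
class AccessProfile:
    """Yes/no answers about what the vendor can reach (hypothetical field names)."""
    phi: bool = False               # protected health information
    cardholder_data: bool = False   # PCI-scoped card data
    auth_credentials: bool = False  # credentials, tokens, identity/auth systems
    customer_data: bool = False
    internal_data: bool = False


def classify(p: AccessProfile) -> str:
    """Highest applicable tier wins: a single PHI answer outranks everything below it."""
    if p.phi or p.cardholder_data or p.auth_credentials:
        return "Critical"
    if p.customer_data:
        return "High"
    if p.internal_data:
        return "Medium"
    return "Low"


def requires_baa(p: AccessProfile) -> bool:
    """BAA is decided by PHI exposure alone, independent of the tier."""
    return p.phi


def assess(p: AccessProfile) -> dict:
    """Full result: tier, required evidence, and the BAA flag."""
    tier = classify(p)
    return {"tier": tier, "due_diligence": DUE_DILIGENCE[tier], "baa_required": requires_baa(p)}


def sensitivity(p: AccessProfile) -> dict:
    """Flip one answer at a time; report tier steps moved (+ raises, - lowers, 0 no effect)."""
    base = TIER_ORDER.index(classify(p))
    deltas = {}
    for f in fields(p):
        flipped = replace(p, **{f.name: not getattr(p, f.name)})
        deltas[f.name] = TIER_ORDER.index(classify(flipped)) - base
    return deltas


if __name__ == "__main__":
    # Constructed sample: a SaaS vendor holding customer and internal data, no PHI.
    vendor = AccessProfile(customer_data=True, internal_data=True)
    print(assess(vendor))
    print(sensitivity(vendor))
```

For the constructed sample the vendor lands in High with no BAA; the sensitivity map shows that saying yes to PHI, cardholder data, or credentials each raises it one step to Critical, dropping customer data lowers it to Medium, and internal data has no effect on the tier, which is exactly the "which input moves the result most" question the FAQ suggests asking.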