Creating a Third Party Record

Overview

Third-party records are divided into two sub-types: vendor records and partner records. These records are the owning entities of System records, which process or store data used in your business processes. For example, your organization may use Gmail (System), which is owned by Google (Vendor).

Set up your Third-Party records before creating System records, as System records may reference a Third Party as their owning entity. This article walks through all tabs of the Third-Party record setup.

What you can do
Create and configure a third-party record with all required details
Upload and manage contracts and compliance documentation
Review Data Processing, Data Transfer, and AI Risk scores and complete assessments
Add third-party and internal contacts
Prerequisites
Primary Entity record already set up
Active TrustArc account with Data Mapping & Risk Manager access
Assessment Manager access (required for risk assessments in Step 6)
Creating a Third-Party Record
📋 Notes — Record-Level Features

The Upload Logo (1), Record Link (2), Activity Log (3), and Tags (4) features are available in the top navigation of every third-party record and can be used at any step of the record creation.

Third-party record top navigation showing Upload Logo, Record Link, Activity Log, and Tags icons

Upload Logo

Click Upload Logo to upload the third party's logo. Once uploaded, right-click the logo to replace or delete it.

Upload Logo area with right-click context menu showing Replace and Delete options

Activity Log

Click the Activity Log icon to open a panel on the right side of the page showing the record's activity history.

Third-party record with the Activity Log panel open on the right showing a list of logged actions

Tags

Click the Tags link to open a panel on the right side of the page showing the tags and tag groups associated with the record. You can also create and save new tags from this panel.

Third-party record with the Tags panel open on the right showing associated tags and a field to add new ones

To create a third-party record, follow these steps:

1
From the left side of the page, hover over the Data Mapping & Risk Manager icon, then select Data Inventory.
Data Mapping and Risk Manager navigation showing Data Inventory selected
📋 Note: The All Records tab is selected by default.
2
Click the Third Party Records tab.
Data Inventory page with the Third Party Records tab selected
3
In the top-right corner of the page, click Add New, then select Third Party Record.
Data Inventory Third Party Records page with Add New dropdown showing Third Party Record option
📋 Tip: You can also create a third-party record using AI. See Creating a Third Party Record using AI for more information.
Step 4 — Details Tab
4
Complete the Details tab. At minimum, you must enter the third-party name, type, and the entities that should have access to the record before the remaining tabs become enabled.
Third-party record Details tab showing required fields including name, type, and owning entities
📋 Tip: Use the AI Autofill Search feature to automatically populate the Details tab. See Completing the Details Page of the Third Party Record Using the AI Autofill Search Feature for more information.

You can also complete the following optional sections in the Details tab:

General Information

Website URL
Annual revenue
Number of employees
Stock symbol
Whether the company is publicly traded
📋 Note: After you enter the website URL, the company logo is populated automatically in the Upload Logo field.

Third Party Locations

Add the third party's operating locations.

Organization Entities Managing & Using Third Party

Select the entities responsible for managing the third-party relationship and the entities that use the third party.

Third Party Headquarters

Address
State / Province
City
Country
Zip Code
Email Address
Phone Number

Attachments

Add or delete file attachments to support the record.

Step 5 — Contracts Tab
5
Click the Contracts tab to upload and manage third-party contracts, and to attach documents supporting compliance certifications, agreements, or policies.
Third-party record Contracts tab showing the contract list and Add Contract button

You can upload documents for the following agreement and certification types:

Compliance Certification or Attestation
DPA / Privacy Agreement
Client Policy
Non-Disclosure Agreement
Insurance Certificates

To add a contract, click Add Contract, complete the following fields, then upload a copy of the contract or supporting document:

Contract Name
Contract Start Date
Contract End Date
Step 6 — Risk & Assessments Tab
6
Click the Risk & Assessments tab to review Data Processing Risk, Data Transfer Risk, and AI Risk scores for the third party and its associated System records, then complete the recommended assessments.
Risk and Assessments tab showing Data Processing Risk, Data Transfer Risk, and AI Risk subtabs

At the bottom of the tab, charts show how many assessments are in Open, In Progress, In Review, and Approved states.

Assessment status charts at the bottom of the Risk and Assessments tab showing counts per status
📋 Notes: By default, only 10 assessment records are shown. Use the Search Assessment Name field to locate a record not visible on the first page. All table columns are sortable. You must have Assessment Manager access to create an assessment — clicking Create Assessment opens the Assessment Manager in a new browser tab.
Data Processing Risk
Reviewing the Data Processing Risk Score

Go to the Data Processing Risk subtab. Under Step 1: Review Inherent Risk Score, click Review Score, then select Third Party Score or System Score. The System Score option is only available if the record is linked to a System record.

Data Processing Risk subtab showing the Review Score button and Third Party Score and System Score options

The Review Inherent Risk Score modal appears.

Review Inherent Risk Score modal showing Risk Factors, Inherent Risk, and Explain Your Selection fields

Complete the following, then click Save Changes:

Review the Risk Factors
Define the Inherent Risk — review and confirm whether the suggested Inherent Risk Score is accurate before saving
Explain your Risk Score Selection
Starting a Residual Risk Assessment

After the inherent risk has been evaluated, start the impact assessment to evaluate control effectiveness and calculate residual risk.

1
Under Step 2: Complete Risk Assessment, click Start Assessment > Start Assessment.
Step 2 column showing the Start Assessment button and Third Party Assessment and System Assessment options
📋 Note: Under Third Party Assessment, click Start Assessment. If a System record is linked to this third party, the System Assessment option becomes available. Click View All Assessments to assess the associated System records.
Start Assessment modal showing the assessment template selection dropdown
2
Select an assessment template based on your company's risk tolerance and applicable country laws, then click Start Assessment.
Select Mini PIA Controls Assessment if no (zero) risk factors are triggered.
Select PIA Controls Assessment if one risk factor is triggered.
Select DPIA Controls Assessment if two or more risk factors are triggered.
📋 Note: Risk factors are determined by which data elements, processing purposes, individual types, number of individual records, or data subject volumes are selected in the Business Process or System record. Multiple selections under a single risk factor count as one risk factor, except for processing purposes.
3
The system redirects you to the Assessment Manager. From the Edit Assessment page, complete the following sections — for more information, see Creating an Assessment:
Assessment Details
Managers & Respondents
Users
Advanced Settings
4
Review and publish the assessment.
Downloading the Residual Risk Assessment Report
⚠️ Note: Reports can only be downloaded when the assessment is in In Review or Approved state.

Under Step 3: Review Residual Risk Score & Download Report, click Download Risk Report and select Third Party Risk Report or System Risk Report. The report downloads as a .pdf file.

Step 3 column showing the Download Risk Report button with Third Party Risk Report and System Risk Report options
Data Transfer Risk
Reviewing the Data Transfer Risk Score

Go to the Data Transfer Risk subtab. Under Step 1: Review Data Transfer Risk Score, click Review Score.

Data Transfer Risk subtab showing the Review Score button

Select a system record from the list, view its data transfer risk score, then click Done.

Data transfer risk score panel showing system record selection and the risk score details
Starting a System Data Transfer Risk Assessment

The Data Transfer Residual Risk Score is calculated after a System Data Transfer Risk Assessment is completed, giving you insight into data transfer risk at both record and organization levels.

1
Under Step 2: Complete Data Transfer Risk Assessment, click Start Assessment.
Step 2 column for Data Transfer Risk showing the Start Assessment button
2
Select a system record (1), select an assessment template (2), then click Start Assessment.
Start Assessment modal showing system record selector and assessment template selector
3
Complete all sections of the Edit Assessment page in Assessment Manager — see Creating an Assessment for details. Then review and publish the assessment.
Assessment Details
Managers & Respondents
Users
Advanced Settings
Downloading the Data Transfer Risk Assessment Report
⚠️ Note: Reports can only be downloaded when the assessment is in In Review or Approved state.

Under Step 3: Review Data Transfer Residual Risk Score & Download Report, click Download Risk Report and select the record type. The report downloads as a .pdf file.

Step 3 column for Data Transfer Risk showing the Download Risk Report button and record type options
AI Risk
Reviewing the AI Risk Score

Go to the AI Risk subtab. Under Step 1: Review AI Risk Score, click Review Score.

AI Risk subtab showing the Review Score button

The Review System Risk modal appears.

Review System Risk modal showing system record dropdown and risk review fields

Select a system record from the dropdown, complete the following, then click Save Changes:

Review the Risk Factors
Define the Inherent Risk — review and confirm whether the suggested AI Risk Score is accurate before saving
Explain your Risk Score Selection
Starting the AI Risk Assessment

The AI Risk Score is calculated after a System AI Risk Assessment is completed, providing insight into AI Risk at both record and organization levels.

1
Under Step 2: Complete AI Risk Assessment, click Start Assessment. A Start Assessment modal appears.
Step 2 column for AI Risk showing the Start Assessment button
2
Select a system record, select an assessment template, then click Start Assessment.
Start Assessment modal for AI Risk showing system record and template selectors
📋 Note: If an AI Risk assessment has already been created for the selected system record, the Change Assessment and View Assessment buttons become available.
Start Assessment modal showing Change Assessment and View Assessment buttons for a record with an existing assessment
3
Complete all sections of the Edit Assessment page in Assessment Manager — see Creating an Assessment for details.
Assessment Details
Managers & Respondents
Users
Advanced Settings
4
Review and publish the assessment.
📋 Note: If the third party owns two or more system records, an assessment must be completed for each of those records.
Downloading the AI Risk Assessment Report
⚠️ Note: Reports can only be downloaded when the assessment is in In Review or Approved state.

Under Step 3: Review Residual AI Risk Score & Download Report, click Download Risk Report. The report downloads as a .pdf file.

Step 3 column for AI Risk showing the Download Risk Report button
Step 7 — Contacts Tab
7
Click the Contacts tab to add third-party contacts and internal contacts.
Contacts tab showing the Third Party Contacts and Internal Contacts sections
To add a third-party contact, click Add Third Party Contacts and enter the contact's full name, email address, phone number, and location.
To add an internal contact, go to the Internal Contacts tab (1), click Add Internal Contacts (2), and enter the contact's full name, email address, phone number, and location.
Internal Contacts tab with the Add Internal Contacts button highlighted
8
Click Close once the setup is complete.
TrustArc  ·  Creating a Third-Party Record  ·  support.trustarc.com