Important notice
The Classic Experience will be sunset on
Aug. 1.
If you have questions, contact your Customer Success and Implementation Manager,
Account Manager, or
support@trustarc.com.
Third-party records are divided into two sub-types: vendor records and partner records. These records are the owning entities of System records, which process or store data used in your business processes. For example, your organization may use Gmail (System), which is owned by Google (Vendor).
Set up your Third-Party records before creating System records, as System records may reference a Third Party as their owning entity. This article walks through all tabs of the Third-Party record setup.
What you can do
✓Create
and configure a third-party record with all required details
✓Upload
and manage contracts and compliance documentation
✓Review
Data Processing, Data Transfer, and AI Risk scores and complete
assessments
✓Add
third-party and internal contacts
Prerequisites
✓Primary
Entity record already set up
✓Active
TrustArc account with Data Mapping & Risk Manager access
✓Assessment
Manager access (required for risk assessments in Step 6)
Creating a Third-Party Record
📋 Notes — Record-Level Features
The Upload Logo (1), Record Link (2), Activity Log (3), and Tags (4) features are available in the top navigation of every third-party record and can be used at any step of the record creation.
Upload Logo
Click Upload Logo
to upload the third party's logo. Once uploaded, right-click
the logo to replace or delete it.
Activity Log
Click the Activity Log icon to open a panel on the
right side of the page showing the record's activity history.
Tags
Click the Tags link to open a panel on the right
side of the page showing the tags and tag groups associated
with the record. You can also create and save new tags from
this panel.
To create a third-party record, follow these steps:
1
From the left side of the page, hover over the
Data Mapping & Risk Manager icon, then select
Data Inventory.
📋 Note: The
All Records tab is selected by default.
2
Click the
Third Party Records
tab.
3
In the top-right corner of the page, click
Add New, then select
Third Party Record.
Complete the Details tab. At minimum, you must enter
the third-party name, type, and the entities that should
have access to the record before the remaining tabs become
enabled.
You can also complete the following optional sections in the Details tab:
General Information
•Website
URL
•Annual
revenue
•Number
of employees
•Stock
symbol
•Whether
the company is publicly traded
📋 Note: After you
enter the website URL, the company logo is populated automatically
in the Upload Logo field.
Third Party Locations
Add the third party's operating locations.
Organization Entities Managing & Using Third Party
Select the entities responsible for managing the third-party
relationship and the entities that use the third party.
Third Party Headquarters
•Address
•State
/ Province
•City
•Country
•Zip
Code
•Email
Address
•Phone
Number
Attachments
Add or delete file attachments to support the record.
Step 5 — Contracts Tab
5
Click the Contracts tab to upload and manage third-party
contracts, and to attach documents supporting compliance
certifications, agreements, or policies.
You can upload documents for the following agreement and certification types:
•Compliance
Certification or Attestation
•DPA
/ Privacy Agreement
•Client
Policy
•Non-Disclosure
Agreement
•Insurance
Certificates
To add a contract, click Add Contract, complete the following fields, then upload a copy of the contract or supporting document:
•Contract
Name
•Contract
Start Date
•Contract
End Date
Step 6 — Risk & Assessments Tab
6
Click the Risk & Assessments tab to review Data
Processing Risk, Data Transfer Risk, and AI Risk scores for
the third party and its associated System records, then complete
the recommended assessments.
At the bottom of the tab, charts show how many assessments are in Open, In Progress, In Review, and Approved states.
📋 Notes: By default,
only 10 assessment records are shown. Use the
Search Assessment Name field to locate a record not
visible on the first page. All table columns are sortable. You
must have Assessment Manager access to create an assessment —
clicking Create Assessment
opens the Assessment Manager in a new browser tab.
Data Processing Risk
Reviewing the Data Processing Risk Score
Go to the Data Processing Risk subtab. Under Step 1: Review Inherent Risk Score, click Review Score, then select Third Party Score or System Score. The System Score option is only available if the record is linked to a System record.
The Review Inherent Risk Score modal appears.
Complete the following, then click Save Changes:
•Review
the Risk Factors
•Define the Inherent Risk
— review and confirm whether the suggested Inherent Risk
Score is accurate before saving
•Explain
your Risk Score Selection
Starting a Residual Risk Assessment
After the inherent risk has been evaluated, start the impact assessment to evaluate control effectiveness and calculate residual risk.
📋 Note: Under
Third Party Assessment, click
Start Assessment. If
a System record is linked to this third party, the
System Assessment option
becomes available. Click
View All Assessments
to assess the associated System records.
2
Select an assessment template based on your company's risk
tolerance and applicable country laws, then click
Start Assessment.
•Select
Mini PIA Controls Assessment
if no (zero) risk factors are triggered.
•Select
PIA Controls Assessment
if one risk factor is triggered.
•Select
DPIA Controls Assessment
if two or more risk factors are triggered.
📋 Note: Risk factors
are determined by which data elements, processing purposes,
individual types, number of individual records, or data subject
volumes are selected in the Business Process or System record.
Multiple selections under a single risk factor count as one
risk factor, except for processing purposes.
3
The system redirects you to the Assessment Manager. From
the Edit Assessment page, complete the following
sections — for more information, see
Creating an Assessment:
→Assessment
Details
→Managers
& Respondents
→Users
→Advanced
Settings
4
Review and publish the assessment.
Downloading the Residual Risk Assessment Report
⚠️ Note: Reports can only be downloaded when
the assessment is in In Review or
Approved state.
Under Step 3: Review Residual Risk Score & Download Report, click Download Risk Report and select Third Party Risk Report or System Risk Report. The report downloads as a .pdf file.
Data Transfer Risk
Reviewing the Data Transfer Risk Score
Go to the Data Transfer Risk subtab. Under Step 1: Review Data Transfer Risk Score, click Review Score.
Select a system record from the list, view its data transfer risk score, then click Done.
Starting a System Data Transfer Risk Assessment
The Data Transfer Residual Risk Score is calculated after a System Data Transfer Risk Assessment is completed, giving you insight into data transfer risk at both record and organization levels.
1
Under
Step 2: Complete Data Transfer Risk Assessment,
click Start Assessment.
2
Select a system record (1), select an assessment template (2), then click Start Assessment.
3
Complete all sections of the Edit Assessment page
in Assessment Manager — see
Creating an Assessment
for details. Then review and publish the assessment.
→Assessment
Details
→Managers
& Respondents
→Users
→Advanced
Settings
Downloading the Data Transfer Risk Assessment Report
⚠️ Note: Reports can only be downloaded when
the assessment is in In Review or
Approved state.
Under Step 3: Review Data Transfer Residual Risk Score & Download Report, click Download Risk Report and select the record type. The report downloads as a .pdf file.
AI Risk
Reviewing the AI Risk Score
Go to the AI Risk subtab. Under Step 1: Review AI Risk Score, click Review Score.
The Review System Risk modal appears.
Select a system record from the dropdown, complete the following, then click Save Changes:
•Review
the Risk Factors
•Define the Inherent Risk
— review and confirm whether the suggested AI Risk Score
is accurate before saving
•Explain
your Risk Score Selection
Starting the AI Risk Assessment
The AI Risk Score is calculated after a System AI Risk Assessment is completed, providing insight into AI Risk at both record and organization levels.
1
Under
Step 2: Complete AI Risk Assessment,
click Start Assessment.
A Start Assessment modal appears.
2
Select a system record, select an assessment template, then
click Start Assessment.
📋 Note: If an AI Risk
assessment has already been created for the selected system record,
the Change Assessment
and View Assessment
buttons become available.
3
Complete all sections of the Edit Assessment page
in Assessment Manager — see
Creating an Assessment
for details.
→Assessment
Details
→Managers
& Respondents
→Users
→Advanced
Settings
4
Review and publish the assessment.
📋 Note: If the third
party owns two or more system records, an assessment must be
completed for each of those records.
Downloading the AI Risk Assessment Report
⚠️ Note: Reports can only be downloaded when
the assessment is in In Review or
Approved state.
Under Step 3: Review Residual AI Risk Score & Download Report, click Download Risk Report. The report downloads as a .pdf file.
Step 7 — Contacts Tab
7
Click the Contacts tab to add third-party contacts
and internal contacts.
→To add a third-party contact, click Add Third Party Contacts and enter the contact's full name, email address, phone number, and location.
→To add an internal contact, go to the Internal Contacts tab (1), click Add Internal Contacts (2), and enter the contact's full name, email address, phone number, and location.