Vendor Assessments are available on the Business plan and above.
A vendor assessment is a structured security questionnaire you send to an AI vendor to understand how they manage data, protect their models, and meet compliance obligations. Completing vendor assessments gives you documented evidence of third-party due diligence — a requirement under many compliance frameworks and an expectation of enterprise procurement processes.

Creating an assessment

To start a new vendor assessment:
  1. Navigate to Governance → Vendor Assessments and select New Assessment
  2. Choose a questionnaire template — templates are organized by vendor type (for example, AI platform, AI-enabled SaaS, or custom model provider)
  3. Enter the vendor’s name and the contact email address of the person who will complete the questionnaire
  4. Optionally link the assessment to a registered system in your registry
  5. Set a response deadline and select Send
The vendor receives an email with a secure link to their response portal. You can monitor submission status from the assessment list.

How the vendor portal works

Vendors do not need an Ayliea account to complete a questionnaire. The secure link in their email takes them directly to a response portal where they can:
  • Read each question and enter their response
  • Save progress and return to finish later — answers are saved automatically
  • Submit when all required questions are answered
The portal does not expose any of your organization’s internal information. Vendors only see the questions and their own responses.

Question categories

Assessment questionnaires cover five areas:
  • Data handling — how the vendor collects, stores, processes, and deletes data; data residency and retention policies
  • Security controls — access controls, encryption practices, vulnerability management, and penetration testing cadence
  • Privacy and compliance — GDPR, CCPA, and other applicable regulatory compliance; privacy impact assessments
  • AI model governance — training data sourcing, model validation, bias testing, and explainability practices
  • Contractual and operational — SLA commitments, subprocessor disclosure, incident notification obligations, and audit rights

Scoring and risk tier

When a vendor submits their responses, Ayliea scores the questionnaire automatically and assigns a risk tier — Low, Medium, High, or Critical — based on the responses across all categories. The scoring reflects both the completeness of responses and the strength of the controls described. You can view the score breakdown by category to identify which areas of the vendor’s posture are weakest.

Reviewing responses

After submission, open the assessment to review the vendor’s responses question by question. You can:
  • Approve the assessment if the responses are satisfactory
  • Reject the assessment with written notes if gaps require follow-up — the vendor is notified and can resubmit
Approval and rejection are recorded in the assessment history along with any notes you add.

Reminder emails

If a vendor has not submitted by a configurable threshold before the deadline, Ayliea automatically sends a reminder email to the contact address on file. You can also trigger a manual reminder at any time from the assessment detail view.

Link vendor assessments to registered systems so that the system detail view shows each vendor’s current assessment status and expiry date. This makes it easy to catch assessments that are approaching renewal without reviewing each vendor separately.