Covenant is flat-priced vendor risk management and HIPAA BAA tracking built for the clinic, the billing company, and the MSP — everyone with third-party risk obligations but no GRC analyst and no five-figure budget.
If you handle PHI, you must have a written Business Associate Agreement in place with every business associate, meaning any vendor that creates, receives, maintains, or transmits PHI on your behalf (45 CFR §164.502(e) and §164.308(b)). Most small practices track that in a spreadsheet. Covenant ships a BAA library, a §164.504(e) required-clause gap-check, renewal reminders, and a subcontractor flow-down chain, free for up to 10 vendors with no card required.
How BAA tracking works →
Catalog every vendor with data sensitivity, access, and criticality. Covenant auto-tiers each one from Critical to Low; vendors that handle PHI are flagged and automatically require a BAA.
Send a SIG/CAIQ-lite, HIPAA, or our SMB Lite questionnaire. (A vendor email portal is coming; today you capture answers in-app.) Each risky answer becomes an itemized finding in the vendor's score.
Every score change is itemized with evidence and a delta — no unexplained letter-grade swings. Dispute, accept, or remediate any finding.
BAA status flags (signed / expiring / overdue / missing), 90-60-30-day review reminders, a §164.504(e) required-clause gap-check, and subcontractor flow-down tracking, so each PHI-handling subcontractor in the chain is covered by its own BAA.
A portfolio heatmap by tier, with missing BAAs, expiring reviews, and open findings surfaced at a glance.
Vendor evidence maps to NIST SP 800-53 SR (supply chain risk management), HIPAA §164.308(b) and §164.314(a), SOC 2 CC9.2, and ISO/IEC 27001:2022 A.5.19–5.23, and feeds the shared DosanjhLabs evidence graph.
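The tiering, BAA status flags, 90/60/30-day reminders, §164.504(e) clause gap-check, flow-down walk and tier heatmap described above, as a small Python sketch. This is an added illustration written for this page, not Covenant's code: the tier thresholds, the 90-day "expiring" window, the one-year default BAA term, the clause labels and the sample vendors are all assumptions, and the clause list is a paraphrase of 45 CFR §164.504(e)(2), not the regulatory text.

```python
"""Toy BAA tracker (added example, not Covenant's code)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Paraphrase of the BA-contract provisions in 45 CFR 164.504(e)(2).
# The keys are labels invented for this example.
REQUIRED_CLAUSES = {
    "permitted_uses": "permitted and required uses/disclosures stated",
    "no_other_use": "no use/disclosure beyond the contract or law",
    "safeguards": "appropriate safeguards, Security Rule for ePHI",
    "incident_reporting": "report non-permitted uses incl. breaches (164.410)",
    "subcontractor_flowdown": "subcontractors bound to the same restrictions",
    "access_524": "make PHI available for individual access",
    "amendment_526": "make PHI available for amendment",
    "accounting_528": "provide an accounting of disclosures",
    "ce_obligations": "comply with Subpart E where acting for the CE",
    "books_to_secretary": "books and records available to HHS",
    "return_or_destroy": "return or destroy PHI at termination",
    "termination": "CE may terminate on material breach",
}
REMINDER_DAYS = (90, 60, 30)   # assumed reminder schedule
EXPIRING_WINDOW = 90           # assumed: "expiring" once inside 90 days


@dataclass
class Vendor:
    name: str
    handles_phi: bool
    sensitivity: int            # assumed 1 (low) .. 3 (high) scales
    access: int
    criticality: int
    baa_signed: Optional[date] = None
    baa_term_days: int = 365    # assumed one-year term
    clauses: set = field(default_factory=set)
    subcontractors: list = field(default_factory=list)


def tier(v: Vendor) -> str:
    """Assumed tiering: sum of the three 1..3 scores."""
    total = v.sensitivity + v.access + v.criticality
    if total >= 8:
        return "Critical"
    if total >= 6:
        return "High"
    if total >= 4:
        return "Medium"
    return "Low"


def baa_expiry(v: Vendor) -> Optional[date]:
    return v.baa_signed + timedelta(days=v.baa_term_days) if v.baa_signed else None


def baa_status(v: Vendor, today: date) -> str:
    """signed / expiring / overdue / missing; non-PHI vendors need no BAA."""
    if not v.handles_phi:
        return "not required"
    if v.baa_signed is None:
        return "missing"
    days_left = (baa_expiry(v) - today).days
    if days_left < 0:
        return "overdue"
    return "expiring" if days_left <= EXPIRING_WINDOW else "signed"


def reminder_due(v: Vendor, today: date) -> Optional[int]:
    """Which 90/60/30-day reminder is active, or None outside the window."""
    if baa_status(v, today) != "expiring":
        return None
    days_left = (baa_expiry(v) - today).days
    return min(t for t in REMINDER_DAYS if days_left <= t)


def clause_gaps(v: Vendor) -> list:
    """Required clauses the signed BAA does not contain."""
    return sorted(set(REQUIRED_CLAUSES) - v.clauses)


def flow_down_gaps(v: Vendor, today: date, path=()) -> list:
    """Walk the subcontractor chain; every PHI-handling hop needs its own BAA."""
    gaps = []
    for sub in v.subcontractors:
        status = baa_status(sub, today)
        if sub.handles_phi and status not in ("signed", "expiring"):
            gaps.append((" > ".join(path + (v.name, sub.name)), status))
        gaps.extend(flow_down_gaps(sub, today, path + (v.name,)))
    return gaps


def portfolio_summary(vendors: list, today: date) -> dict:
    """Per-tier counts behind a heatmap: missing/overdue BAAs, expiring, clause gaps."""
    summary = {}
    for v in vendors:
        row = summary.setdefault(tier(v), {"vendors": 0, "missing_baa": 0,
                                           "expiring": 0, "clause_gaps": 0})
        row["vendors"] += 1
        status = baa_status(v, today)
        row["missing_baa"] += status in ("missing", "overdue")
        row["expiring"] += status == "expiring"
        row["clause_gaps"] += len(clause_gaps(v)) if v.handles_phi else 0
    return summary


def sample_vendors() -> list:
    """Constructed sample portfolio (fictional vendors)."""
    mailer = Vendor("Print & mail", True, 2, 1, 2)          # sub with no BAA
    billing = Vendor("Billing clearinghouse", True, 3, 2, 2, date(2024, 1, 1),
                     clauses=set(REQUIRED_CLAUSES) - {"return_or_destroy",
                                                      "subcontractor_flowdown"},
                     subcontractors=[mailer])
    ehr = Vendor("EHR host", True, 3, 3, 3, date(2024, 7, 15),
                 clauses=set(REQUIRED_CLAUSES))
    janitorial = Vendor("Janitorial", False, 1, 1, 1)
    return [ehr, billing, janitorial]


if __name__ == "__main__":
    today = date(2025, 6, 1)
    for v in sample_vendors():
        print(v.name, tier(v), baa_status(v, today), reminder_due(v, today),
              clause_gaps(v), flow_down_gaps(v, today))
    print(portfolio_summary(sample_vendors(), today))
```

Run with a fixed `today` so the sample is reproducible; in the constructed portfolio the EHR host's BAA is 44 days from expiry (so the 60-day reminder is the active one), the clearinghouse's BAA is overdue and missing two required clauses, and its mailing subcontractor handles PHI with no BAA at all, which is exactly the flow-down gap a spreadsheet tends to miss.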
Incumbents punish you for growing: UpGuard adds $79/mo per vendor, SecurityScorecard $1,500+/vendor/yr, OneTrust enforces a $10,000/yr floor. Covenant is one flat fee for unlimited vendors at the top tier.
See full pricing →