You don't have a GRC analyst, a $16,000 budget, or a quarter to roll out an enterprise platform. You do have an auditor, an enterprise customer, or a regulator asking how you manage vendor risk. Covenant is third-party risk management built for exactly that gap.
A single register of every vendor with owner, category, data sensitivity, and access. Bulk-import from CSV and dedupe by domain.
Auto-tier Critical → Low from sensitivity × access × criticality, with a PHI floor so a business associate is never under-rated.
Send SIG Lite, CAIQ Lite, a HIPAA attestation, or an SMB Lite questionnaire. Risky answers fold into the score with conditional follow-ups.
External-posture checks — TLS, security headers, SPF/DKIM/DMARC, breach signals — on a weekly or daily schedule.
Track findings to closure, accept risk with an expiry, and export an auditor-ready inventory and PDF report.
If you handle PHI, the §164.504(e) BAA lifecycle is built in and free — see the BAA tracking page.
This market is famously opaque, so here are real numbers. Enterprise platforms start in the five figures and bill per vendor; Covenant publishes a flat price and never charges per vendor.
| Option | Entry price | Per-vendor fee | HIPAA BAA |
|---|---|---|---|
| Covenant Free | $0 | none | Yes |
| Covenant Pro | $990/yr | none | Yes |
| UpGuard | ~$19,200/yr | ~$79/mo each | No |
| SecurityScorecard | ~$16,500/yr | ~$1,500+/vendor | No |
| OneTrust TPRM | $10,000/yr floor | — | Add-on |
Figures from public pricing and third-party quotes, 2025–2026.
Free for 10 vendors with full BAA tracking. No card, no sales call.