Auditors and enterprise buyers now demand a defensible vendor-risk process. Covenant gives you the register, the questionnaires, the scoring, and the evidence — without the $16,000 platform.
Catalog vendors with category, owner, data-sensitivity, access, and criticality. Bulk-load a sample portfolio to see it working immediately.
Covenant tiers each vendor Critical → Low from sensitivity × access × criticality, with a PHI floor so a business associate is never under-rated.
SIG/CAIQ-lite, a HIPAA Security Rule attestation, and an SMB Lite questionnaire. Each risky answer is weighted and folded into the score.
A composite 0–100 grade where every factor — inherent exposure, questionnaire, findings, BAA gap — is itemized with its delta. No mystery score swings.
Log external-posture findings (TLS, headers, email-auth, breach) with severity and dispute / accept / remediate actions.
Evidence maps to NIST SR, HIPAA, SOC 2 CC9.2, and ISO 27001 A.5.19–23, and publishes to the shared DosanjhLabs evidence graph for Sightline and Bastion.
| Capability | Covenant | Spreadsheet | Enterprise TPRM |
|---|---|---|---|
| Flat price, no per-vendor fee | Yes | Free | $79–$2,000/vendor |
| HIPAA BAA lifecycle | Native | Manual | Add-on / none |
| Explainable scoring | Itemized | None | Often opaque |
| Self-serve, no sales call | Yes | — | Quote-only |
| Cross-product evidence graph | Yes | No | No |
Start with 10 vendors free, then grow without paying per vendor.