Software security posture and certifications

How to record a vendor's certifications (SOC 2, ISO 27001, and more), track their expiry, capture operational security details, and export a Vendor Security Profile. For security, compliance, and software owners.

Before You Begin

  • You need edit permission for software applications to add or edit certifications and operational fields.
  • You need view permission to download the Vendor Security Profile.
  • The application must already exist. See Getting Started with Software Applications.

Step-by-Step Instructions

Step 1: Open the Security Posture tab

  1. Open the application.
  2. Click the Security Posture tab.

The tab has two sections: Operational Security at the top and Certifications below.

Step 2: Record operational security details

In the Operational Security card, set:

  • SSO Supported — whether the vendor supports single sign-on.
  • MFA Supported — whether the vendor supports multi-factor authentication.
  • Data Residency Region — where the vendor stores your data (US, EU, APAC, Other, or Unknown).
  • Sub-Processor List URL — a link to the vendor's published sub-processor list. Enter the URL and click Save.

Toggles and dropdowns save as you change them.

Step 3: Add a certification

  1. In the Certifications card, click Add Certification.
  2. Fill in the form:
    • Certification Type — SOC 2 Type II, ISO 27001, HIPAA, GDPR, PCI, FedRAMP, or Custom (enter a name).
    • Certification Status — for example Certified or Not Certified.
    • Impact Level — None, Low, Medium, or High.
    • Effective Date, Expiry Date, and Period End Date.
    • Auditor / Certifying Body.
    • Reference URL.
    • Evidence file — drag a report or certificate into the upload area (PDF, image, or document).
  3. Click Save.

Each certification appears as a card showing its status badge, dates, auditor, impact, reference link, and a Download Evidence link.

Note: When a certification is Certified with an Expiry Date, Expiration Reminder automatically creates a reminder so you're warned before it lapses. Editing the status or expiry updates that reminder.

Step 4: Use the SOC 2 saved view

  1. Open Software → Software List.
  2. Click the SOC 2 expiring or missing tab.

This view surfaces every application whose SOC 2 Type II is expiring within 90 days or is missing — your at-a-glance compliance gap list. The SOC 2 Type II column shows each application's status and expiry.
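To show how the view's rules combine, here is an added example (not Expiration Reminder's own code) that classifies applications the way Step 4 describes: a SOC 2 Type II record is current only when it is Certified with an Expiry Date more than 90 days out, and everything else (missing record, Not Certified, no expiry recorded, already expired, or expiring within the window) is a gap. The data model, `Certification`/`Application` classes and the sample applications are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

SOC2 = "SOC 2 Type II"
WINDOW_DAYS = 90  # "expiring within 90 days" window used by the saved view

@dataclass
class Certification:
    cert_type: str
    status: str                    # e.g. "Certified" or "Not Certified"
    expiry: Optional[date] = None  # Expiry Date field; None when not recorded

@dataclass
class Application:
    name: str
    certifications: list = field(default_factory=list)

def soc2_gap_reason(app: Application, today: date) -> Optional[str]:
    """Return why an application lands in the 'SOC 2 expiring or missing'
    view, or None when its SOC 2 Type II is current (assumed rule set)."""
    certs = [c for c in app.certifications if c.cert_type == SOC2]
    if not certs:
        return "missing"
    # If several SOC 2 records exist, judge by the best one: Certified first,
    # then the latest expiry.
    cert = max(certs, key=lambda c: (c.status == "Certified", c.expiry or date.min))
    if cert.status != "Certified":
        return "not certified"
    if cert.expiry is None:
        return "no expiry date"  # also the case where no renewal reminder is created
    days_left = (cert.expiry - today).days
    if days_left < 0:
        return "expired"
    if days_left <= WINDOW_DAYS:
        return f"expiring in {days_left} days"
    return None

def soc2_gap_list(apps, today: date) -> dict:
    """Map application name -> gap reason, omitting applications that are current."""
    return {a.name: r for a in apps if (r := soc2_gap_reason(a, today)) is not None}

# Constructed sample data: one application per outcome.
TODAY = date(2025, 1, 15)
SAMPLE_APPS = [
    Application("Alpha", [Certification(SOC2, "Certified", date(2025, 3, 1))]),
    Application("Beta"),
    Application("Gamma", [Certification(SOC2, "Certified", date(2026, 1, 1))]),
    Application("Delta", [Certification(SOC2, "Not Certified")]),
    Application("Epsilon", [Certification(SOC2, "Certified")]),
    Application("Zeta", [Certification(SOC2, "Certified", date(2024, 12, 1))]),
]

def demo() -> dict:
    return soc2_gap_list(SAMPLE_APPS, TODAY)
```

Running `demo()` reproduces the gap list for the sample data; Gamma is absent because its certification is current.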

Step 5: Request an updated SOC 2 in bulk

  1. On the Software List, select one or more applications using the row checkboxes.
  2. Click Request updated SOC 2 in the grid toolbar.

Expiration Reminder sends one email per selected application to the best available contact (the vendor's primary contact, the invoice sender, or the owner). A summary tells you how many were sent, skipped, and failed.

Step 6: Export the Vendor Security Profile

  1. On the Security Posture tab, click Download Security Profile.

A PDF is generated and downloaded with the application's certifications and operational security details — useful for audits and vendor reviews.

Tracking Vulnerabilities (CVEs)

The Vulnerabilities tab shows known security issues (CVEs) reported for the application.

  1. Open the application and click the Vulnerabilities tab.
  2. You'll see the current severity badge, the number of open CVEs, the highest CVSS score, and when the data was last checked.
  3. The Open CVEs list shows each CVE's ID (linked to the public NVD entry), CVSS score, severity, publish date, and description.

To pause alerts for a vulnerability you've assessed and accepted:

  1. Click Suppress.
  2. Enter a required reason and a suppress until date.
  3. Click Suppress. The reason is recorded in the Audit Log. Click Unsuppress to resume alerts.

Note: CVE data is refreshed automatically each day. If it can't be refreshed, the tab shows a stale data warning with the date the problem started.

Tips & Best Practices

  • Attach the actual report as the Evidence file so auditors can open it directly from the record.
  • Set the Expiry Date on every certification so the renewal reminder can do its job.
  • Use the SOC 2 expiring or missing view before audits to close gaps early.
  • When you suppress a CVE, write a clear reason — it becomes part of your audit trail.
Troubleshooting

  • Issue: I didn't get a certification-expiry reminder. Solution: The certification must be Certified with an Expiry Date set. Open the certification and confirm both.
  • Issue: The Download Security Profile button is missing. Solution: It requires view permission for software applications.
  • Issue: The Vulnerabilities tab shows a stale-data warning. Solution: The automated CVE refresh has been failing. Contact your administrator — this is usually a back-end configuration issue.