Managing the Third-party portal

  • Release version: Yokohama
  • Updated March 12, 2026
  • 5 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Managing the Third-party portal

    The Third-party portal in ServiceNow's Third-party Risk Management (TPRM) application is the primary interface where third-party contacts interact with your risk assessment team. It allows third-party representatives to respond to questionnaires, submit documentation, handle tasks, and address issues related to third-party risk assessments. This portal is essential for streamlining communication and managing risk assessment workflows with external vendors.

    Show full answer Show less

    Third-party Contacts and Roles

    • Primary Contacts: Assigned individuals who receive assessment questionnaires and can delegate tasks or update contact information. Each third party must have at least one primary contact.
    • Secondary Contacts: Can view and respond to assigned assessments and manage their own portal credentials.
    • Third-party contacts automatically receive the vendorcontact role for portal access and the sncexternal role to restrict access exclusively to the portal, enhancing security.

    Only authorized internal roles (Third-party editor, TPR manager, TPR assessor, or the primary contact) can create and manage these contacts.

    Tasks and Functionalities for Third-party Contacts

    • Respond to questionnaires and document requests through the portal.
    • Delegate questionnaires, tasks, and issues to other contacts (primary contacts only).
    • Manage notification preferences and contact details.
    • Use Microsoft Excel templates to download, complete, and upload questionnaires, enabling offline responses and improving due diligence efficiency.
    • Respond using SIG (Standardized Information Gathering) questionnaires either by uploading pre-filled spreadsheets or completing form-based questionnaires.
    • Reassign questionnaires to other team members, with ownership transfer handled automatically.

    Assessment Progress Tracking

    Questionnaires and document requests move through three states:

    • New: Sent but not yet started.
    • In progress: Responses have begun.
    • Completed: All responses provided and saved.

    Once all requests are completed, the assessment must be submitted from the assessment page to finalize the process.

    Assessment Assignment Rules

    • Third parties can have multiple contacts; engagements can include multiple contacts and allow a contact to participate in multiple engagements.
    • External assessments are assigned only to primary contacts.
    • Classic Assessment Engine: Assigns the questionnaire to the alphabetically first primary contact, who can complete and submit it.
    • Smart Assessment Engine: Assigns questionnaires to all primary contacts but designates the alphabetically first primary contact as the questionnaire owner responsible for submission. Other primary contacts can respond but not submit unless ownership is reassigned.

    Managing Third-party Contacts

    Users with the TPR assessor role can manage third-party contacts by:

    • Creating and disabling logins.
    • Resetting passwords.
    • Assigning roles and assessments.
    • Viewing and updating customer contact information and accessing completed assessments.

    Additionally, internal assessors can respond on behalf of third parties if configured via the property snsvdp.allowassessoredit.

    Accessing and Using the Portal

    • Third-party contacts access the portal via a specific URL pattern ([your instance URL]/svdp).
    • An FAQ page within the portal provides answers to common questions, such as managing users and contacts.
    • The portal displays your organization's name as configured in system properties, reinforcing brand consistency.

    Practical Benefits for ServiceNow Customers

    • Enables efficient and secure collaboration with third parties during risk assessments.
    • Supports multiple contact roles with clear delegation and submission responsibilities.
    • Offers flexible questionnaire response methods, including Excel templates and SIG questionnaires.
    • Tracks assessment progress clearly, ensuring timely completion and submission.
    • Allows internal management of contacts and assessments to maintain control and oversight.

    Third-party contacts respond to questionnaires, requests for documentation, tasks, and issues on the Third-party portal. The portal is the point of interaction between third parties and risk assessors.

    Third-party contacts

    Third-party contacts are the individuals that represent the third party. By using the third-party portal, they can respond to questionnaires, work on tasks, and address issues that your third-party risk assessment team raises. Third-party contacts are either primary or secondary contacts. The primary contact is the assigned individual who receives the assessment questionnaires. Each third party must have at least one primary contact. The Third-party editor [vendor_editor], Third-party Risk (TPR) manager [sn_vdr_risk_asmt.vendor_risk_manager], TPR assessor [sn_vdr_risk_asmt.vendor_assessor], or the primary contact can create third-party contacts.

    You assign the primary contact responsibility to the third-party contact who can directly answer assessment questions or assign another contact at the third party to answer the questions. Primary contacts can manage other contacts for the third party.

    Third-party contacts are automatically assigned two roles: vendor_contact and snc_external. The vendor_contact role provides third-party contacts with access to the Third-party portal, while the snc_external role is a safeguard that restricts access only to the portal. The snc_external role helps prevent any unauthorized entry into your instance. For more information, see Set up third-party contacts.

    Note:
    Third-party contacts see your organization's name in all references on the Third-party portal. You specify the name in the sn_vdr_risk_asmt.company.name property setting. See Configure TPRM properties.

    Tasks for third-party contacts

    The primary third-party contact can perform the following tasks:

    • Delegate questionnaires, tasks, and issues to other third-party contacts.
    • View and update the third-party contact information.
    • Update the notification preferences.

    Secondary third-party contacts can use the portal to perform the following tasks:

    • View and respond to "assigned to me" assessments.
    • Change a password or request a new password.
    Important:
    The third-party contact role should be used only for external contacts. The role prohibits access to the ServiceNow AI Platform and grants access only to the Third-party portal.

    Third-party contacts see the portal as shown in the following example.

    Figure 1. Third-party portal example
    Third-party portal as seen by a third-party contact.

    Questionnaire and document request states

    Progress is tracked in assessment requests and the progress is indicated by the state of the requests within the questionnaires and document requests. Here are the possible states for requests.

    New
    After questionnaires and document requests are sent out, they are in the New state.
    In progress
    After the third-party or engagement contact has started providing responses in a questionnaire or document request, the requests is in the In progress state.
    Completed
    After the third-party or engagement contact has provided responses for all questions in a questionnaire or document request and saved, the request is in the Completed state.
    Note:
    After all requests have entered the Completed state, you must return to the assessment page and submit the assessment.

    Responding to questionnaires using a Microsoft Excel template

    Third-party contacts can use a Microsoft Excel template to respond to questionnaires by downloading the template, completing it, and importing the final version into the Third-party portal. The Microsoft Excel questionnaire template contains instructions for filling out the template. This enables third-party contacts to provide information outside the third-party portal, streamlining the due diligence process. For more information, see Using a Microsoft Excel spreadsheet template for external questionnaires and Respond using a Microsoft Excel template.

    Responding to assessments using a SIG questionnaire

    Third parties can use the Shared Assessments Standardized Information Gathering questionnaire (SIG) to provide assessment documentation in the Third-party Risk Management application. The third-party contact can upload the pre-filled SIG spreadsheet or respond to a form-based questionnaire that is imported to the instance. For more information, see Using the SIG questionnaire for a risk assessment and Respond using the SIG.

    Note:
    Third-party contacts can reassign a questionnaire to another team member by selecting the more actions menu icon and selecting Reassign. After reassigning the questionnaire, they lose access to the questionnaire.

    Launching the portal

    Third-party contacts launch the portal by using [your instance URL]/svdp).

    Learning to use the portal—the FAQ page

    Third-party contacts can select FAQ to view answers to common questions, such as how to invite additional users to the portal and how to assign primary contacts to third-party or engagement records.

    Managing third-party contacts

    Users in your organization with the TPR assessor role [sn_vdr_risk_asmt.vendor_assessor] use TPRM to manage the following third-party contact activities:
    • Create a login for a new third-party contact.
    • Enable or disable a third-party contact login.
    • Reset a password for a third-party contact.
    • Assign a user role to a third-party contact.
    • Assign a third-party contact to an assessment.
    • View and update the customer contact information.
    • Access the completed assessments.

    For more information, see Set up third-party contacts and Manage the access for your third-party contacts.

    Note:
    If necessary, you can respond on behalf of third parties or engagements to questionnaires. See Respond to a questionnaire for a third party or engagement for more information.

    The Allow assessors to answer/edit questionnaires for third-party contacts property (sn_svdp.allow_assessor_edit) must be active. For more information on configuring this property, see Configure TPRM properties.

    Assessment assignments

    Third parties and engagements can each have more than one primary or secondary contact. A third party can have multiple contacts, but each contact belongs to only one third party. Engagements are more flexible; an engagement can include many contacts, and a single contact can participate in multiple engagements. These relationships determine how external assessments are assigned in the Classic assessment engine and the Smart Assessment Engine.

    External assessments are always assigned to primary contacts. When multiple primary contacts exist, the system automatically selects the alphabetically first primary contact as the initial assignee. The rules for who else is assigned and who can submit depend on which assessment engine your organization uses.

    Classic assessment engine

    When a Classic external assessment is generated for a third party or engagement, the system assigns the questionnaire to only one primary contact—the alphabetically first primary contact. Classic assessments don’t designate a questionnaire owner; the assigned primary contact can complete and submit the questionnaire.

    Smart Assessment Engine

    Smart assessments assign the questionnaire to all primary contacts of the third party or engagement. However, the Smart Assessment Engine introduces a questionnaire owner. The questionnaire owner is the alphabetically first primary contact and is responsible for submitting the assessment once all responses are complete.

    • The owner is selected automatically in alphabetical order by name.
    • The owner is the only primary contact who can submit the questionnaire.
    • Other primary contacts can respond to questions but can’t submit unless ownership is reassigned.
    Note:
    If needed, the owner can reassign the questionnaire using the Reassign option in the questionnaire’s more actions menu. After reassignment, the previous owner loses access.