Managing the Third-party portal

  • Release version: Zurich
  • Updated March 12, 2026
  • 5 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Managing the Third-party portal

    The Third-party portal is a dedicated interface where third-party contacts interact with your organization's third-party risk assessment team. It enables external contacts to respond to questionnaires, provide documentation, complete tasks, and address issues related to risk assessments. This portal facilitates streamlined communication and efficient due diligence between your organization and third parties.

    Show full answer Show less

    Third-party Contacts and Roles

    • Primary contacts: Assigned individuals who receive and manage assessment questionnaires; each third party must have at least one primary contact. They can delegate tasks and manage other third-party contacts.
    • Secondary contacts: Can view and respond to assessments assigned to them and manage their passwords.
    • Third-party contacts are assigned two roles: vendorcontact (provides portal access) and sncexternal (restricts access to only the portal to prevent unauthorized entry).
    • Only external contacts should have the third-party contact role, as it restricts access to the ServiceNow AI Platform.
    • The organization name displayed on the portal is configurable via the snvdrriskasmt.company.name property.

    Tasks and Portal Usage

    • Primary contacts can delegate questionnaires, tasks, and issues, update contact info, and manage notification preferences.
    • Secondary contacts can respond to assigned assessments and manage their passwords.
    • Third-party contacts can respond to questionnaires using the portal interface or by downloading, completing, and importing Microsoft Excel templates to simplify responses outside the portal.
    • Third parties can also use the Shared Assessments SIG questionnaire format either by uploading pre-filled spreadsheets or completing imported form-based questionnaires.
    • Questionnaire progress is tracked with states: New, In progress, and Completed. After all requests are completed, the assessment must be submitted from the assessment page.
    • Third-party contacts can reassign questionnaires to other team members but lose access after reassignment.
    • The portal is accessed via a URL formatted as [your instance URL]/svdp, and includes an FAQ section to help third-party users with common questions.

    Managing Third-party Contacts

    • Internal users with the TPR assessor role manage third-party contacts by creating logins, enabling/disabling accounts, resetting passwords, assigning roles, linking contacts to assessments, and accessing completed assessments.
    • Assessors can respond on behalf of third parties if the property snsvdp.allowassessoredit is enabled.

    Assessment Assignments and Engines

    • Each third party can have multiple contacts, but each contact belongs to only one third party. Engagements can have multiple contacts, and contacts can participate in multiple engagements.
    • External assessments are always assigned to primary contacts.
    • Classic assessment engine: Assigns the questionnaire to only the alphabetically first primary contact, who can complete and submit it.
    • Smart Assessment Engine: Assigns questionnaires to all primary contacts; however, only the alphabetically first primary contact (questionnaire owner) can submit the assessment after completion. Ownership can be reassigned if needed.

    Practical Benefits for ServiceNow Customers

    • Enables secure and efficient collaboration with third-party vendors through controlled access and role assignments.
    • Supports flexible response options using the portal or Microsoft Excel templates, accommodating vendors' preferences and improving response rates.
    • Provides clear tracking of questionnaire status and accountability through assignment and reassignment rules aligned with your organization's assessment engine.
    • Allows your internal risk assessment team to manage third-party contacts effectively, ensuring smooth administration of assessments and permissions.

    Third-party contacts respond to questionnaires, requests for documentation, tasks, and issues on the Third-party portal. The portal is the point of interaction between third parties and risk assessors.

    Third-party contacts

    Third-party contacts are the individuals that represent the third party. By using the third-party portal, they can respond to questionnaires, work on tasks, and address issues that your third-party risk assessment team raises. Third-party contacts are either primary or secondary contacts. The primary contact is the assigned individual who receives the assessment questionnaires. Each third party must have at least one primary contact. The Third-party editor [vendor_editor], Third-party Risk (TPR) manager [sn_vdr_risk_asmt.vendor_risk_manager], TPR assessor [sn_vdr_risk_asmt.vendor_assessor], or the primary contact can create third-party contacts.

    You assign the primary contact responsibility to the third-party contact who can directly answer assessment questions or assign another contact at the third party to answer the questions. Primary contacts can manage other contacts for the third party.

    Third-party contacts are automatically assigned two roles: vendor_contact and snc_external. The vendor_contact role provides third-party contacts with access to the Third-party portal, while the snc_external role is a safeguard that restricts access only to the portal. The snc_external role helps prevent any unauthorized entry into your instance. For more information, see Set up third-party contacts.

    Note:
    Third-party contacts see your organization's name in all references on the Third-party portal. You specify the name in the sn_vdr_risk_asmt.company.name property setting. See Configure TPRM properties.

    Tasks for third-party contacts

    The primary third-party contact can perform the following tasks:

    • Delegate questionnaires, tasks, and issues to other third-party contacts.
    • View and update the third-party contact information.
    • Update the notification preferences.

    Secondary third-party contacts can use the portal to perform the following tasks:

    • View and respond to "assigned to me" assessments.
    • Change a password or request a new password.
    Important:
    The third-party contact role should be used only for external contacts. The role prohibits access to the ServiceNow AI Platform and grants access only to the Third-party portal.

    Third-party contacts see the portal as shown in the following example.

    Figure 1. Third-party portal example
    Third-party portal as seen by a third-party contact.

    Questionnaire and document request states

    Progress is tracked in assessment requests and the progress is indicated by the state of the requests within the questionnaires and document requests. Here are the possible states for requests.

    New
    After questionnaires and document requests are sent out, they are in the New state.
    In progress
    After the third-party or engagement contact has started providing responses in a questionnaire or document request, the requests is in the In progress state.
    Completed
    After the third-party or engagement contact has provided responses for all questions in a questionnaire or document request and saved, the request is in the Completed state.
    Note:
    After all requests have entered the Completed state, you must return to the assessment page and submit the assessment.

    Responding to questionnaires using a Microsoft Excel template

    Third-party contacts can use a Microsoft Excel template to respond to questionnaires by downloading the template, completing it, and importing the final version into the Third-party portal. The Microsoft Excel questionnaire template contains instructions for filling out the template. This enables third-party contacts to provide information outside the third-party portal, streamlining the due diligence process. For more information, see Using a Microsoft Excel spreadsheet template for external questionnaires and Respond using a Microsoft Excel template.

    Responding to assessments using a SIG questionnaire

    Third parties can use the Shared Assessments Standardized Information Gathering questionnaire (SIG) to provide assessment documentation in the Third-party Risk Management application. The third-party contact can upload the pre-filled SIG spreadsheet or respond to a form-based questionnaire that is imported to the instance. For more information, see Using the SIG questionnaire for a risk assessment and Respond using the SIG.

    Note:
    Third-party contacts can reassign a questionnaire to another team member by selecting the more actions menu icon and selecting Reassign. After reassigning the questionnaire, they lose access to the questionnaire.

    Launching the portal

    Third-party contacts launch the portal by using [your instance URL]/svdp).

    Learning to use the portal—the FAQ page

    Third-party contacts can select FAQ to view answers to common questions, such as how to invite additional users to the portal and how to assign primary contacts to third-party or engagement records.

    Managing third-party contacts

    Users in your organization with the TPR assessor role [sn_vdr_risk_asmt.vendor_assessor] use TPRM to manage the following third-party contact activities:
    • Create a login for a new third-party contact.
    • Enable or disable a third-party contact login.
    • Reset a password for a third-party contact.
    • Assign a user role to a third-party contact.
    • Assign a third-party contact to an assessment.
    • View and update the customer contact information.
    • Access the completed assessments.

    For more information, see Set up third-party contacts and Manage the access for your third-party contacts.

    Note:
    If necessary, you can respond on behalf of third parties or engagements to questionnaires. See Respond to a questionnaire for a third party or engagement for more information.

    The Allow assessors to answer/edit questionnaires for third-party contacts property (sn_svdp.allow_assessor_edit) must be active. For more information on configuring this property, see Configure TPRM properties.

    Assessment assignments

    Third parties and engagements can each have more than one primary or secondary contact. A third party can have multiple contacts, but each contact belongs to only one third party. Engagements are more flexible; an engagement can include many contacts, and a single contact can participate in multiple engagements. These relationships determine how external assessments are assigned in the Classic assessment engine and the Smart Assessment Engine.

    External assessments are always assigned to primary contacts. When multiple primary contacts exist, the system automatically selects the alphabetically first primary contact as the initial assignee. The rules for who else is assigned and who can submit depend on which assessment engine your organization uses.

    Classic assessment engine

    When a Classic external assessment is generated for a third party or engagement, the system assigns the questionnaire to only one primary contact—the alphabetically first primary contact. Classic assessments don’t designate a questionnaire owner; the assigned primary contact can complete and submit the questionnaire.

    Smart Assessment Engine

    Smart assessments assign the questionnaire to all primary contacts of the third party or engagement. However, the Smart Assessment Engine introduces a questionnaire owner. The questionnaire owner is the alphabetically first primary contact and is responsible for submitting the assessment once all responses are complete.

    • The owner is selected automatically in alphabetical order by name.
    • The owner is the only primary contact who can submit the questionnaire.
    • Other primary contacts can respond to questions but can’t submit unless ownership is reassigned.
    Note:
    If needed, the owner can reassign the questionnaire using the Reassign option in the questionnaire’s more actions menu. After reassignment, the previous owner loses access.