Managing the Third-party portal
Summary of Managing the Third-party portal
The Third-party portal in ServiceNow’s Third-party Risk Management (TPRM) application serves as the primary interface for third-party contacts to respond to questionnaires, document requests, tasks, and issues raised by your risk assessment team. It facilitates efficient communication and collaboration between your organization and external third parties during risk assessments.
Third-party Contacts
Third-party contacts represent the external organization and interact via the portal. Contacts are categorized as either primary or secondary:
- Primary contacts receive assessment questionnaires and can delegate tasks, manage contact info, and update notification preferences. Each third party must have at least one primary contact.
- Secondary contacts can view and respond to assigned assessments and manage password requests.
Third-party contacts are assigned the vendor_contact role for portal access and the snc_external role to restrict their access to only the portal, protecting your instance from unauthorized access.
Tasks and Interaction in the Portal
- Third-party contacts can view and respond to assessments, delegate questionnaires, and update their information.
- Issue indicators appear only after issues are submitted and marked visible on the issue record.
- Assessment requests and document requests progress through states: New, In progress, and Completed.
- Comments in the portal automatically save when focus is moved away from the comment field.
- Third-party contacts can respond to questionnaires either directly in the portal or by uploading a Microsoft Excel template or a SIG (Shared Assessments Standardized Information Gathering) questionnaire.
- Questionnaires can be reassigned to other contacts within the same vendor or assessment team, with reassignment removing access for the previous owner.
Assessment Assignments and Roles
Third parties and engagements can have multiple contacts, but each contact belongs to one third party. Assignments and submission responsibilities differ based on the assessment engine:
- Classic Assessment Engine: Assigns the questionnaire to a single primary contact (alphabetically first). That contact can complete and submit the questionnaire.
- Smart Assessment Engine: Assigns the questionnaire to all primary contacts, but only the alphabetically first primary contact (the questionnaire owner) can submit it. Ownership can be reassigned as needed.
Managing Third-party Contacts
Your organization’s users with the TPR assessor role manage third-party contacts by creating logins, enabling/disabling access, resetting passwords, assigning roles, and linking contacts to assessments. They can also respond on behalf of third parties if the appropriate property is enabled.
Launching and Support
Third-party contacts access the portal via a URL specific to your ServiceNow instance. The portal includes an FAQ section to assist third-party users with common questions, such as inviting additional users and managing contacts.
Why This Matters
Using the Third-party portal enables streamlined, secure, and transparent communication between your risk assessment team and external third parties. It helps ensure timely responses to assessments and documentation requests, facilitates delegation within third-party organizations, and enforces role-based access to safeguard sensitive information.
Third-party contacts respond to questionnaires, requests for documentation, tasks, and issues on the Third-party portal. The portal is the point of interaction between third parties and risk assessors.
Third-party contacts
Third-party contacts are the individuals that represent the third party. By using the third-party portal, they can respond to questionnaires, work on tasks, and address issues that your third-party risk assessment team raises. Third-party contacts are either primary or secondary contacts. The primary contact is the assigned individual who receives the assessment questionnaires. Each third party must have at least one primary contact. The Third-party editor [vendor_editor], Third-party Risk (TPR) manager [sn_vdr_risk_asmt.vendor_risk_manager], TPR assessor [sn_vdr_risk_asmt.vendor_assessor], or the primary contact can create third-party contacts.
You assign the primary contact responsibility to the third-party contact who can directly answer assessment questions or assign another contact at the third party to answer the questions. Primary contacts can manage other contacts for the third party. Third-party contacts are automatically assigned two roles: vendor_contact and snc_external. The vendor_contact role provides third-party contacts with access to the Third-party portal, while the snc_external role is a safeguard that restricts access only to the portal. The snc_external role helps prevent any unauthorized entry into your instance. For more information, see Set up third-party contacts.
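The two-role pairing described above can be checked from an export of role grants. The following is an added example, not ServiceNow code: the `{user, role}` row shape, the severity labels, the sample users, and the choice to mark extra roles for review are all assumptions made for illustration.

```javascript
// Added example: audit role grants for third-party contacts.
// Role names come from the page; everything else is an assumption.
const PORTAL_ROLE = 'vendor_contact';  // grants access to the Third-party portal
const EXTERNAL_ROLE = 'snc_external';  // restricts the user to the portal only

// Group role names by user: Map<user, Set<role>>.
function rolesByUser(rows) {
  const map = new Map();
  for (const { user, role } of rows) {
    if (!user || !role) continue;      // skip incomplete export rows
    const key = user.trim();
    if (!map.has(key)) map.set(key, new Set());
    map.get(key).add(role.trim());
  }
  return map;
}

// Report contacts that have portal access without the external restriction,
// and contacts that hold roles beyond the expected pair.
function auditContacts(rows) {
  const findings = [];
  for (const [user, roles] of rolesByUser(rows)) {
    if (!roles.has(PORTAL_ROLE)) continue;  // not a third-party contact
    if (!roles.has(EXTERNAL_ROLE)) {
      findings.push({ user, severity: 'high', issue: 'missing ' + EXTERNAL_ROLE });
    }
    const extra = [...roles]
      .filter((r) => r !== PORTAL_ROLE && r !== EXTERNAL_ROLE)
      .sort();
    if (extra.length > 0) {
      findings.push({ user, severity: 'review', issue: 'additional roles: ' + extra.join(', ') });
    }
  }
  return findings;
}

// Constructed sample export (hypothetical users).
const sampleRows = [
  { user: 'alice@vendor-a.example', role: 'vendor_contact' },
  { user: 'alice@vendor-a.example', role: 'snc_external' },
  { user: 'bob@vendor-a.example', role: 'vendor_contact' },
  { user: 'carol@vendor-b.example', role: 'vendor_contact' },
  { user: 'carol@vendor-b.example', role: 'snc_external' },
  { user: 'carol@vendor-b.example', role: 'sn_vdr_risk_asmt.vendor_assessor' },
  { user: 'dave@corp.example', role: 'sn_vdr_risk_asmt.vendor_assessor' },
];

console.log(auditContacts(sampleRows));
```
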
sn_vdr_risk_asmt.company.name property setting. See Configure TPRM properties.
Tasks for third-party contacts
The primary third-party contact can perform the following tasks:
- Delegate questionnaires, tasks, and issues to other third-party contacts.
- View and update the third-party contact information.
- Update the notification preferences.
Secondary third-party contacts can use the portal to perform the following tasks:
- View and respond to "assigned to me" assessments.
- Change a password or request a new password.
Third-party contacts see the portal as shown in the following example.
Questionnaire and document request states
Progress is tracked in assessment requests and is indicated by the state of the requests within the questionnaires and document requests. The possible request states are:
- New: After questionnaires and document requests are sent out, they are in the New state.
- In progress: After the third-party or engagement contact has started providing responses in a questionnaire or document request, the request is in the In progress state.
- Completed: After the third-party or engagement contact has provided responses for all questions in a questionnaire or document request and saved, the request is in the Completed state.
Note: After all requests have entered the Completed state, you must return to the assessment page and submit the assessment.
Responding to questionnaires using a Microsoft Excel template
Third-party contacts can use a Microsoft Excel template to respond to questionnaires by downloading the template, completing it, and importing the final version into the Third-party portal. The Microsoft Excel questionnaire template contains instructions for filling out the template. This enables third-party contacts to provide information outside the third-party portal, streamlining the due diligence process. For more information, see Using a Microsoft Excel spreadsheet template for external questionnaires and Respond using a Microsoft Excel template.
Responding to assessments using a SIG questionnaire
Third parties can use the Shared Assessments Standardized Information Gathering questionnaire (SIG) to provide assessment documentation in the Third-party Risk Management application. The third-party contact can upload the pre-filled SIG spreadsheet or respond to a form-based questionnaire that is imported to the instance. For more information, see Using the SIG questionnaire for a risk assessment and Respond using the SIG.
Launching the portal
Third-party contacts launch the portal by using [your instance URL]/svdp.
Learning to use the portal—the FAQ page
Third-party contacts can select FAQ to view answers to common questions, such as how to invite additional users to the portal and how to assign primary contacts to third-party or engagement records.
Managing third-party contacts
- Create a login for a new third-party contact.
- Enable or disable a third-party contact login.
- Reset a password for a third-party contact.
- Assign a user role to a third-party contact.
- Assign a third-party contact to an assessment.
- View and update the customer contact information.
- Access the completed assessments.
For more information, see Set up third-party contacts and Manage the access for your third-party contacts.
The Allow assessors to answer/edit questionnaires for third-party contacts property (sn_svdp.allow_assessor_edit) must be active. For more information on configuring this property, see Configure TPRM properties.
Assessment assignments
Third parties and engagements can each have more than one primary or secondary contact. A third party can have multiple contacts, but each contact belongs to only one third party. Engagements are more flexible; an engagement can include many contacts, and a single contact can participate in multiple engagements. These relationships determine how external assessments are assigned in the Classic assessment engine and the Smart Assessment Engine.
External assessments are always assigned to primary contacts. When multiple primary contacts exist, the system automatically selects the alphabetically first primary contact as the initial assignee. The rules for who else is assigned and who can submit depend on which assessment engine your organization uses.
- Classic assessment engine: When a Classic external assessment is generated for a third party or engagement, the system assigns the questionnaire to only one primary contact: the alphabetically first primary contact. Classic assessments don’t designate a questionnaire owner; the assigned primary contact can complete and submit the questionnaire.
- Smart Assessment Engine: Smart assessments assign the questionnaire to all primary contacts of the third party or engagement. However, the Smart Assessment Engine introduces a questionnaire owner. The questionnaire owner is the alphabetically first primary contact and is responsible for submitting the assessment once all responses are complete.
  - The owner is selected automatically in alphabetical order by name.
  - The owner is the only primary contact who can submit the questionnaire.
  - Other primary contacts can respond to questions but can’t submit unless ownership is reassigned.
  Note: If needed, the owner can reassign the questionnaire using the Reassign option in the questionnaire’s more actions menu. After reassignment, the previous owner loses access.