
Records Retention: How Long Do You Keep Vendor Documents?


Many of us have a tradition of spring cleaning every year, removing the clutter, both physical and digital, that has built up in our homes. Deciding how long to keep personal documents is difficult enough, and it is harder still for organizations with exponentially more data to manage. Records retention requirements are a common concern among vendor risk management professionals, so let's go through the basics.

General Regulatory Guidelines

Consider all the vendor information an organization needs to collect and store. The number of contracts, due diligence and risk assessments increases quickly when you have hundreds or even thousands of vendors. So, how long do you need to keep these documents? A typical retention period for many regulated industries is six years, as stated by the National Archives and Records Administration.


Exact retention periods will depend on the following factors:

  • Geographic location: Various local, state and federal laws determine how long vendor records must be retained. Furthermore, retention requirements will differ by country, with some being more stringent than others.
  • File type: Not all vendor records are created equal, so they don't all need to be stored for the same length of time. For example, expired vendor contracts are usually required to be retained for several years, while other documents, such as due diligence materials, typically have a shorter minimum retention period of at least three years. Be aware that auditors or examiners may request copies of your previous vendor risk management process documents to assess the program's strength or to see what improvements have been made.
  • Industry: Financial institutions, healthcare providers, federal contractors, etc. will each have their own data retention guidelines.

Here are a few examples of specific regulatory requirements:

  • Sarbanes-Oxley Act: "We are adopting rules requiring accounting firms to retain for seven years certain records relevant to their audits and reviews of issuers' financial statements."
  • PCI DSS Software Security Framework: "All Assessment Results and Related Materials must be made available to PCI SSC upon request for a minimum of three (3) years after completion of the applicable SSF Assessment."
  • Bank Secrecy Act: "In general, the BSA requires that a bank maintain most records for at least five years. These records can be maintained in many forms including original, microfilm, electronic, copy, or a reproduction."

6 Tips for Successful Vendor Records Retention

Retaining records can be a demanding task, but one that's necessary to maintain regulatory compliance and ensure that your organization's data remains easily accessible.


These tips will help make the process more efficient:

  1. Create a vendor record and information management (RIM) policy: If your organization doesn't already have a general RIM policy, it’s a good idea to implement one. A well-defined vendor RIM policy should include details on the organization’s information categories and the required length of time to retain them. This retention schedule should consider all regulatory requirements. It's also essential to establish who should access specific data and the disposal method.
  2. Determine business requirements: Developing a RIM policy and process involves more than just complying with regulations. The organization's business requirements must also be considered, and some data may need to be retained for longer than the law requires because of operational needs.
  3. Be sure to account for records subject to a legal hold: If the organization is involved in litigation, the retention process will likely have to be paused so the subpoenaed data won't be deleted once its retention period is over.
  4. Ensure there is board and senior management oversight: As with any other crucial vendor risk management activity, the board and senior management should approve your organization's vendor records retention strategy.
  5. Collaborate with your IT team: Your IT team should generally establish technical controls over your vendor data. They have the tools to ensure that the policy and procedures are followed.
  6. Consider the risks of over-retention: While it may be tempting to keep everything forever "just in case," retaining too much data for too long can have negative consequences. Storing old and obsolete data can be expensive. And the organization may not have the legal right to store some data beyond a specific period.
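The following is an added illustration, not Venminder's code or part of the original post, of how tips 1 through 3 and 6 can be encoded as a checkable retention schedule: each record category carries a regulatory minimum and a business requirement, the longer of the two wins, a legal hold pauses disposal regardless of dates, and a record whose category is missing from the schedule is never disposed of silently but flagged for policy review. The categories, retention years, vendor names and record IDs are constructed sample values, not figures from the article or from any regulation.

```python
from dataclasses import dataclass
from datetime import date

# Constructed retention schedule (hypothetical values): category -> (regulatory minimum, business requirement) in years.
# In practice this comes from the organization's vendor RIM policy and its legal/compliance review.
RETENTION_SCHEDULE = {
    "contract": (6, 7),          # business keeps expired contracts a year longer than the law requires
    "due_diligence": (3, 3),
    "risk_assessment": (3, 5),
}


@dataclass(frozen=True)
class VendorRecord:
    record_id: str
    vendor: str
    category: str
    end_date: date          # contract expiry or assessment completion: the retention clock starts here
    legal_hold: bool = False


def add_years(d, years):
    """Add calendar years; a 29 February start date falls back to 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_years(category):
    """Tip 2: retain for the longer of the regulatory minimum and the business requirement."""
    regulatory, business = RETENTION_SCHEDULE[category]
    return max(regulatory, business)


def disposal_date(record):
    """Earliest date on which the record may be disposed of, ignoring legal holds."""
    return add_years(record.end_date, retention_years(record.category))


def classify(record, today):
    """Decide what the retention process should do with one record as of `today`."""
    if record.category not in RETENTION_SCHEDULE:
        return "unscheduled"     # no policy entry: keep it and escalate (tip 1), never delete by default
    if record.legal_hold:
        return "legal_hold"      # tip 3: a hold suspends disposal even after the retention period
    if disposal_date(record) <= today:
        return "dispose"         # tip 6: past its period and not held, so keeping it is over-retention
    return "retain"


def disposition_report(records, today):
    """Group record IDs by required action so the result can be reviewed before anything is deleted."""
    report = {"dispose": [], "legal_hold": [], "retain": [], "unscheduled": []}
    for record in records:
        report[classify(record, today)].append(record.record_id)
    return report


# Constructed sample inventory; names and IDs are made up for the example.
SAMPLE_RECORDS = [
    VendorRecord("C-001", "Acme Cloud", "contract", date(2015, 3, 31)),
    VendorRecord("C-002", "Acme Cloud", "contract", date(2015, 3, 31), legal_hold=True),
    VendorRecord("DD-010", "Beta Payments", "due_diligence", date(2021, 6, 1)),
    VendorRecord("RA-022", "Beta Payments", "risk_assessment", date(2019, 2, 28)),
    VendorRecord("X-999", "Gamma Ltd", "soc_report", date(2018, 1, 1)),   # category not in the schedule
]
TODAY = date(2024, 1, 15)   # fixed "today" so the example is reproducible

if __name__ == "__main__":
    for action, ids in disposition_report(SAMPLE_RECORDS, TODAY).items():
        print(f"{action:12s} {', '.join(ids) or '-'}")
```

The report is deliberately advisory: it groups records by action rather than deleting anything, so the IT team (tip 5) can wire it to a review step or an approval workflow, and the "unscheduled" bucket surfaces gaps in the schedule that the policy owner needs to close.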

Always make sure to review regulatory requirements and any state and federal laws. Also, don’t forget to consult with your organization's legal and compliance teams. With a good vendor record retention policy in place, your organization doesn't have to be buried under mountains of vendor data and records.
