Vendor Due Diligence Platform

Every exam includes
vendor oversight.

Reg S-P requires RIAs to document oversight of third-party service providers. There's no standard tooling — most firms are managing it with spreadsheets and email. Redan provides the structure: DDQ workflow, risk classification, signed CCO memo, and Blue Folio §4.

Book a Demo
Redan — Vendor Due Diligence Platform
×
Product screenshot
Signed Determination MemoDocument Expiry TrackingBlue Folio §4WORM-CompliantUnlimited Vendors

What It Does

Four capabilities. One complete vendor record.

Vendor Portal & DDQ

Vendors complete a structured DDQ at a unique URL — no Redan account required on their side. SOC 2 reports, insurance certs, and policy docs attach per question, already organized for your review.

Expiry & Renewal Tracking

Contract end dates, SOC 2 expiry, and cert renewals compute a live status for every vendor. When something lapses, it surfaces immediately — not on exam day.

CCO Determination Memo

CCO reviews responses, notes gaps, attaches cure conditions, and signs. The memo is sealed — immutable, tamper-evident, and exportable. This is the exam artifact.

No Gap in the Record

Initial intake, annual review, material change, and incident response each have a structured workflow. Every situation produces a signed memo. Nothing falls through.

The Record

Three steps. Vendor on file. Every time.

01

Add vendor + classify risk

Enter the vendor. Critical, High, Medium, or Low assigned from operational criticality and data sensitivity. No judgment calls.

02

Send DDQ — vendor self-reports

A unique URL goes to the vendor. They complete the questionnaire and attach SOC 2 reports, certs, and policy docs per question. No Redan account required.

03

CCO reviews + signs memo

CCO reviews responses, notes gaps, attaches cure conditions if needed, and signs. Record is sealed — immutable, timestamped, exam-ready.

Use Cases

How CCOs manage vendor oversight.

Annual Vendor Review

21 vendors. Renewal window opens 90 days out. CCO starts annual assessments, sends DDQs. All 21 re-determined and current before the governing date.

New Vendor Intake

Trading platform onboarded. DDQ completed. SOC 2 attached. CCO determination signed. Blue Folio §4 updated. On file in 48 hours.

Security Incident

Vendor reports a data exposure. Incident logged with context. DDQ sent same day. CCO determination with required remediation steps on file.

SEC Exam

Examiner requests vendor oversight evidence. Export Blue Folio §4 — every vendor with its DDQ, signed memo, and any cure conditions in force.

Get Started

Every vendor reviewed. The record is sealed.

Initial intake to annual review to security incident — every situation produces a signed CCO memo and an updated Blue Folio §4.

Book a Demo