figma guide

Designing vendor risk assessment and third-party security reviews UI in Figma: questionnaires, scores, and handoff

Design vendor risk assessment and third-party security review UI in Figma with intake forms, questionnaire status, risk scores, app linkage, and Dev Mode specs for enterprise Security admin.

Published
Updated
Jul 18, 2026
Read time
7 min
Level
Intermediate

Quick answer

Vendor risk assessment UI helps Security teams evaluate third-party apps, OAuth integrations, and data processors before approval. Design an intake queue for new vendor requests; questionnaire wizard (SOC2, ISO, custom) with save-and-resume; risk score with tier (Low / Medium / High / Blocked); linkage to app approvals and API keys; annual re-review calendar; and evidence attachment for auditor export via compliance exports. Start from the Figma guides hub and pair with DLP, webhooks, security posture, and Dev Mode handoff.


Who this is for

  • Product designers building vendor intake, security questionnaire, and third-party risk dashboards for enterprise admin consoles.
  • Design system teams aligning risk tiers with badges, progress indicators, and tables.
  • Engineers implementing questionnaire schemas, scoring rules, re-review schedules, and app-install gates.

Vendor intake queue

ColumnContent
VendorName + logo
Request typeNew app / Renewal / Scope change
RequesterMember or Team Admin
Data accessRead / Write / Export / PHI tags
StatusDraft / In review / Approved / Blocked
Risk tierLow / Med / High / —
DueSLA countdown
VendorIntakeQueue
├── Header: Third-party reviews · [ New assessment ] [ Export register ]
├── Filters: Status · Tier · Data class · Overdue
└── Row: Slack OAuth · Scope change · jane@ · High · Due 2 days

Verdict: intake should block app install until review completes when org policy requires it—show blocked state on marketplace approval row.


Assessment detail page layout

VendorAssessmentDetail
├── Header: Acme Analytics · Risk: Medium · Next review: 2027-01-15
├── Tabs: Questionnaire · Evidence · Integrations · History · Notes
├── ScoreSummary: 72/100 · 2 open findings · SOC2 Type II on file
├── LinkedIntegrations: OAuth app · 2 webhooks · 1 API key
└── Actions: [ Approve with conditions ] [ Block ] [ Request more info ]
ZonePurpose
Score summaryComputed tier + trend vs last review
Open findingsFailed controls needing remediation
Integrations tabLive links to app, webhooks, tokens
HistoryPrior assessments and tier changes

Questionnaire wizard

Multi-step form with autosave—vendors or internal owners may complete over days:

StepContent
1. Vendor profileLegal name, HQ, subprocessors list
2. Data handlingCategories, retention, encryption, region
3. CertificationsSOC2, ISO 27001, upload reports
4. Access modelOAuth scopes, API key usage, admin roles
5. Incident historyBreaches last 24 mo, notification SLA
6. Reviewer sign-offSecurity Admin attestation
QuestionnaireStep — Data handling
├── What data categories does this vendor access?
│   ☑ Customer PII  ☐ Payment  ☐ Health  ☐ Source code
├── Data residency: US · EU · Other: ______
├── Encryption at rest: AES-256 ✓ (upload evidence)
└── [ Save draft ] [ Back ] [ Continue ]

Use form patterns with validation states; long questionnaires need progress stepper in sidebar.


Risk scoring and tiers

Transparent scoring—not a black box:

FactorWeightExample signal
Data sensitivity30%PHI / PCI elevates tier
Access breadth25%Org-wide OAuth vs user-level
Certification freshness20%SOC2 > 12 mo old → penalty
Incident history15%Breach in 24 mo → High minimum
Integration count10%Many webhooks + keys
TierPolicy effect
LowAuto-approve with annual review
MediumSecurity Admin approval + conditions
HighOwner approval + enhanced monitoring
BlockedInstall denied; existing integrations flagged
ScoreBreakdownDrawer
├── Data sensitivity: High — customer PII export scope
├── Access: Medium — read/write calendar
├── Certs: SOC2 expires 2026-09-01 ⚠
└── Recommended tier: Medium · Approve with DLP monitor

Surface vendor tier drift on security posture dashboard under Integrations domain.


Approve with conditions

Medium/High tiers often need guardrails—not binary approve/deny:

Condition typeExample UI
Scope limitMax OAuth scopes checkbox list
DLP modeForce monitor on Confidential
Seat capMax 50 connected members
Re-review date6 mo for High, 12 mo for Medium
Owner attestationRequired checkbox for High
ApproveWithConditionsModal
├── Approve Acme Analytics as Medium risk
├── ☑ Restrict to Marketing team only
├── ☑ DLP monitor on Confidential exports
├── Re-review: 2027-01-18
└── [ Confirm approval ] [ Cancel ]

Conditions write to audit log and appear on integration detail pages.


Linkage to app marketplace and API keys

One vendor record may map to multiple technical integrations:

Integration typeLink from assessment
OAuth appApp approval queue
API keyToken list filtered by vendor
WebhookEvent subscriptions
SCIM connectorDirectory sync (if IdP vendor)

When vendor tier drops to Blocked, show kill switch UI: revoke tokens, disable webhooks, uninstall app—with confirmation and audit trail.


Re-review calendar and renewals

SignalUI treatment
Review due in 30 daysWarning badge on queue
SOC2 report expiredAuto-escalate tier
Scope change detectedNew assessment triggered
Overdue > 14 daysPosture gap on dashboard
ReReviewCalendar
├── January: 4 vendors due · 1 overdue (highlight error)
├── Vendor: Legacy CRM · Overdue 18 days · Tier stale
└── [ Send reminder ] [ Start re-review ] [ Block integration ]

Annual vendor register export for auditors—include tier, last review date, conditions, linked integration ids.


Comparison: vendor review vs app approval vs posture gap

SurfaceQuestion answered
Vendor assessment”Is this supplier trustworthy for our data?”
App approval”Can members install this OAuth app?”
Posture gap”What org controls are misconfigured?”

A single OAuth request may spawn both app approval and vendor assessment—show linked records, not duplicate queues.


Common mistakes

MistakeWhy it hurtsFix
Approve/deny only—no conditionsHigh-risk apps run unrestrictedApprove-with-conditions modal
Questionnaire without autosaveLong forms abandonedDraft save per step
Risk score hiddenAdmins don’t trust tierBreakdown drawer
Vendor decoupled from API keysShadow integrationsLink all integration types
No re-review calendarStale SOC2 on fileDue dates + posture gap
Tier change without auditCompliance failureLog tier transitions
Blocked vendor still syncingData exfil riskKill switch with revoke all
Same UI as member app storeWrong mental modelAdmin assessment ≠ marketplace browse
Evidence uploads without virus scan noteSecurity theaterCopy about scan + retention
Vendor register not exportableAudit season scrambleOne-click register PDF

  1. Design intake queue with request types, SLA, and tier badges.
  2. Build questionnaire wizard with progress stepper and evidence uploads.
  3. Add score breakdown and tier recommendation with transparent weights.
  4. Create approve-with-conditions flow linking DLP, scope, and team limits.
  5. Wire integration tab to apps, keys, and webhooks.
  6. Add re-review calendar and overdue escalation to posture gaps.
  7. Annotate install gates and kill switch in Dev Mode.

FAQ

Does every OAuth app need a full vendor assessment?

Policy-dependent—Low-tier internal tools may use abbreviated checklist; PHI/PCI always full questionnaire.

Who fills the questionnaire—vendor or internal owner?

Both flows—external vendor portal link for SOC2 uploads; internal owner completes access-model steps.

Yes—data-handling step should reference org classification labels vendors may access.

Blocked tier vs DLP block?

Vendor block denies integration; DLP block restricts data movement—both can apply; show stacked badges.

Export for SOC2 vendor management evidence?

Vendor register PDF via compliance export—tiers, review dates, conditions, open findings.


Next steps

Share on X

§ Keep reading

Related guides.