Products & Services: Vendor Relationship Scoping
Updated
by Gillian Langor
Overview
The Products & Services feature allows you to assess vendors at the level of an individual product or service. When you work with a vendor that offers multiple distinct products — such as a cloud platform, a productivity suite, or an AI tool — you can create a separate relationship for each one, each representing its own assessment context with its own notion of artifact relevance.
This means that artifacts discovered or collected under one product relationship are evaluated for relevance to that specific product or service, giving you a more accurate and focused risk picture than a single undifferentiated vendor relationship would provide.
Vendor organization metadata (such as company details and profile information) is shared across all relationships that reference the same organization, so there's no need to duplicate profile information — the product-level scoping is layered on top of the shared organizational foundation.
Key Capabilities
- Product/Service Management: Define products or services that are a part of any organization. Products are specific to your VISO TRUST tenant and can be created on the fly when setting up a new relationship. A simple search-or-create pattern lets you reuse existing products across multiple relationships.

- Product-Scoped Relationships: When creating a relationship, you can associate it with a specific product. Each relationship represents a distinct scope of engagement with that vendor.

- Artifact Relevance Classification: When a product is associated with a relationship, the platform automatically classifies discovered artifacts as:
  - Relevant to the specific product/service
  - Relevant to the parent organization only
  - Not relevant to the assessment
  These classifications are predicted automatically using AI and can be reviewed and overridden by your team, with structured reasons recorded for audit purposes.

- Artifact Filtering & Navigation: The relationship details page includes filter controls for relevance classification, artifact type, and public/private artifacts, making it easy to focus on what's in scope for a given assessment.

How Artifact Relevance Works
A note on how the classification logic behaves: artifact types that are inherently broad in scope (e.g., Terms of Service, Bug Bounty programs, general security whitepapers) are classified as relevant by default, since they typically apply at the organization level. Artifacts that are more commonly product-specific — such as penetration tests or certification reports (SOC 2, ISO certificates) — are evaluated more carefully, with the system attempting to identify whether the specific product is named within the artifact.
Predictions can always be overridden, and the reason for any override (automatic or manual) is recorded. If a product is later removed from a relationship, any previously excluded artifacts will not be automatically re-included, as there may be other reasons for their exclusion — your team would need to manually review those.