Table of Contents
How To Import New or Existing Relationships
Importing Relationships
The Import Relationship feature lets you create a large number of relationships at once instead of running each through the New Relationship Wizard. You can also import existing relationships along with their prior assessment data.
Choose a Template
From the Import Relationship screen, download one of two CSV templates:
- New Relationship template — for relationships you have not yet assessed in VISO TRUST. Excludes legacy assessment fields.
- Existing Relationship template — for relationships you have already assessed elsewhere. Includes the additional (Legacy) Assessment fields so prior assessment data is preserved.
Important: The downloaded template includes one example row. Delete the example row before adding your own data.
Upload Rules
- Do not modify, rearrange, or delete the column headers — the importer matches by exact header text.
- Complete every column marked (Required).
- Formulas are not supported. Paste values, not formulas.
- Business Unit values are case-sensitive and must match a Business Unit that already exists in your org (or one consistently spelled across your file, which will be created on import).
- All Yes/No columns accept
Yes,No, or blank. Blank is treated asNo.
Column Reference
Relationship & Contact Columns
Column | Description | Requirement |
Client Username (Required) | Email address of the user who is creating the relationship in VISO TRUST. Must be an existing user in your org. | Required |
External ID (Optional) | Identifier from your own system (e.g., Jira ticket, GRC tool ID) for cross-referencing. | Optional |
Vendor Name (Required) | Legal or commonly used name of the third party. | Required |
Vendor Description (Optional) | Short description of the product, service, or relationship purpose. | Optional |
Vendor Website (Required) | Vendor’s primary URL. | Required |
Vendor Industry (Optional) | Industry classification of the vendor. | Optional |
Business Owner Email Address (Required) | Email of the internal business owner who will be contacted about this relationship. | Required |
Business Owner First Name (Required) | Business owner’s first name. | Required |
Business Owner Last Name (Required) | Business owner’s last name. | Required |
Business Owner Business Unit (Required) | Department the business owner belongs to (e.g., Engineering, IT, InfoSec, Finance). Case-sensitive. | Required |
Primary Third Party Contact Email Address (Optional) | Email of the vendor-side primary contact. | Optional* |
Primary Third Party Contact First Name (Optional) | Vendor contact first name. | Optional* |
Primary Third Party Contact Last Name (Optional) | Vendor contact last name. | Optional* |
Tag(s) (Optional - separated by commas) | Comma-separated tags. Letters, numbers, and spaces only. New tags are created automatically if they do not already exist. | Optional |
*Required when importing Existing Relationships with Automatic recertification — VISO TRUST needs the third-party contact to drive the recertification cadence.
Relationship Context
These columns describe how the third party interacts with your organization. Mark each with Yes if it applies to the relationship, No if it does not, or leave blank (treated as No). They drive how VISO TRUST scopes the assessment.
Column | Applies When |
Vendor Data Processing | The third party transmits, stores, or processes your organization’s data on systems they own or control (e.g., cloud-hosted data pipelines, payment processors, outsourced analytics). |
Network Integration | Your organization’s network is directly connected to the third party’s network (e.g., site-to-site VPNs, dedicated point-to-point circuits, AWS Direct Connect, Azure ExpressRoute). |
Third-Party Data Hosting | The third party physically hosts your data or equipment containing your data, without logical access to it (e.g., data center colocation, offsite backup tape storage, managed facility hosting). |
On-Site Physical Access | Third-party personnel physically enter your facilities that house IT infrastructure or systems (e.g., server rooms, telecom closets, data center floors). |
Vendor Logical Access | Third-party personnel require logical access to your computers, networks, or information systems (e.g., vendor staff with VPN credentials, contractors using internal tools, managed service providers). |
Technology Provider | The third party develops or supplies technology products for use by your organization or your customers (e.g., commercial software, SaaS, PaaS, IaaS, hardware appliances, firmware, embedded components). |
Personal Data Privacy | The third party processes, stores, or accesses personal or sensitive personal data on your behalf (e.g., employee PII, customer personal data, health records, GDPR / CCPA / HIPAA-regulated data). |
AI Systems | The third party develops, deploys, or integrates AI or machine learning systems that may affect your products, operations, customers, or data (e.g., LLMs, generative AI, automated decision-making, AI-powered analytics, inference APIs). |
Data Type Columns
Mark each Data Type column with Yes if that data type is involved in the relationship, No if it is not, or leave blank (treated as No). Each header in the spreadsheet is prefixed with Data Type - .
Column (in template) | Description | Examples |
Data Type - Authentication Credentials or Internal Encryption Keys | Credentials used to secure an account, or keys used to protect the most sensitive data in your organization. | Username/password combinations, API keys, TSI keys |
Data Type - PII and Additional Attributable Information | PII combined with any non-PII attributable information that together can put the customer at risk for social engineering. | Customer contact information combined with spending history |
Data Type - Sensitive PII | PII which, if lost, compromised, or disclosed without authorization, could result in substantial harm or inconvenience to an individual. | Customer names, addresses, and phone numbers combined with social security or credit card numbers |
Data Type - PII (Personal Identifiable Information) | Any information that permits the identity of an individual to be reasonably inferred by either direct or indirect means. | Customer names, addresses, and phone numbers not combined with sensitive identifiers |
Data Type - Employee Sensitive PII (Personal Identifiable Information) | Employee PII sensitive in nature, typically requiring breach notification in the event of unauthorized disclosure or loss. | Employee names paired with social security numbers or bank account numbers |
Data Type - Insider Information | A non-public fact regarding the plans or condition of a publicly traded company that could provide a financial advantage. | Acquisition plans, undisclosed earnings |
Data Type - Vulnerabilities | Undisclosed information regarding weaknesses that can be exploited by a threat actor. | Vulnerability scan reports, penetration testing reports |
Data Type - Proprietary and Confidential Information | Information your organization wishes to keep confidential. | Trade secrets, business plans, customer lists, contracts |
Data Type - Source Code | Any collection of code, possibly with comments, or any fully executable description of a software system owned by your organization. | Application source code repositories, internal build artifacts |
Data Type - Unrestricted Information | Information whose unauthorized disclosure, alteration, or destruction would result in little or no impact. | Published research, press releases |
Data Type - Less Sensitive Confidential Information | Information owned by your organization and not made publicly available in bulk, but routinely shared with partners or customers. | Employee work names and contact lists |
Data Type - Customer or Partner Proprietary Information | Information a third party wishes to keep confidential that has been entrusted to your organization. | Customer trade secrets, business plans, customer lists, contracts |
Data Type - Financial Reporting | Information or financial statements used to track, analyze, and report on business income and financial assets. | Accounting system data, monetary asset management system data |
Data Type - PCI (Payment Card Industry) Data | Cardholder Data (CHD), including unique Primary Account Numbers (PANs). | Customer credit or debit card information |
Data Type - Monetary Assets | Cash and cash equivalents, including digital or virtual. | Cash, direct bank account access, cryptocurrency wallets |
Data Type - PHI (Protected Health Information) | Any information about an individual’s health status, medical conditions, or healthcare services that can be linked to a specific individual. | Medical records, lab results, insurance claims |
Legacy Assessment Columns (Existing Relationship template only)
These columns appear only in the Existing Relationship template and capture the prior assessment so it can be loaded into VISO TRUST without re-running the workflow.
Column | Accepted Values | Requirement |
(Legacy) Assessment Start Date (Required) |
| Required |
(Legacy) Assessment Completion Date (Required) |
| Required |
(Legacy) Assessment Review Frequency (Required) |
| Required |
(Legacy) Assessment Recertification Type (Required) |
| Required |
(Legacy) Automatic Artifact Updates (Required) |
| Required |
(Legacy) Assessment Inherent Risk (Required) |
| Required |
(Legacy) Assessment Residual Risk (Required) |
| Required |
After Upload
Once the file is uploaded, VISO TRUST validates every row and reports any errors per line so you can correct them. Rows that pass validation are queued for relationship creation. New Business Owners are invited automatically; the Client Username on each row receives a confirmation when the import job completes.
