> ## Documentation Index
> Fetch the complete documentation index at: https://docs.vendexlabs.com/llms.txt
> Use this file to discover all available pages before exploring further.

# How VendexLabs works

> The moving parts of VendexLabs — vendors, tiers, scoring, and assessments — and how they fit together.

VendexLabs turns a scattered vendor program into a single, always-current system of record. This page explains the main building blocks and how they connect, so the rest of the documentation makes sense.

## The model in one picture

<Steps>
  <Step title="You maintain a list of vendors">
    Everything starts with your **vendor list** — the third parties your organization depends on. You add vendors from a shared catalog or import them from a spreadsheet. See [Vendors & products](/concepts/vendors-and-products).
  </Step>

  <Step title="VendexLabs enriches and scores each vendor">
    For every vendor, VendexLabs gathers public evidence and produces a **risk posture**: an aggregate score across five trust domains, plus a recommendation. See [Risk scoring](/concepts/risk-scoring).
  </Step>

  <Step title="You add context with a dependency tier">
    You tell VendexLabs how critical each vendor is with a **dependency tier**. Tiers weight how much each vendor moves your overall portfolio posture. See [Dependency tiers](/concepts/dependency-tiers).
  </Step>

  <Step title="You record a decision in an assessment">
    An **assessment** captures your review: business context, data collected, compliance notes, evidence, and an approval status. See [Assessments](/concepts/assessments).
  </Step>

  <Step title="VendexLabs keeps watch">
    Once a vendor is tracked, VendexLabs monitors public sources for incidents and surfaces them in **Recent Events**, and it snapshots your posture over time so you can see trends.
  </Step>
</Steps>

## Key terms

<ResponseField name="Vendor" type="global entity">
  A third-party company (e.g. 1Password, AWS). Vendors are shared across VendexLabs; your account references them through your vendor list.
</ResponseField>

<ResponseField name="Vendor profile" type="enriched data">
  The researched dossier for a vendor: company details, security and privacy posture, breach history, and scores. Generated automatically and refreshed over time.
</ResponseField>

<ResponseField name="Product" type="optional">
  A specific offering from a vendor (e.g. "Autonomous Endpoint Management" from Automox). Vendors can have one or more products, each tracked separately on a list.
</ResponseField>

<ResponseField name="Vendor list" type="per organization">
  Your organization's set of tracked vendors. The default list is called `master-list`. Membership on a list carries the vendor's dependency tier and alert settings.
</ResponseField>

<ResponseField name="Dependency tier" type="Core | Standard | Minimal">
  How critical a vendor is to your operations. Tiers weight each vendor's contribution to your portfolio posture.
</ResponseField>

<ResponseField name="Assessment" type="your decision">
  The record of your review of a vendor: context, data handling, compliance status, evidence, and approval decision — with a full audit log.
</ResponseField>

<ResponseField name="Portfolio posture" type="tier-weighted score">
  The tier-weighted average of your vendors' latest scores — a single number for the health of your whole program.
</ResponseField>

## How the pieces relate

* A **vendor** can appear on many organizations' lists, but each organization keeps its own **dependency tier**, **assessment**, and **alert settings** for that vendor.
* The **risk score** comes from public evidence about the vendor and is the same underlying research everywhere; the **recommendation** is sharpened by *your* integration depth.
* Your **portfolio posture** is derived from the latest scores of the vendors on your list, weighted by tier.

<Card title="Ready to try it" icon="rocket" href="/quickstart">
  Follow the Quickstart to add a vendor, review its posture, and record a decision.
</Card>
