> ## Documentation Index
> Fetch the complete documentation index at: https://docs.vendexlabs.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Vendors & products

> How VendexLabs models vendors, profiles, products, and vendor lists.

Understanding how VendexLabs represents vendors makes everything else — scoring, assessments, imports, and the API — easier to follow.

## Vendors

A **vendor** is a third-party company you depend on. Vendors are global entities in VendexLabs: the same 1Password or AWS record is shared across the platform, which is what lets enrichment and monitoring be done once and reused.

When you add a vendor VendexLabs already knows, it's recognized instantly. When you add one it hasn't seen, VendexLabs creates a new vendor record and enriches it from public sources.

## Vendor profiles

Each vendor has a **profile** — the researched dossier that powers scoring and the vendor detail pages. A profile includes:

* Company description, industry, headquarters, and business type
* Security posture and compliance certifications
* Privacy controls and the data the vendor collects
* Breach and threat history
* Business and financial maturity signals
* Risk scores and the latest GRC assessment

Profiles are generated automatically and refreshed on a schedule, so the picture stays current rather than freezing at the moment of onboarding.

## Products

A vendor can offer more than one product, and you may use them differently. VendexLabs lets you track **products** as separate line items under a vendor — for example, Automox's "Autonomous Endpoint Management" appears as a product row beneath the Automox vendor.

<img src="https://mintcdn.com/vendex-labs/cF_gRQxu5ZE_JthB/images/portfolio-products.png?fit=max&auto=format&n=cF_gRQxu5ZE_JthB&q=85&s=f177d967af2bba4b4e16a8585ae5d5ec" alt="Vendors page showing a vendor expanded to reveal its product line" width="2560" height="1656" data-path="images/portfolio-products.png" />

Products are optional. If you don't need product-level tracking, a single vendor row is enough.

## Vendor lists

Your organization's tracked vendors live on a **vendor list**. Every account has a default list called `master-list`. A list holds:

* **Membership** — which vendors (and products) you track
* **Dependency tier** — how critical each vendor is to you
* **Alert settings** — whether incident monitoring is on for that vendor

Because tier and alert settings live on the *list membership*, two organizations can track the same vendor with completely different context.

<Note>
  Custom vendors — ones not already in the shared catalog — are enriched when you add them. Each organization can add up to **500** distinct custom vendors.
</Note>

## How this maps to the API

| Concept         | API object         | Notes                                       |
| --------------- | ------------------ | ------------------------------------------- |
| Vendor          | `Vendor`           | Global; `id`, `name`, `website_url`         |
| Profile         | `VendorProfile`    | Enriched dossier and scores                 |
| Product         | `VendorProduct`    | Global (enriched) or org-scoped (custom)    |
| Vendor list     | `VendorList`       | Per account; `master-list` by default       |
| List membership | `VendorListVendor` | Carries `dependency_tier`, `alerts_enabled` |

See the [Data models](/api/data-models) reference for full field lists.
