💡 Feature requests

The addition of Automated Vendor Risk Assessments to the Vendor Management module would be great to have. This feature should allow for systematic evaluation of vendor security and compliance risks without manual intervention. Key functionalities: Ability to send automated risk assessment forms to vendors. Standardized risk scoring based on responses. Integration with vendor profiles for tracking and reporting. This enhancement would improve efficiency, reduce manual workload, and ensure a more consistent vendor risk evaluation process.

It would be great to have the ability to add custom fields to vendors. This would allow us to track important details such as: Has the contract been signed? Do they delete data within six months? Where is their data located? Where do they process their data?

Users need the ability to manually mark device requirements as completed for instance when the platform does not automatically detect them. Manually confirmed items should have a distinct visual indicator to differentiate them from automatically detected completions Proposed visual labeling: a blue checkmark instead of a green one; an "M" symbol for manual completion Use Case: A security team runs a compliance check, but the platform fails to detect a specific security setting due to a misconfiguration in the detection logic. The team verifies that the setting is correctly configured on the device through an alternative method (e.g., checking system settings directly or running a different security scan). Instead of waiting for a fix in detection logic, they manually mark the requirement as completed to ensure an up-to-date compliance status.

In case the Secfix Agent does not recognize applying one of the security requirements, users want to demonstrate compliance with the security requirements (e.g. PW Manager) & would like to have the option to upload proof. For example, they could provide a screenshot showing that the necessary configurations are in place. Use case: A company with strict BYOD policies allows employees to use personal devices but does not require installing an agent. To verify compliance, employees can manually confirm security settings (e.g. PW manager) and upload screenshots as evidence. This ensures compliance verification without needing automated detection.

Start supporting Leapsome as Human Resources (HR) System

Currently, users can only view mitigations in the risk register by hovering over them or entering edit mode. This makes it difficult to quickly review mitigation details without unnecessary clicks or extra navigation. Allow mitigations to be displayed in a more accessible way, such as: Expanding mitigation details when clicking on a risk. Adding a dedicated "View" mode that shows mitigations without requiring edits. Displaying mitigations in a structured, readable format within the risk register. Benefits: Improves usability by making it easier to review mitigations at a glance. Reduces friction in risk assessment and tracking especially while showing these to the Auditor during the External Audit. Enhances overall user experience in the risk management module.

The risk treatment checkmark is not intuitive enough (when it got overdue, I didn't know what to do, the fact that I should click on/complete the checkmark wasn't clear to me)

Introduce the ability to set a custom review date for policies uploaded to the platform. This feature would allow administrators to define a specific future date when users must review and re-accept policies. If no date is set, policies will remain active without triggering an automatic reset, despite they need to be re-accepted on a yearly basis. Use Case: A customer uploads new policies today but wants all users to review and re-accept them on January 1, 2026. By setting this custom date, the system will automatically remind the administrator and prompt users for re-acceptance on the specified day. This provides greater flexibility and control over policy management, ensuring that periodic reviews happen on the organization’s preferred schedule. If no review date is set, policies will stay in effect without requiring re-acceptance, preventing unnecessary disruptions.

Description: Add an Employee Onboarding Checklist under Monitoring > Manual Evidence, similar to the existing offboarding checklist Manual Evidence [Employee termination checklist]. This would help track InfoSec-related onboarding tasks like MFA setup, policy acknowledgment, and security training during the onboarding process, given we are not using the Secfix Awareness Training. Impact: Enhances compliance tracking for audits Aligns onboarding with security frameworks Ensures consistency between onboarding and offboarding processes

It would be great to have the option to display the Trust Center in multiple languages, such as English and Spanish.