Tailor Your Inventory With Custom Fields and Guide Vendor Scout’s Research
Custom fields allow you to capture the vendor information that matters most to your organization. They also guide Vendor Scout, MineOS’s AI agent, to research vendors, populate relevant answers, and help complete your data mapping automatically.
For example, many organizations add custom fields to track things like:
- Security certifications
- AI usage
- Data transfer mechanisms
- Business ownership
- Vendor alternatives
This article explains how to:
- Add custom fields to data sources
- Write descriptions that help Vendor Scout understand the context
- Design fields that support TPRM, AI governance, compliance, and RoPA documentation
How to Add a Custom Field
- Navigate to Settings → Data Mapping → Customization
- Click New field in the bottom section under custom fields
- In the Used in dropdown choose: Data sources
- Fill in the following details:
  - Name – the field label that will appear in the data source page
  - Description – explains how the field should be used and helps Vendor Scout generate better suggestions
  - Type
    - Text
    - List of options
- Click Create
Once created, the field will appear on Data Source profiles under General.
Writing Descriptions That Help Vendor Scout
When creating custom fields, the description helps Vendor Scout understand what information it should look for when researching vendors.
Clear descriptions improve the likelihood that Vendor Scout can suggest or populate values automatically.
Field name: Sub-processors
Description: Third-party service providers used by the vendor to process or store customer data.
Why this works well
Vendor Scout may find this information from:
- vendor sub-processor lists
- privacy policies
- trust centers
Below is a table of recommended data fields you could add and let Vendor Scout populate for you:
| Name | Description | Type | Example Values (if type is list) |
| --- | --- | --- | --- |
| Entity Type | Identifies whether the data source is an external vendor, internal system, or affiliate entity. | List | External Vendor, Internal System, Affiliate / Subsidiary, Partner |
| Headquarters Location | Country where the vendor’s primary headquarters is located. | Text | |
| Privacy Policy URL | Link to the vendor’s public privacy policy describing how personal data is processed. | Text | |
| Alternatives | Alternative vendors or solutions that could replace this system if needed. | Text | |
| Security Certifications | Security certifications or attestations held by the vendor. | List | SOC 2, ISO 27001, ISO 27701, PCI DSS, HIPAA, CSA STAR, FedRAMP, Other |
| Data Protection Officer Contact | Contact information for the vendor’s DPO or privacy contact. | Text | |
| Incident Notification Timeline | Vendor’s stated timeframe for notifying customers of security incidents or breaches. | List | 24 hours, 48 hours, 72 hours, Within contractual SLA, Not specified |
| Data Subjects | Types of individuals whose personal data may be processed by the vendor. | List | Employees, Customers, Prospects, Contractors, Partners |
| Sensitive Data Processing | Indicates whether special category or highly sensitive data is processed. | List | Yes, No, Unknown |
| Data Retention Policy | How long the vendor retains personal data or customer information. | Text | |
| Server Locations | Countries or regions where data is stored or processed. | Text | |
| Data Transfer Mechanism | Legal mechanism used for cross-border data transfers. | List | Standard Contractual Clauses (SCCs), EU-US Data Privacy Framework (DPF), Binding Corporate Rules (BCR), Local Processing Only |
| Data Residency Options | Regions where the vendor allows customer data to be hosted. | List | US, EU, UK, Canada, APAC, Multi-region |
| Authentication Methods | Authentication options supported by the vendor. | List | SSO, SAML, OAuth, MFA, Username & Password |
| Uses Artificial Intelligence | Indicates whether the vendor uses AI or machine learning as part of its service. | List | Yes, No, Unknown |
| AI Training Data Usage | Whether customer or employee data may be used to train vendor AI models. | List | Yes, No, Unknown |
| Automated Decision Making | Indicates whether the system performs automated decisions affecting individuals. | List | Yes, No |
| AI Risk Classification | Internal classification of the vendor’s AI risk level. | List | Low Risk, Medium Risk, High Risk, Prohibited |
| Last Risk Review Date | Date when the vendor was last assessed as part of your risk or compliance review. | Text | |
| Cross-Border Transfer Mechanism | The legal mechanism the vendor relies on for transferring personal data across borders. | List | SCCs; BCRs; Adequacy decision; Other/unspecified; Unknown |
| AI Model / Vendor Disclosed | The AI model, model family, or AI provider publicly disclosed by the vendor. | Text | |
| AI Feature Type (Generative, Predictive, etc.) | The type of AI capability the vendor offers. | List | Generative AI; Predictive analytics; Recommendation; Classification; Clustering; Chatbot; Vision; Speech recognition; Fraud detection; Forecasting |
| AI description (website) | A short description of how the vendor uses AI and what feature or workflow it supports. | Text | |
| Retention / Retention Period | The vendor’s stated retention period for customer or personal data. | Text | |
| Deletion SLA After Termination | How long the vendor says it takes to delete data after the contract or service ends. | Text | |
| Backup Retention Window | How long backup copies of data may be retained by the vendor. | Text | |
| Certifications / Frameworks | The certifications, audits, or compliance frameworks the vendor publicly references. | List | SOC 1; SOC 2; SOC 3; ISO 27001; ISO 27701; ISO 27017; ISO 27018; PCI DSS; HIPAA; FedRAMP; GDPR; CCPA; COPPA; DPF; CSA STAR; Cyber Essentials; TISAX; NIST CSF; ISO 9001; HDS; other |
| Subprocessors | The third-party service providers the vendor uses to support delivery of its service. | Text | |
| Data Sharing / Selling Public Claim | The vendor’s public statement about whether it shares or sells data. | List | No selling; Shares with subprocessors only; Shares for marketing/ads; Sells data; Unclear |
| Privacy Policy Link | A link to the vendor’s privacy policy. | Text | |
| Trust Center / Security Passport Link | A link to the vendor’s trust center, security page, or equivalent security documentation hub. | Text | |
| Anti-Bribery / Code of Conduct Link | A link to the vendor’s code of conduct, ethics policy, or anti-bribery statement. | Text | |
| DPO / Privacy Officer Contact | The contact details for the vendor’s data protection officer or privacy contact. | Text | |
| DSR / Data Subject Rights Coverage | The data subject rights the vendor says it supports or honors. | List | Access; Erasure; Rectification; Portability; Objection; Restrict processing; Automated decision-making; Do not sell / Share; Transparency; Withdraw consent; Appeal; Non-discrimination; Sensitive data rights |
| Cookies / Tracking Technologies | The types of cookies or tracking technologies the vendor says it uses. | List | Essential; Functional; Analytics; Advertising; Performance; Social media; Tracking pixels; Necessary; Marketing; Share or sale; Unknown |
| CMP Vendor (Consent Management) | The consent management platform the vendor appears to use for cookies or consent collection. | List | OneTrust; Didomi; Cookiebot; UserCentrics; TrustArc; Custom; Unknown; other |
| Children’s Data Policy | The vendor’s public position on whether children’s data is allowed or restricted. | List | Under 13 prohibited; Under 16 prohibited; Under 18 prohibited; Allowed with consent; Unknown |
| Responsible AI / Bias-Fairness Public Commitment | Whether the vendor publicly states a commitment to responsible AI, fairness, or bias mitigation. | List | Yes (evidence link); No; Unknown |
| Explainability / AI Risk Disclosure | The types of AI governance, explainability, or risk transparency commitments the vendor publicly provides. | List | Human oversight; Bias testing; Fairness evaluation; Explainability methods; Transparency report; Model cards; Responsible AI principles; Ethics statement; Risk mitigation procedures; Absent |
| Human-in-the-Loop / Oversight Claim | Whether the vendor publicly states that humans review, supervise, or can override AI-driven outcomes. | List | Yes; No; Unknown |
| HQ / Primary Legal Entity Country | The country where the vendor’s headquarters or main legal entity is located. | List | Country name selected by the customer |
| Hosting Provider | The main cloud or infrastructure provider the vendor appears to rely on. | List | AWS; GCP; Azure; Own DC; Oracle Cloud; Other |
| Security Controls (TOMs) | The technical and organizational measures the vendor publicly describes for protecting data. | List | Encryption at rest; Encryption in transit; MFA; multi-factor authentication; SSO; RBAC; role based access; Audit logging; DLP; Vulnerability management; Pen-testing; penetration testing; Incident response; Disaster recovery; Business continuity; Backups; Data minimization; Access reviews; Segregation of duties; Security awareness training; Monitoring / SIEM; Endpoint protection; Key management; Secure SDLC; Patch management |