A vendor can begin when the office can answer these questions:
- What work is approved, where will it happen, and how often?
- Who owns the vendor relationship and approves invoices?
- What physical access, digital access, information, or storage space does the vendor need?
- What is the approved price, and who can authorize extra charges?
- How will keys, accounts, equipment, stored items, and recurring billing be removed when the work ends?
Pause approval when a vendor needs after-hours entry, system access, sensitive records, recurring billing, or onsite storage and those details are still unresolved.
Choose the Right Onboarding Level
Match the intake process to the vendor’s access and impact. A one-time repair visit should not receive the same process as a provider handling payroll or managing company systems.
| Onboarding level | Use it for | Minimum record |
|---|---|---|
| Basic intake | One-time, visible work with staff onsite and no sensitive information or continuing access | Scope, approved price, service date, office contact, and invoice record |
| Controlled onboarding | Recurring services, office access, recurring invoices, or onsite supplies and equipment | Service schedule, access rules, billing terms, storage plan, vendor contacts, renewal date, and offboarding trigger |
| High-control onboarding | Vendors handling sensitive information, financial records, employee data, business systems, or administrator access | Data-handling rules, named accounts, permission limits, incident contacts, review dates, and account-removal process |
Basic intake fits work such as daytime repairs, one-time furniture assembly, pest control, or a local print order that does not use customer or employee data.
Controlled onboarding fits recurring cleaning, facilities maintenance, copier service, document destruction, office plant care, deliveries, and vendors that keep supplies or parts onsite.
Use high-control onboarding for managed IT, bookkeeping, payroll support, administrator access, or any provider that handles employee, client, financial, or regulated information. If the office cannot assign someone responsible for data handling or system access, do not treat the arrangement as routine office purchasing.
1. Define the Work Before Discussing Access
Write the service scope in terms that someone can recognize later. A vague agreement turns ordinary changes into billing disputes.
Record:
- Tasks included and excluded
- Office locations covered
- Service frequency or project dates
- Materials, equipment, or office support required
- Approved price or rate schedule
- Dollar limit for extra work
- Person authorized to approve changes
For cleaning, name the rooms, tasks, and frequency. For a repair visit, identify the equipment or area being repaired. For IT support, identify the covered systems, service hours, and escalation contact. For document storage, identify pickup, retention, retrieval, and destruction authority.
Do not use “as needed” as the whole scope for recurring work. It does not establish who decides what is needed or who approves the charge.
2. Limit Physical and Digital Access
Physical access should be limited by area, time, and purpose. A vendor may need entry to a supply closet, server room, reception area, or suite after hours; that does not mean the vendor needs unrestricted access to the office.
Document:
- The internal sponsor responsible for access
- Permitted areas and permitted hours
- Whether staff must be present or provide an escort
- Keys, badges, alarm codes, visitor procedures, or lockbox arrangements
- The access end date or removal trigger
For digital access, use named accounts rather than shared office logins. Record the account name, approved role, permissions, internal owner, and removal trigger. A provider may need administrator access for a defined task without receiving permanent access to every business system.
The NIST SP 800-53 Rev. 5 control families covering least privilege and external system services support a straightforward rule: give vendors only the access required for approved work, then remove it when that work ends.
3. Set Billing and Renewal Rules
Recurring charges need an owner before the first invoice arrives. Assign one person to review invoices against the approved scope and another approver only when the office’s financial process requires it.
Keep these items in the vendor record:
- Rates, service fees, minimum charges, and add-on pricing
- Invoice delivery method and payment contact
- Spending limit for unplanned work
- Recurring billing schedule
- Renewal date and cancellation notice period
- Person authorized to change or cancel the service
Review recurring invoices against the agreed work. This catches duplicate billing, charges that continued after cancellation, unapproved extra work, and price changes that appear in a monthly statement.
A vendor portal can help with scheduling or payments, but the office still needs its own record of approvals, access, and cancellation authority.
4. Account for Information, Storage, and Property
Information handling and onsite storage are easy to overlook because they may not appear on the first invoice.
When a vendor handles employee, client, financial, or regulated information, document the permitted use, transfer method, people who may receive the information, and contacts for a suspected exposure. Do not send sensitive records through a personal email account or give a vendor broad access because it is convenient.
Healthcare-adjacent offices need an added filter. A vendor that receives protected health information needs contractual and handling controls that match the organization’s HIPAA obligations. A vendor repairing a waiting-room chair does not need access to patient information.
For items left onsite, record the exact location and owner. “Back closet” is not enough. Name the room, cabinet, shelf, or storage cage, then note who can access it and what happens to the contents at the end of the agreement.
This applies to cleaning supplies, toner, replacement parts, loaner devices, paper records, and vendor-owned equipment. A janitorial service storing supplies in a locked closet or an IT provider leaving loaner equipment creates an ongoing office responsibility.
5. Build One Vendor Record and Plan the Exit
Keep each vendor’s documents together in a shared location with controlled internal access. A secure document system, shared drive folder, or operations platform can work when responsible staff can find the record without relying on one person’s inbox.
Include:
- Signed agreement, work order, or approved service terms
- Scope, locations, frequency, exclusions, and approval limits
- Vendor contacts and emergency or escalation contacts
- Internal relationship owner and invoice approver
- Physical access notes and digital access notes
- Billing terms, renewal dates, and cancellation rules
- Required insurance documents
- Storage and property record
- Completed offboarding record
Every access grant needs a removal trigger. Use a project completion date, contract end date, staffing change, scheduled review, or service cancellation. Without a trigger, temporary access often remains active simply because nobody returns to it.
The NIST Cybersecurity Supply Chain Risk Management guidance emphasizes understanding supplier relationships and dependencies. For a small office, that means knowing which vendors touch which locations, systems, records, and recurring payments.
Review Schedule
Vendor onboarding continues after the first invoice is paid.
- One-time vendors: Close the record after payment, property return, and access removal.
- Recurring facilities vendors: Review service scope, contacts, access, and invoices at renewal and when the office moves.
- Data or system vendors: Review user accounts, administrator permissions, data handling, and emergency contacts at least annually and after staffing changes.
- High-impact vendors: Review the arrangement after a security incident, service failure, office move, merger, or major scope expansion.
Final Approval Checklist
Use this list immediately before the vendor begins work.
- The scope names the work, location, frequency, exclusions, and extra-work approval limit.
- One internal owner is responsible for vendor communication and invoice review.
- Physical access is limited to the areas and hours required for the job.
- Digital access uses named accounts with only necessary permissions.
- Keys, badges, accounts, stored items, and recurring billing have an end date or offboarding trigger.
- Billing terms identify recurring charges, add-on work rules, renewal timing, and cancellation authority.
- Onsite supplies, equipment, or records have a defined storage location and owner.
- Escalation contacts cover missed work, urgent building issues, service outages, and data concerns.
- The agreement, contacts, access notes, and billing terms are stored in the vendor record.
- The vendor has a review date that matches its operational impact.
When to Hold Approval
Hold approval until the gap is resolved when the office cannot identify the scope, invoice owner, access sponsor, or offboarding plan.
Use a high-control process rather than a basic office checklist when the vendor will receive administrator access, process payroll, handle financial records, access regulated information, or support a critical business system. These arrangements need input from the person responsible for technology, finance, privacy, or legal obligations.
Do not approve a high-access vendor with “we will sort it out later” as the operating plan. It is far easier to delay a start date than to recover an untracked key, remove unknown system access, or dispute recurring charges with no documented approval.