Complete vendor compliance, end to end
Every feature in OnComply — from first vendor invite to audit-ready export. No integrations required to get started.
Full vendor lifecycle in one place
From first invite to renewal — every state of a vendor relationship tracked, auditable, and actionable.
Invitation & onboarding flow
Email-based vendor invitations with 72-hour expiring portal links. Resend, renew, or revoke at any time.
Vendor status tracking
Invited → Pending Review → Approved → Onboarded. Each status transition is logged with actor, timestamp, and reason.
Vendor profile collection
Legal entity name, contact details, billing address, business classification, entity type, and annual transaction volume — all collected and structured.
Onboarding groups
Segment vendors by type, contract, or requirement set. Move vendors between groups as relationships evolve.
Renewal portal links
When documents expire, send a targeted renewal link. Vendors return to a scoped portal showing only what needs to be updated.
Vendor activation controls
Activate or deactivate any vendor. Deactivated vendors are preserved in your audit trail but blocked from your eligibility checks.
Every document type. One vendor experience.
Vendors complete every requirement in a single portal flow on any device — without creating an account.
W-9 collection
Collect and store Form W-9 with automated extraction of name, TIN, entity classification, address, and signature.
Certificate of Insurance (COI)
Upload COIs and automatically extract policy number, coverage limits, effective dates, insured name, and insurer. Validate against your minimum coverage rules.
ACH authorization
Collect routing number, account number, account type, and account holder name — with e-signature consent and a formatted authorization PDF. Optional voided check upload.
Document fill and sign
Upload any PDF document with fillable fields. Vendors fill in the required information and sign through the portal. Full evidence package captured: signature image, geolocation, timestamp, and cryptographic digests.
Professional licenses
Collect license number, issuing authority, and expiration date. Validate against your required license types per vendor category.
Business licenses
State registration documents with entity type validation and expiration tracking.
Tax exemption certificates
Exemption certs with jurisdiction-specific validation rules and automatic expiration alerts.
Custom forms
Define your own structured fields — text, date, select, checkbox. Build any intake form directly in the platform.
Custom PDFs
Upload any document type and define exactly which fields to extract and validate.
Secure upload flow
Vendors upload directly to encrypted cloud storage. Files are validated for type and size. Cryptographic checksums verified on every upload.
Document versioning
Multiple versions per requirement. Previous versions preserved. Current version tracked and displayed clearly to admins.
Documents read, extracted, and validated automatically
The moment a vendor submits a document, it enters a three-stage processing pipeline. Nothing manual unless you choose it.
File validation & virus scanning
Every uploaded file is validated for MIME type integrity and scanned before any extraction begins. Invalid files are rejected automatically.
Automated field extraction
Documents are processed to extract structured data — coverage amounts, expiration dates, license numbers, tax IDs, entity names, and more. Results include a confidence score per field.
Configurable validation rules
Define exactly what passes for each requirement. Minimum insurance coverage amounts, required license types, valid entity classifications — all configurable per onboarding group.
Confidence scoring
Every extracted field returns a confidence percentage. Low-confidence extractions are flagged for human review before any automatic pass/fail.
Manual review queue
Documents with failed scans, flagged validations, or low confidence land in a structured review queue with extraction details and manual override capability.
Manual field override
Admins can correct any extracted field and document the reason. Override history is preserved and auditable.
Validation override
Mark a document as passing or flagged, with a documented reason. The full validation history is preserved — nothing is overwritten.
Expiration field configuration
Per requirement, configure which extracted field drives the expiration date and what grace period applies before the vendor is flagged.
Extraction accuracy metrics
Track extraction accuracy per document type and field over time. Feed back corrections to continuously improve validation performance.
Document fill and sign — built right in
Upload any PDF, define fillable fields, and let vendors fill and sign directly in the portal. No DocuSign or third-party integration needed.
Upload any PDF document
Upload contracts, NDAs, service agreements, onboarding forms, or any other document you need vendors to fill out and sign.
Define fillable fields
Place fillable fields anywhere on the document — text inputs, checkboxes, date pickers, and signature fields. Mark fields as required or optional with default values.
Onboarding group association
Associate contract templates with specific onboarding groups. Different vendor types can sign different contracts automatically.
Template versioning
Upload new versions of contracts. Historical signed copies are preserved against the template version that was current at signing.
Fill and sign in the portal
Vendors fill in every field and sign through the portal with a drawn or typed signature. Completed values and signature are embedded into the PDF and stored alongside the evidence package.
Cryptographic evidence
Every signed document generates a detailed evidence package: cryptographic digests of the template PDF, the signed PDF, the consent text, and the signature image. Field values are snapshotted and hashed.
Complete event log
Load, focus, change, and sign events captured with millisecond timestamps. Authentication method and token ID recorded at signing.
Geolocation capture
Latitude, longitude, and accuracy captured at signature time with vendor consent. Timezone and locale recorded.
Signed PDF storage
The completed signed PDF is stored in encrypted cloud storage. Admins can download it at any time. Vendors can be sent a copy.
Collect and protect bank account information
ACH data is encrypted end-to-end with step-up authentication required for any admin to view full details.
Full ACH collection
Routing number (9-digit with checksum validation), account number, account type (checking, savings, or business checking), and account holder name.
E-signature authorization
Vendors sign a standardized ACH authorization form electronically. Authorization text is versioned and the signature is embedded into a generated PDF.
Optional voided check
Require vendors to upload a voided check photograph (JPG or PNG) as supporting documentation for their banking information.
Full payload encryption
The complete ACH record — account details, authorization content, signer information, and vendor billing data — is encrypted with tenant-scoped envelope encryption backed by AWS KMS.
Masked display by default
Admins see only the last four digits of routing and account numbers, plus the account holder name. Full details require step-up authentication.
Step-up authentication
Viewing full ACH details requires a second authentication challenge beyond the standard login session — enforced at the API level.
Authorization PDF
A formatted authorization document is generated with all submission details. Stored in encrypted cloud storage and available for download with audit logging.
Submission audit trail
Timestamp, IP address, and session token ID recorded at submission. View access is tracked separately (who viewed, when).
Always know who is cleared — and who is not
OnComply maintains live compliance state for every vendor and surfaces it everywhere you need it.
Work eligibility
can_work flag per vendor. Updated in real time as document statuses change. Configurable blocking rules per requirement.
Payment eligibility
can_pay flag per vendor. Independently configurable from work eligibility. Finance teams can see payment status without seeing full document details.
Blocking scope and reasons
When a vendor is blocked, the system records whether they are blocked from work, payment, or both — plus the specific reason code.
Grace period management
Configure a grace period per requirement. Vendors remain eligible during the grace period after a document expires, giving them time to submit a renewal.
Compliance events log
An append-only log of every compliance state change — document validated, ACH submitted, contract signed, eligibility changed. Every event includes actor, timestamp, and metadata.
Upcoming expiration forecasting
See which vendors have documents expiring in the next N days. Dashboard view and export available.
Requirement completion funnel
See what percentage of your vendors have completed each requirement. Identify where vendors are getting stuck in the onboarding flow.
Tenant compliance settings
Configure compliance rules globally or per onboarding group. Rules have effective dates and update history.
Plug compliance status into your existing systems
OnComply is built to be a compliance data source, not a compliance silo.
Eligibility API — single vendor
Query any vendor's compliance status in real time — work eligibility, payment eligibility, blocking reasons, and upcoming expirations.
Eligibility API — bulk check
Check compliance status for multiple vendors in a single API call. Built for payroll and ERP sync jobs.
Scoped API keys
Generate API keys with specific permission scopes. Keys are hashed and salted in storage — no plaintext ever stored.
Webhook events
Subscribe to compliance changes, vendor invitations, onboarding completions, document uploads, validation failures, and upcoming expirations.
Webhook delivery
Signed POST requests with cryptographic signatures. Automatic retry with backoff. Delivery status tracked per event.
Webhook secrets
Shared secrets are encrypted at rest. Verify every webhook payload against the signature header before processing.
Webhook URL validation
HTTPS-only webhook URLs. Private IP ranges, localhost variants, and internal hostnames are blocked at registration time to prevent SSRF.
Audit-ready reports, available on demand
Every report is generated asynchronously and available for download with a time-limited secure URL.
Vendor compliance summary
All vendors with current status, blocking scope, and last-updated timestamp. The report your auditor will ask for.
Upcoming expirations report
Vendors with documents expiring in the next N days. Configurable window.
Requirement completion funnel
What percentage of vendors have completed each requirement. Exportable for board reporting.
Manual review queue export
All documents currently flagged or failing validation — with extraction details and the reason for flagging.
Insurance adequacy report
COI validation results — which vendors meet your coverage requirements and which do not.
E-signature detail report
Per-vendor contract signature evidence, including signing timestamp, authentication method, and evidence hash.
Audit access report
Full log of every support or admin access session — who accessed what, when, and with what authorization.
Exception report
Failed validations, processing errors, and documents requiring manual intervention.
Audit log export
The complete audit log — every action by every user, with IP, user agent, and full metadata — exportable as CSV.
Step-up auth for downloads
Export downloads require a second authentication challenge beyond the standard session, ensuring sensitive data is not accessible from a shared workstation.
Everything you need. Nothing you do not.
Start with the document types you need today. Add requirements as your compliance program grows.