Configure and publish a compliance intake form
This guide walks workspace admins through enabling, securing, and deploying a Parakeet Risk intake form for incidents, supplier issues, certification requests, and more.
Before you start
- You need admin-level access to your Parakeet Risk workspace.
- Decide who can create, view, triage, and export submissions.
- Draft a short privacy notice (sample provided below).
Step 1 — Enable intake forms
- Open your Admin Console.
- Navigate to the modules/settings area for forms or intake collection.
- Turn on the Intake Forms feature for the workspace or selected projects.
- Choose where submissions should route (e.g., EHS Control Center, Continuous Compliance queue, or Supply Chain Resilience queue) so owners can act immediately.
Screenshot placeholder: Intake Forms module toggle and default destination queue.
Step 2 — Set permissions and visibility
- Assign who can:
  - Create and edit form definitions (Admins/Owners)
  - View and triage submissions (Team leads or designated reviewers)
  - Export data and manage evidence (Compliance Officers/Risk Managers)
- For external stakeholders (contractors, suppliers), use link-based access with least privilege and disable workspace browsing.
- Review role design and least‑privilege tips in Access controls and roles.
Screenshot placeholder: Role mapping for Create/View/Triage/Export.
Step 3 — Define required fields
Create a clear, minimal set of required inputs to speed completion and improve data quality:
- Reporter identity (name and business email) or anonymous flag
- Submission type (Incident, Supplier Non‑conformance, Certification Request)
- Date/time and location
- Severity/impact (predefined scale)
- Description and root‑cause hypothesis (free text)
- Affected product/batch/material (with lookup if applicable)
- Attachments (photos, COAs, SDS, logs)
- Consent checkbox acknowledging the privacy notice
Tips
- Keep the first screen under 6 fields; move advanced details to a second section.
- Use field validations and dropdowns to reduce rework.
Screenshot placeholder: Field builder with Required toggles and validations.
Step 4 — Configure tokenized, expiring submission links
- Generate a tokenized link for each audience (e.g., employees, suppliers, contractors).
- Set expiration windows (for example, 7–30 days) and limit usage (one submission per token or per user).
- Restrict by domain allowlist (e.g., @yourcompany.com) when appropriate.
- Enable automatic revocation when a link is shared outside its audience.
- Optionally append tracking parameters to route to the correct queue or apply labels.
Screenshot placeholder: Token settings (expiry, single‑use, domain allowlist).
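To make the Step 4 settings concrete, the following added example (not Parakeet Risk code and not its token format) shows how expiry, single-use and a domain allowlist can be enforced together on an HMAC-signed token. The function names, claim names and in-memory stores are assumptions for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = secrets.token_bytes(32)  # assumption: per-deployment signing key
USED_IDS = set()                  # assumption: stand-in for a durable single-use store

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(body: str) -> bytes:
    return hmac.new(SECRET, body.encode(), hashlib.sha256).digest()

def issue_link_token(audience, ttl_days, allowed_domains, now=None):
    """Mint a token bound to one audience, an expiry and a domain allowlist."""
    now = time.time() if now is None else now
    claims = {"aud": audience, "exp": int(now + ttl_days * 86400),
              "dom": sorted(d.lower() for d in allowed_domains),
              "jti": secrets.token_urlsafe(9)}  # unique id for single-use tracking
    body = _b64(json.dumps(claims).encode())
    return f"{body}.{_b64(_sign(body))}"

def check_submission(token, reporter_email, now=None):
    """Return 'accept' or a 'reject: ...' reason; every failure path rejects."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        given = _unb64(sig)
    except ValueError:
        return "reject: malformed"
    # Verify the signature before parsing or trusting any claim.
    if not hmac.compare_digest(given, _sign(body)):
        return "reject: bad signature"
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        return "reject: expired"
    # Exact match on the part after the last '@'; no suffix or substring matching.
    domain = reporter_email.rpartition("@")[2].lower()
    if claims["dom"] and domain not in claims["dom"]:
        return "reject: domain not allowed"
    if claims["jti"] in USED_IDS:
        return "reject: already used"
    USED_IDS.add(claims["jti"])  # burn the token only after all checks pass
    return "accept"
```

The same cases (tampered, expired, wrong domain, reused) make a useful checklist for the test submissions in Step 7.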
Step 5 — Embed in your portals (optional)
You can publish the intake form where your teams already work:
- Share a secure link in internal portals (e.g., intranet, wiki, contractor hub).
- If your portal supports embedded web content, use the provided embed option and keep “Require token” enabled.
- For project tools, link the form from task templates so every project includes a compliant intake path. See automation ideas in Advanced intake automation with Rosella.
Screenshot placeholder: “Copy link / Copy embed” controls and example intranet page.
Step 6 — Add a privacy notice and consent
Include a concise notice that explains what you collect, why you collect it, and how it’s protected. Example language you can adapt with your legal team:
- “We collect the information you submit to investigate and mitigate operational, safety, and compliance risks. Submissions are stored with audit trails and access controls. Do not include patient PHI or trade secrets beyond what is necessary.”
- Add a checkbox: “I have read and agree to the privacy notice.”
- For regulated environments (e.g., 21 CFR Part 11 contexts), ensure electronic records and signatures align with your QMS and access policies.
Screenshot placeholder: Privacy notice and consent checkbox.
Step 7 — Test and go live
- Submit test entries covering each scenario (incident, supplier issue, certification request).
- Verify routing, notifications, and dashboards in the destination queues.
- Validate export/audit evidence and redaction rules.
- Rotate or expire any public tokens and publish the final link in approved channels.
Screenshot placeholder: Test submission flowing to EHS and Compliance queues.
Pattern — Supplier intake for TPRM (auto‑tiering + SLAs)
Use this pattern to publish a supplier‑facing intake that feeds your third‑party risk workflow and accelerates onboarding.
1) Create the supplier form and link
- Duplicate your general intake form and rename it “Supplier Intake,” or create a new form scoped to your TPRM project/queue.
- Generate a tokenized link just for suppliers and contractors. Set an appropriate expiry window and usage limits.
- Append routing labels to the link (for example: source=supplier‑intake, region=NA) so submissions land in your TPRM queue.
2) Required fields for tiering
Include these metadata fields up front to enable automatic risk tiering:
- Supplier industry
- Operating geography/region of service delivery
- Estimated annual spend band (e.g., <$100k, $100–500k, >$500k)
- Data exchange type (None, PII, PHI, operational/production data)
- Optional: supplier website/domain and primary contact email
Screenshot placeholder: Supplier Intake required fields and validations.
3) Auto‑tiering rules (example)
Define label‑based rules that set a Tier and route or require due diligence automatically. Adjust thresholds to your policy.
- Tier 1 (High): data exchange includes PII or PHI OR spend band >$500k OR service delivered in higher‑risk regions.
- Tier 2 (Medium): spend $100–500k OR operational/production data exchange; otherwise defaults to Tier 3.
- Tier 3 (Low): no sensitive data exchange and spend <$100k in standard regions.
Action on tier assignment
- Apply label: Tier: High/Medium/Low and route to the appropriate review queue.
- Trigger task templates (e.g., security questionnaire, certification checks) based on Tier.
Screenshot placeholder: Rule builder showing tier assignment and routing.
4) SLA tracking by tier
Attach SLAs to the destination queue so owners act on time.
- Initial review: High = 2 business days; Medium = 5; Low = 10.
- Due diligence completion: High = 15 business days; Medium = 30; Low = 45.
- Escalations: notify TPRM owner at 75% of SLA; auto‑escalate to Compliance at breach.
Screenshot placeholder: Queue SLA timers and escalations by Tier.
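The example tiering rules in 3) and the SLA thresholds in 4) can be checked against sample submissions before you build them in the rule builder. This is an added sketch, not the product's rule engine; the field codes, the placeholder region and the function names are assumptions, and "breach" is taken to mean elapsed time exceeding the SLA.

```python
from dataclasses import dataclass

# Assumed internal codes for the spend bands <$100k, $100-500k, >$500k.
SPEND_BANDS = {"lt_100k", "100k_500k", "gt_500k"}
DATA_TYPES = {"None", "PII", "PHI", "Operational"}
HIGH_RISK_REGIONS = {"REGION-PLACEHOLDER"}  # assumption: fill from your own policy
SLA_DAYS = {  # business days per tier: (initial review, due diligence)
    "High": (2, 15), "Medium": (5, 30), "Low": (10, 45)}

@dataclass
class SupplierIntake:
    region: str
    spend_band: str
    data_exchange: frozenset

def assign_tier(s):
    # Reject missing or unknown values instead of letting them fall through to Low.
    if (s.spend_band not in SPEND_BANDS or not s.data_exchange
            or not s.data_exchange <= DATA_TYPES):
        raise ValueError("missing or unrecognised spend band / data exchange type")
    if (s.data_exchange & {"PII", "PHI"} or s.spend_band == "gt_500k"
            or s.region in HIGH_RISK_REGIONS):
        return "High"
    if s.spend_band == "100k_500k" or "Operational" in s.data_exchange:
        return "Medium"
    return "Low"

def sla_action(tier, stage, elapsed_business_days):
    # stage is "initial_review" or "due_diligence"
    limit = SLA_DAYS[tier][{"initial_review": 0, "due_diligence": 1}[stage]]
    if elapsed_business_days > limit:
        return "escalate_to_compliance"   # SLA breached
    if elapsed_business_days >= 0.75 * limit:
        return "notify_tprm_owner"        # 75% of SLA consumed
    return "on_track"
```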
5) Privacy notice options for suppliers
- Standard: state that details are collected to evaluate supplier risk, qualifications, and compliance, stored with audit trails and least‑privilege access.
- Regional add‑ons: display region‑specific clauses (e.g., international data transfer, retention). Require a consent checkbox.
See also: Supplier onboarding workflow and end‑to‑end controls
- Learn the full onboarding steps, approvals, and evidence collection in Supplier Onboarding.
- Explore risk scoring, continuous monitoring, and certification tracking in the Third‑Party Risk Management hub.
Troubleshooting
- I don’t see Intake Forms in settings: Confirm you have admin privileges or contact your workspace owner.
- External users can’t open the form: Check token expiration, domain allowlist, and whether the link requires SSO.
- Submissions aren’t routing correctly: Review the destination queue mapping and any label‑based rules.
Related articles
- Enable intake forms: Turn on the Intake Forms feature and select the destination queue.
- Set permissions and visibility: Assign who can create, view, triage, and export submissions; restrict external access.
- Define required fields: Add essential fields (type, severity, location, attachments) and validations.
- Configure tokenized, expiring links: Generate audience‑specific links, set expirations, and apply domain allowlists.
- Embed in portals: Share secure links or embed where your portal supports web content.
- Add privacy notice and consent: Display a concise notice and require a consent checkbox.
- Test and go live: Run end‑to‑end tests, verify routing and evidence, then publish final tokens.









