Case Study

dōTERRA takes vendor security management to the next level with Whistic


dōTERRA® International is an integrative health and wellness company and the world leader in the Global Aromatherapy and Essential Oils market. Founded in 2008 and headquartered in Pleasant Grove, Utah, dōTERRA sources, tests, manufactures and distributes CPTG Certified Pure Therapeutic Grade® essential oils and essential oil products. With over five million dōTERRA Wellness Advocates and customers around the world, the dōTERRA corporate team realized that strong back-end safeguards were a must to protect the security and professional integrity of the dōTERRA brand, its vendors, and its customers.

Eric Sorenson joined the dōTERRA team as the company’s first-ever Chief Information Security Officer to work directly with the executive team and the complete management hierarchy to understand the implications of the business choices they are making with respect to information and cybersecurity risk. A security program builder by experience, Eric had been working in security for more than ten years before joining the dōTERRA team.

The Challenge

In today’s climate, it’s very common for major security breaches to occur as a result of third-party vendor relationships. Because of its unique business model, dōTERRA works with a large number of outside vendors, which makes it especially susceptible to outside threats.

Shortly after he started, Eric began looking for solutions to better manage vendor security assessments and to get better insight into the risks associated with third-party relationships. The company signed a 1-year contract with a GRC vendor to handle multiple aspects of its security risk management needs, including vendor risk management.

Unfortunately, this partnership provided more headaches than solutions for the dōTERRA team.

“After a three-day training, we were left to our own devices to customize and implement our security workflow,” Eric said. “This was a challenging, time-consuming process that required more than one full-time resource to handle, and we didn’t have that kind of time.”

Because of the cumbersome customization process, resource demands, and ongoing process issues, the dōTERRA team never actually got up and running on their GRC platform in the year they had their contract. Once the contract was over, Eric knew the dōTERRA team needed a more focused, ready-to-use solution to take vendor security management to the next level. With Whistic, Eric knew they were getting a purpose-built, ready-to-use solution that would be easy for internal team members, executives, and vendors to use – without a year-long onboarding process.

“We needed to make the decision whether or not to move forward with our GRC solution rather quickly, and we realized that the vendor management platform we were using just wasn’t going to work for us,” said Eric. “The other security-focused components, we could customize over time, but this first project was just too time-consuming. Because vendor security management is so critical to the success of our business, we needed a platform that was going to deliver value fast.”


The Solution

The dōTERRA team began using Whistic to manage vendor security assessments soon after. Instead of a year-long onboarding cycle with little guidance or visibility, the Whistic solution is extremely simple to use and purpose-built for vendor security management. Whistic also delivers the solutions needed in a time frame that’s manageable. The dōTERRA team was up and running on the Whistic platform – including building all custom forms and onboarding – in just 60 days.

“We were able to build a brand-new vendor security management process with Whistic in just two months,” said Eric. “When you contrast that with the year-long debacle we went through with our last GRC provider, the advantage of Whistic is clear.”

In addition to Whistic, dōTERRA leverages OneTrust to manage all GDPR compliance requirements. Although the OneTrust platform also offers vendor management capabilities, Eric and the dōTERRA team realized that it too didn’t suit their needs as well as Whistic.

“The Whistic platform offers everything we need from a vendor risk management standpoint, and it’s incredibly easy to use,” said Eric. “It’s definitely the most purpose-built, well-designed, and well-thought-out vendor risk management platform we’ve come across, and the fact that it’s located practically in our backyard doesn’t hurt either.”


The Results

With the Whistic platform in place managing all facets of the dōTERRA vendor security management protocol, dōTERRA can track and manage vendors like never before. With so many different vendors spread out around the world, Whistic gives dōTERRA visibility and insight into the various risks and threats.

Onboarding time nearly 6x faster

A measurable time savings by replacing time-consuming emails and Excel forms with automated Whistic forms and alerts.

More streamlined, rigorous business processes

The ability to pinpoint at-risk vendors, take the relevant data to team members for follow-up, and mitigate these threats before they can grow.

Executive-level reports for decision makers

Peace of mind for vendors that their critical information is protected and not simply managed via open-source email chains.

“Whistic is extremely simple, and it’s purpose-built with what we had in mind from a vendor management perspective. It’s perfect. Vendor management overall is such a critical part of risk management for a company like dōTERRA, and Whistic has given us the tools to seamlessly integrate this process into the larger risk management protocol. Whistic has made it easier for our team to do our jobs with the data and resources at our fingertips. Plus, vendors appreciate our new simple, secure process, so it’s been a win on both sides.”

Eric Sorenson, Chief Information Security Officer

