runbookify
← All plans
Compliance, Quality & Risk / Vendor / Third-party Risk

Certificate of Insurance (COI) Tracker

Build your own internal tool that collects each vendor's certificate of insurance, reads the coverages, limits, and dates, checks them against your required minimums, and reminds you before every COI expires - with a human approval gate before any vendor is marked compliant.

IntermediateA weekendBuilds onNext.js (App Router) on VercelSupabase (Postgres + Storage + Auth with RLS)Resend (expiry and deficiency email reminders)
What you'll build

A private web app where you upload a vendor's COI, the agent reads the key facts, you verify them against your requirements, mark the vendor compliant or deficient, and get automatic reminders before each policy expires - plus a clean compliance-matrix CSV export.

Gated download

Enter your email — the plan downloads instantly and a copy lands in your inbox.

By submitting your email you'll also receive the weekly runbookify newsletter. You can unsubscribe at any time.

Before you start

  • A free Supabase account
  • A free Vercel account
  • A free Resend account (for reminder emails)
  • Your vendor list and your required-coverage rules (even a rough version in a spreadsheet)
  • A handful of real COI PDFs to test with

The problem this kills

Vendor certificates of insurance pile up in an email folder, a shared drive, and a spreadsheet that nobody trusts. Someone has to open each PDF, squint at the coverage types and limits, check whether your company is listed as additional insured, note the policy dates, and then remember - months later - to chase the renewal before it expires. Miss one, and you've got an uninsured contractor on site or a contract clause you can't defend in an audit.

The painful part isn't the insurance. It's the manual reading, the comparing-against-requirements, and the calendar math - done by hand, over and over, with no record of who checked what.

What you'll build

A private internal tool, just for your team, that turns COI tracking into a calm, repeatable workflow:

  • Upload a COI (PDF or image) and the AI reads the key facts: coverage types, limits, policy effective and expiration dates, and whether additional-insured / waiver-of-subrogation language is present.
  • Compare against your minimums - the tool flags gaps automatically (limit too low, coverage missing, no additional-insured endorsement).
  • A human verifies and approves - you confirm what the AI extracted against your actual requirements before the vendor is ever marked "insurance compliant." Nothing changes status on the AI's say-so alone.
  • Automatic reminders - Resend emails you (and whoever owns the vendor) ahead of each expiry, and nudges you on open deficiencies.
  • A full history - every COI file is kept, every status change is logged, and you can export the whole compliance matrix as a CSV.

What's inside the Implementation Plan

The plan is a complete, paste-and-go runbook. It opens by interviewing you about your business - your vendor types, your required-coverage rules, the exact way your COIs and policies are named and structured, your typical and peak volumes, and your messy edge cases (blanket additional-insured wording, multiple policies on one certificate, mid-term endorsements). It reads a short tailored spec back to you, you give it a thumbs-up, and only then does it build a tool shaped to how you actually work - not a generic template.

From there it walks you, step by step, through standing up the database, the upload-and-extract screen, the requirements rules, the human review-and-approve gate, the reminder emails, and the CSV export. Every step ends with a ready-to-copy prompt you paste into your AI coding agent.

The governance it includes (this is the point)

This isn't a toy. The plan bakes in the controls a risk or compliance team actually needs:

  • Login so only your team can use the tool.
  • Row-level security so each organization only ever sees its own vendors and COIs.
  • A complete audit trail - who extracted, who verified, who approved, and exactly when.
  • A hard human-in-the-loop approval gate - the AI drafts the extracted coverages; a person reviews and approves before any vendor is written as "compliant."
  • Duplicate guards - the same vendor + policy period can't be logged twice.

Who it's for

Contract managers, procurement teams, and risk professionals who require vendors to carry adequate insurance and are tired of tracking it by hand. If you can write a clear sentence about your requirements, you can build this - no coding background needed.

You've got this - paste the first prompt and let the interview tailor it to your business.

Gated download

Enter your email — the plan downloads instantly and a copy lands in your inbox.

By submitting your email you'll also receive the weekly runbookify newsletter. You can unsubscribe at any time.