My preference would be to find a different vendor.
I consider a vendor who requires sysadmin (or other server role) or dbo access for the normal application login to be incompetent. Also, vendors who require SQL Server logins for their application, especially with vendor-supplied passwords that cannot be changed.