Assess vendors, keep contracts register-ready, expose subcontractor chains, calculate concentration risk daily and plan the exit. Built along the EBA outsourcing requirements, on one data layer with ISMS, BCM and Assessment. Hosted in Germany.
Book a free demoThird-party risk is a question of evidence: who is critical, why, what does the contract say and what happens when the provider fails? The module answers that from maintained data instead of a spreadsheet nobody keeps current.
Seven mandatory factors per vendor: four impacts from 1 to 5 (financial, continuity, operational and legal, reputation) and four yes-no questions (authorised activities, internal control function, approval requirement, BRRD criticality). From these the system derives the rating standard, important or critical, with fixed escalation logic: an approval requirement or BRRD criticality always leads to critical. The AI suggests a rating with reasoning per factor; people decide.
19 mandatory fields per contract, among them arrangement type, function category, notice periods, countries of data processing, annual cost, substitutability and reintegration time. From these the platform produces an exportable register snapshot as JSON or CSV for supervisors; notifications to authorities are documented with timestamp and note. Contracts run through the states draft, active, expiring, expired.
The AI reads the contract PDF and extracts SLA commitments, liability caps, audit rights, data protection clauses and exit provisions, checked against your configurable requirement policies. Every finding goes into a manual review where it is confirmed or corrected. This is a screening tool and does not replace legal review.
Multi-level chains with server-calculated chain depth and automatic cycle detection, so circular relationships surface instead of staying hidden. Changes to a chain run as a request with approval, objection or withdrawal, not as a silent edit.
Structured review of business model, financial strength, ownership structure and regulatory status, extended for critical functions by continuity planning, internal controls and ESG. Outcome: pass, pass with conditions, fail. Third-party evidence such as ISO 27001, SOC 2 or pentest reports is validated against scope coverage, recency, recognised standards and individual audit rights.
Periodic reviews with KPIs, KCIs and SLAs whose thresholds are checked directionally, plus automatic review scheduling. The concentration ratio is calculated daily per vendor and tracked in levels from low to critical. Exit strategies record triggers, resource and cost estimates, duration and the link to the BCM plan.
The module is built along the EBA outsourcing requirements, paragraph by paragraph. What is a draft, we call a draft.
Three constellations in which the vendor list in a spreadsheet becomes a liability question.
Own the register towards supervisors and must be able to export at any time. 19 mandatory fields per contract, a register snapshot at the push of a button, documented authority notification with timestamp instead of a folder full of contracts and emails.
See individual vendors but not the cluster risk behind them. A daily concentration ratio per vendor, substitutability from easy to impossible and subcontractor chains with depth calculation make visible what operations really depend on.
Must evidence that vendor risks are managed, not just asserted. Critical ratings automatically create threat scenarios in the BCM module, vendor risks hang on assets and incidents in the ISMS. The evidence emerges from operations.
The TPRM module shares the data layer, permission model and audit trail with the ISMS (ISO 27001), BCM (ISO 22301) and Assessment modules. That is exactly where the cross-links come from: a vendor rated critical creates a threat scenario in BCM, exit strategies link to BCM plans, and the ISMS asset dependency graph shows which systems depend on that provider. Licensing is modular: you can start with TPRM and extend when needed.
See the full platform