VendorTrace.io
Your vendor's DPA lists 4 sub-processors. Their infrastructure shows 23. VendorTrace gives your compliance team objective, timestamped evidence of what each vendor is actually running — not what they choose to disclose.
“Your vendor listed 4 sub-processors. We found 23.”
Vendors fill in questionnaires and list a handful of sub-processors in their DPA. But a questionnaire is a self-portrait: it shows what the vendor chooses to disclose, not what's actually running. NIS2, GDPR, and DORA don't accept "we asked them and they said it was fine" as evidence.
A compliance workflow, not just a scan
From single vendor assessments to continuous portfolio monitoring. Built for DPOs, CISOs, and compliance teams who need evidence, not reports that sit in a drawer.
Assess what's actually running
Every subdomain, hosting provider, and third-party integration tied to a vendor domain — including the ones missing from their DPA. Your vendor's infrastructure shows who processes data. Their questionnaire shows who they want you to think does.
Surface geographic transfer signals
Before you sign a DPA, see which countries the vendor's endpoints are served from. Transfer signals give your legal team a concrete starting point for Schrems II TIAs and GDPR Article 46 assessments.
Monitor your vendor portfolio
Vendors change their infrastructure without telling you. Scheduled reassessments flag new third-party services, infrastructure moves, and geographic changes when they happen. Import your existing vendor list to start monitoring immediately.
Discover from your SaaS stack
Pull vendors from the systems that already track them. Google Workspace is live today, giving you every OAuth-authorised app in your tenant. Microsoft Entra ID, Okta, and spend platforms are planned.
Compliance signals & certifications
Automatic detection of ISO 27001, SOC 2, and NIS2-relevant certifications, plus GDPR transfer risk indicators. No waiting for a questionnaire response to verify a claim.
Audit-ready reports
Timestamped, exportable PDF reports providing defensible evidence for GDPR Article 28, NIS2 Article 21, DORA, and ISO 27001 compliance packages.
Built for Compliance Teams
NIS2, GDPR, and DORA require you to know your supply chain and prove it. VendorTrace builds the documentation: objective, timestamped, and independent of what vendors choose to disclose.
Build the evidence trail your compliance program needs
NIS2 supply chain risk registers. GDPR Article 28 sub-processor discovery. Schrems II transfer signals. DORA ICT third-party documentation. Objective, timestamped artifacts your legal team can rely on.
Free tier available, no credit card required.