Your vendors are your attack surface. Own it.
We build (or run) your third-party risk program: vendor inventory, tiered assessments, DPA/BAA/SCC review, and a monitoring cadence that satisfies auditors and regulators.
Fixed pricing in USD · NDA before scoping · Senior engineers only
Everything you get with Third-Party & Vendor Risk Assessment.
Vendor inventory & risk tiering
Every vendor mapped to data access, criticality, and inherent risk tier.
Tiered security assessments
SIG Lite / SIG Core / custom questionnaires by tier — plus evidence review for high tiers.
Contract, DPA, and SCC review
Security schedules, breach clauses, subprocessor obligations, cross-border transfer terms.
Continuous monitoring
External attack surface monitoring on critical vendors — new subdomains, breaches, leaks.
Program & workflow design
Onboarding runbook, reassessment cadence, and escalation paths — auditor-ready.
How the engagement runs.
Inventory & Tiering
Complete vendor inventory, data access mapping, and inherent risk tiering.
Assessments & Contract Review
Questionnaires, evidence review, and contract/DPA review by tier.
Program Handover
Runbooks, reassessment schedule, and monitoring tools handed to your team.
What lands in your inbox.
- Complete vendor inventory with risk tiers
- Assessment reports for tier-1 and tier-2 vendors
- Contract, DPA, and SCC redline summaries
- Vendor risk register
- Ongoing monitoring runbook