FRAMEWORKS  ·  HIPAA · PCI DSS 4.0 · SOC 2 TSC · ISO 27001:2022 · NIS2 · DORA

Two products · public prices · no sales call

Pick the one that matches your problem.

AI-generated vendor security assessments when you need to evaluate one vendor. The full vendor management system when your auditor needs the whole portfolio.

01 / VENDOR ASSESSMENTS

PURE PLG

"Should we sign with this vendor?"

A 30-minute security assessment per vendor.

Submit a URL. The research agent pulls the trust center, privacy policy, SOC 2 reports, CVE feed. 11 structured sections contextualized to your IdP, MDM, and compliance regime. Findings reference your stack by name.

  • 11 structured sections per assessment
  • Contextualized to your IdP, MDM, and compliance regime
  • CRITICAL → POSITIVE findings with remediation
  • PDF / Markdown / Confluence / Notion / Jira export
  • From URL to signed-off assessment in under 30 minutes

Free

1 review / month · then $49.99/mo · or $12.99/assessment PAYG

Most companies pick this

02 / VMS — VENDOR MANAGEMENT SYSTEM

"We have an auditor in 6 months."

The whole portfolio. Audit-ready by default.

Portfolio with tier auto-scoring. HIPAA BAA & PCI AoC expiry tracking. Sub-processor concentration. Continuous monitoring. 12-section evidence pack (SHA-256 sealed). Quarterly board report. Assessments included.

  • Everything in Assessments — all 11 sections, all exports
  • Vendor portfolio · lifecycle · tier auto-scoring
  • HIPAA BAA · PCI AoC · SOC 2 · ISO 27001 mapping
  • 12-section audit evidence pack · SHA-256 sealed
  • Quarterly board / management report
  • NIS2 24h/72h/30d incident tracker (when you need it)

$199

/month · Starter · 25 vendors · 20 assessments/mo · 14-day free trial

both products run on the same AI engine · full pricing → · open the demo →

12 assessments generated · 14 vendors in library · 6 compliance frameworks · 12 evidence-pack sections

01 / Portfolio

Vendors as first-class records, not spreadsheet rows.

Tier 1/2/3 auto-scored from weighted factors including data sensitivity, system access, business criticality, and geography. Lifecycle states with an immutable transition timeline. PHI and CHD flags drive the right downstream tracking: BAA required, AoC due, sub-processor register populated.

Lifecycle states
prospect → onboarding → active → in_review → offboarded
Scoring inputs
5 weighted factors, formula-versioned
Regulatory flags
phi_handling · chd_handling · needs_baa · needs_pci_aoc
Audit trail
Append-only lifecycle events with actor + timestamp

Maps to: NIS2 Art. 20-21 · NIST CSF 2.0 GV.SC-04 · ISO 27001 A.5.19/A.5.20 · HIPAA § 164.308(b)(1) · PCI DSS 4.0 Req. 12.8.1
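A worked example of the auto-scoring described above, added here as illustration and not taken from Vensider's code. The weights, the 0-100 lookup tables, the tier thresholds and the fifth factor (sub-processor count) are assumptions, since the page names four factors and a weight count of five. What it shows is the part an auditor cares about: every score record carries its inputs and a formula version, and the PHI/CHD flags drive the BAA/AoC requirements independently of the weighted number.

```python
from dataclasses import dataclass

FORMULA_VERSION = "tier-v1"  # assumed version label, stored with every score

# Factor weights (assumed); each factor is scored 0-100 and the weights sum to 1.0.
WEIGHTS = {
    "data_sensitivity": 0.35,
    "system_access": 0.25,
    "business_criticality": 0.20,
    "geography": 0.10,
    "sub_processor_count": 0.10,  # assumed fifth factor; the page names only four
}

# Lookup tables (assumed) turning categorical record fields into 0-100 scores.
DATA_SENSITIVITY = {"public": 0, "internal": 30, "confidential": 60, "regulated_pii": 90, "phi": 100, "chd": 100}
SYSTEM_ACCESS = {"none": 0, "read_only": 40, "read_write": 70, "admin": 100}
CRITICALITY = {"low": 20, "medium": 55, "high": 100}


@dataclass
class Vendor:
    name: str
    data_classification: str
    system_access: str
    business_criticality: str
    processes_outside_eu: bool
    sub_processors: int
    phi_handling: bool = False
    chd_handling: bool = False


@dataclass
class TierResult:
    score: int
    tier: int
    formula_version: str
    flags: dict
    inputs: dict


def score_vendor(v: Vendor) -> TierResult:
    inputs = {
        "data_sensitivity": DATA_SENSITIVITY[v.data_classification],
        "system_access": SYSTEM_ACCESS[v.system_access],
        "business_criticality": CRITICALITY[v.business_criticality],
        "geography": 75 if v.processes_outside_eu else 25,
        "sub_processor_count": min(100, v.sub_processors * 15),
    }
    score = round(sum(WEIGHTS[k] * inputs[k] for k in WEIGHTS))
    # Tier thresholds are assumed. A vendor touching PHI or cardholder data is never Tier 3,
    # because those records need BAA / AoC tracking regardless of the weighted score.
    tier = 1 if score >= 70 else 2 if score >= 40 else 3
    if (v.phi_handling or v.chd_handling) and tier == 3:
        tier = 2
    flags = {
        "phi_handling": v.phi_handling,
        "chd_handling": v.chd_handling,
        "needs_baa": v.phi_handling,      # HIPAA business associate agreement
        "needs_pci_aoc": v.chd_handling,  # PCI DSS Attestation of Compliance
    }
    # inputs and formula_version travel with the score so an auditor can re-derive it later,
    # even after the weights change in a newer formula version.
    return TierResult(score, tier, FORMULA_VERSION, flags, inputs)


if __name__ == "__main__":
    datadog = Vendor("Datadog", "regulated_pii", "read_only", "high", True, 6)  # constructed record
    print(score_vendor(datadog))
```

Keeping `inputs` and `formula_version` on the result is what makes a score from last year explainable after the weights have been retuned; without them the number on the board report cannot be reproduced.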

Datadog · datadoghq.com · added 2025-08-14 · TIER 1 · ACTIVE
Inherent risk 82/100 · Open risks 3 · Sub-processors 6 · Docs expiring 1
Internal owner Sarah Chen (Security)
Data classification regulated_pii
System access read_only
Next reassessment due 2026-06-12 (19 days)
Last lifecycle event in_review → active · 2026-03-12

Monitoring queue (/portfolio/monitoring) · 7 unacknowledged
CRITICAL · CVE-2026-30420 — actions/checkout RCE in untrusted PRs · 2026-05-23 · GitHub · cve
HIGH · Public disclosure: customer log exposure incident · 2026-05-21 · Datadog · breach
MED · Privacy policy diff: added new sub-processor (Anthropic) · 2026-05-19 · Stripe · policy_change
MED · us-east-1 build outage — 2h13m, RCA pending · 2026-05-18 · Vercel · status_outage
LOW · SecurityScorecard rating: 88 → 82 · 2026-05-17 · Notion · rating_change

02 / Continuous monitoring

One queue. Every signal that touches your portfolio.

Sub-processors extracted from each AI assessment. Policy-change diffs every 14 days. CVE alerts, breach signals, status-page outages, rating changes. All in one chronological feed with audit-logged acknowledgement per row.

Signal types
cve · breach · policy_change · status_outage · rating_change
Refresh cadence
Policy: 14d · CVE: 1h · Breach: realtime
Blast-radius view
Per sub-processor, list every vendor that depends on it
Ack trail
Audit log with user, timestamp, optional note

03 / NIS2 incident tracker

24 hours. 72 hours. One month. Don't miss any.

NIS2 Article 23 sets three deadlines: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours of becoming aware, and a final report no later than one month after that notification is submitted (the tracker counts it as T+30d). Per-country CSIRT directory for all 27 EU member states. Pre-filled regulator drafts in Markdown: review, edit, file.

Deadlines tracked
T+24h · T+72h · T+30d
CSIRT directory
27 EU member states + UK
Draft generation
3 regulator-facing templates, Markdown
Cross-border
Per-incident affected-jurisdictions list

Maps to: NIS2 Art. 23 · HIPAA § 164.410 · NIST CSF 2.0 GV.SC-08
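Deadline arithmetic for the three Article 23 clocks, as an added example and not the product's code. It assumes a calendar-month reading of "one month" and an Incident record that stores each filing timestamp. The point it makes is that the final-report deadline is anchored to the actual submission of the 72-hour notification, so it moves once that notification is filed; a tracker that counts it from detection only is showing a proxy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import calendar


def iso(s: str) -> datetime:
    """Parse a constructed 'YYYY-MM-DDTHH:MM' string as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def add_one_month(t: datetime) -> datetime:
    """Same day-of-month one month later, clamped to the shorter month (assumed reading of 'one month')."""
    year = t.year + t.month // 12
    month = t.month % 12 + 1
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def fmt_remaining(d: timedelta) -> str:
    """Hours-only under three days (the page's 47h32m style), days beyond that."""
    total_min = int(d.total_seconds() // 60)
    days, rem = divmod(total_min, 24 * 60)
    if days < 3:
        return f"{total_min // 60}h{total_min % 60}m"
    return f"{days}d{rem // 60}h{rem % 60}m"


@dataclass
class Incident:
    incident_id: str
    aware_at: datetime  # Art. 23 clocks start at awareness, not at the breach itself
    early_warning_sent_at: Optional[datetime] = None
    notification_sent_at: Optional[datetime] = None
    final_report_sent_at: Optional[datetime] = None

    def deadlines(self) -> dict:
        early = self.aware_at + timedelta(hours=24)
        notif = self.aware_at + timedelta(hours=72)
        # The final report is due one month after the notification is actually submitted.
        # Until it is, project from the latest lawful submission time; this is an upper
        # bound that can only move earlier once the notification is filed.
        anchor = self.notification_sent_at or notif
        return {"early_warning": early, "notification": notif, "final_report": add_one_month(anchor)}

    def status(self, now: datetime) -> dict:
        sent = {
            "early_warning": self.early_warning_sent_at,
            "notification": self.notification_sent_at,
            "final_report": self.final_report_sent_at,
        }
        out = {}
        for name, due in self.deadlines().items():
            if sent[name] is not None:
                out[name] = "LATE" if sent[name] > due else "SENT"
            elif now > due:
                out[name] = "OVERDUE"
            else:
                out[name] = "pending " + fmt_remaining(due - now)
        return out


if __name__ == "__main__":
    # Constructed incident using the timestamps from the INC-241 card above.
    inc = Incident("INC-241", iso("2026-05-22T18:14"), early_warning_sent_at=iso("2026-05-23T16:02"))
    print(inc.deadlines())
    print(inc.status(iso("2026-05-23T18:42")))
```

Storing `aware_at` rather than the first log timestamp matters: the 24h and 72h clocks run from awareness, and an incident back-dated to the earliest forensic evidence will show as already late.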

Unauthorized access — Datadog · INC-241 · detected 2026-05-22 18:14 UTC · SIGNIFICANT

Early warning — T+24h · filed 2026-05-23 16:02 · 2h12m before deadline · SENT
Notification — T+72h · due 2026-05-25 18:14 · 47h32m remaining
Final report — T+30d · due 2026-06-21 18:14 · 28d23h remaining · pending

CSIRT · BSI CERT-Bund · [email protected] · accepts English

Audit Evidence Pack · Datadog · Generated 2026-05-24 · sealed · SHA-256: a3f9…b201

§6 Sub-processors · 6 sub-processors registered · 0 unconfirmed
Satisfies: NIST CSF 2.0 GV.SC-04 · NIS2 Art. 21 · ISO 27001:2022 A.5.21 · HIPAA Security Rule § 164.308(b)(2)

§7 Incidents · 2 vendor-notified · 0 SLA breaches
Satisfies: NIST CSF 2.0 GV.SC-08 · NIS2 Art. 21/23 · SOC 2 TSC CC2.3/CC7.3 · HIPAA Security Rule § 164.314(a)(2)(i)(C) · § 164.410

§9 Contract · MSA · ends 2027-08-14 · 60d notice · BAA executed
Satisfies: NIST CSF 2.0 GV.SC-05 · NIS2 Art. 21 · HIPAA Security Rule § 164.314(a)(1) · § 164.308(b)(3) · PCI DSS 4.0 Req. 12.8.2/12.8.5/12.9.1

12 sections · 8 mapped frameworks · Download JSON · Print PDF

04 / Audit evidence pack

One click. Twelve sections. Hash-sealed.

Per-vendor, on demand. Every section cites the controls it satisfies, framework-prefixed, always. Coverage matrix in the appendix shows which controls map where. JSON and printable HTML; the SHA-256 is computed over the canonical JSON at generation time, so a pack handed to an auditor later can be re-hashed and checked against the digest recorded when it was sealed.

Sections
Vendor · Intake · Tier · Assessments · Risks · Sub-procs · Incidents · Docs · Contract · HIPAA · PCI · Lifecycle · Cadence
Output formats
application/json · text/html (printable)
Sealing
SHA-256 over canonical JSON
Mapping registry
Versioned YAML, lint-enforced prefixes
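How a SHA-256 seal over canonical JSON works in practice, as an added example and not Vensider's implementation; the pack layout and the `seal` key are assumptions. Canonicalisation is what makes the digest reproducible: the same pack serialised with keys in a different order yields the same hash, while a one-field change does not.

```python
import copy
import hashlib
import hmac
import json


def canonical_json(obj) -> bytes:
    """Deterministic serialisation: sorted keys, no whitespace, ASCII-escaped, UTF-8 bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode("utf-8")


def seal(pack: dict) -> dict:
    """Return a copy of `pack` with a `seal` block whose digest covers everything except the seal itself."""
    body = {k: v for k, v in pack.items() if k != "seal"}
    digest = hashlib.sha256(canonical_json(body)).hexdigest()
    sealed = copy.deepcopy(body)
    sealed["seal"] = {"alg": "SHA-256", "digest": digest}
    return sealed


def verify(sealed: dict) -> bool:
    """Recompute the digest over the body and compare it to the embedded one in constant time."""
    s = sealed.get("seal") or {}
    if s.get("alg") != "SHA-256" or not isinstance(s.get("digest"), str):
        return False
    body = {k: v for k, v in sealed.items() if k != "seal"}
    actual = hashlib.sha256(canonical_json(body)).hexdigest()
    return hmac.compare_digest(actual, s["digest"])


def short_digest(sealed: dict) -> str:
    """The a3f9…b201 style shown on the evidence-pack card: first and last four hex digits."""
    d = sealed["seal"]["digest"]
    return f"{d[:4]}…{d[-4:]}"


if __name__ == "__main__":
    # Constructed pack fragment modelled on the §6/§9 cards above.
    pack = {
        "vendor": "Datadog",
        "generated": "2026-05-24",
        "sections": {"6": {"registered": 6, "unconfirmed": 0}, "9": {"contract": "MSA", "baa_executed": True}},
    }
    sealed = seal(pack)
    print(short_digest(sealed), verify(sealed))
```

An embedded digest catches corruption and accidental edits, but anyone who can edit the JSON can recompute it. For chain of custody the digest has to be recorded somewhere the editor cannot reach, such as the value shown in the UI at generation time or an audit ticket, or the pack has to be signed rather than merely hashed.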

05 / Board report

The NIS2 Art. 20 deliverable, on demand.

Quarterly snapshot for the management body. Headline portfolio stats, trend deltas vs prior quarter, tier-1 vendor table, overdue items, sub-processor concentration, decisions requested. Snapshots are immutable — the numbers presented to the board stay frozen regardless of subsequent portfolio changes.

Sections
Headline · Trends · Tier-1 table · Overdue · Incidents · Sub-procs · Decisions
Immutability
Snapshot JSON + rendered HTML stored on generation
Quarter-over-quarter
Auto-diff against prior period
Delivery
Browser print → PDF · Standalone template

Maps to: NIS2 Art. 20 (management body oversight) · NIST CSF 2.0 GV.OV

Vendor Management · Board Report · Q2 2026 · Generated 2026-05-24 · Acme Inc.

Total vendors 14 (+2 vs Q1) · Tier 1 3 (+1 vs Q1) · Active 12 (+2 vs Q1)

Decisions requested
  • Approve onboarding of 1 Tier 1 vendor currently in onboarding
  • Review 3 overdue reassessment(s) — confirm cadence or grant exception

Report ID: brep_a8f3c01 · NIS2 Art. 20 (management body)

Coverage matrix

Every section. Every framework. Auditable.

A YAML registry binds each evidence-pack section to control IDs from six frameworks. A lint test fails CI if any rendered reference lacks a framework prefix.

Full coverage page →
Section               | NIS2         | NIST CSF 2.0        | HIPAA               | PCI DSS 4.0         | ISO 27001:2022 | SOC 2 TSC
Vendor inventory      | Art. 20/21   | GV.SC-04            | § 164.308(b)(1)     | Req. 12.8.1         | A.5.19/A.5.20  | CC9.2
Tier rationale        | Art. 21.2(d) | GV.SC-04/ID.RA-01   | -                   | Req. 12.8.3         | -              | CC9.1
Intake answers        | Art. 21.2(a) | ID.RA-04            | -                   | -                   | A.5.23         | CC9.1
Assessments           | Art. 21      | GV.SC-07            | -                   | Req. 12.8.4         | A.5.22         | -
Risks                 | Art. 21      | ID.RA-04            | -                   | -                   | A.5.20         | CC9.1
Sub-processors        | Art. 21      | GV.SC-04            | § 164.308(b)(2)     | -                   | A.5.21         | -
Incidents             | Art. 21/23   | GV.SC-08            | § 164.314/410       | -                   | -              | CC2.3/CC7.3
Documents             | Art. 21      | GV.SC-05            | § 164.314(a)        | Req. 12.8.2         | A.5.22         | -
Contract              | Art. 21      | GV.SC-05            | § 164.314/308(b)    | Req. 12.8.2/12.9.1  | -              | -
Lifecycle audit       | Art. 20/21   | GV.OV               | -                   | -                   | A.5.22         | CC3.4
Reassessment schedule | Art. 20/21   | GV.SC-09            | -                   | Req. 12.8.4         | A.5.22         | CC3.4

All references rendered through format_control() — banned-pattern lint enforces framework prefix.
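An added illustration of the renderer-plus-lint pattern described above; this is example code, not the project's own, and the registry shape, framework keys and regular expressions are assumptions. A single `format_control()` always emits the framework label first, and the lint scans rendered text for bare control-ID shapes that are not directly preceded by one of those labels, which is what lets CI reject a template that hard-codes "Art. 23" instead of going through the renderer.

```python
import re

# Framework labels that must precede every rendered control ID (keys assumed).
FRAMEWORK_LABELS = {
    "nis2": "NIS2",
    "nist_csf_2": "NIST CSF 2.0",
    "hipaa": "HIPAA",
    "pci_dss_4": "PCI DSS 4.0",
    "iso27001_2022": "ISO 27001:2022",
    "soc2": "SOC 2 TSC",
}

# Two rows of the coverage matrix above, in the shape a loaded YAML registry might take (assumed).
REGISTRY = {
    "registry_version": "2026-05",
    "sections": {
        "sub_processors": {
            "nis2": ["Art. 21"], "nist_csf_2": ["GV.SC-04"],
            "hipaa": ["§ 164.308(b)(2)"], "iso27001_2022": ["A.5.21"],
        },
        "incidents": {
            "nis2": ["Art. 21", "Art. 23"], "nist_csf_2": ["GV.SC-08"],
            "hipaa": ["§ 164.314", "§ 164.410"], "soc2": ["CC2.3", "CC7.3"],
        },
    },
}


def format_control(framework: str, control_id: str) -> str:
    """The only sanctioned way to turn a control ID into text: label first, always."""
    return f"{FRAMEWORK_LABELS[framework]} {control_id}"  # KeyError on an unknown framework is intentional


def render_section(section: str) -> str:
    mapping = REGISTRY["sections"][section]
    return "Satisfies: " + " · ".join(format_control(fw, cid) for fw, ids in mapping.items() for cid in ids)


# Bare-ID shapes for the six frameworks; any hit without a label in front is a lint failure.
BARE_PATTERNS = [
    r"(?<![\w.])Art\.\s?\d+",                             # NIS2 article
    r"(?<![\w.])(?:GV|ID|PR|DE|RS|RC)\.[A-Z]{2}-\d{2}",  # NIST CSF 2.0 outcome
    r"(?<![\w.])§\s?164\.\d{3}",                          # HIPAA section
    r"(?<![\w.])Req\.\s?\d+\.\d+",                        # PCI DSS requirement
    r"(?<![\w.])A\.5\.\d{1,2}",                           # ISO 27001:2022 Annex A control
    r"(?<![\w.])CC\d\.\d",                                # SOC 2 TSC criterion
]
_LABEL_BEFORE = re.compile(r"(?:" + "|".join(re.escape(l) for l in FRAMEWORK_LABELS.values()) + r")\s$")


def lint_rendered(text: str) -> list:
    """Return every control reference in `text` not directly preceded by a framework label."""
    bad = []
    for pat in BARE_PATTERNS:
        for m in re.finditer(pat, text):
            if not _LABEL_BEFORE.search(text[: m.start()]):
                bad.append(m.group(0))
    return bad


def lint_registry() -> list:
    """CI gate: render every registered section and lint the output; non-empty means fail."""
    return [f"{s}: {ref}" for s in REGISTRY["sections"] for ref in lint_rendered(render_section(s))]


if __name__ == "__main__":
    print(render_section("incidents"))
    print("lint:", lint_registry() or "clean")
```

The lint deliberately runs on rendered output rather than on the registry, so a hand-written template string that bypasses `format_control()` is caught the same way as a registry error.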

The onboarding engine

Every vendor enters the portfolio with a real 11-section assessment.

Submit a URL. We pull the trust center, privacy policy, SOC 2 reports, CVE feed, and recent news. Findings are contextualized to your IdP, MDM, and compliance obligations — not generic. Sub-processors land in the portfolio; monitoring subscriptions open automatically.

GitHub Copilot · github.com/features/copilot · reviewed 2026-04-21
2 CRIT · 3 HIGH · 2 MED · 0 LOW · 2 POS · NOT APPROVED

CRITICAL · Source code transmitted to OpenAI for inference
Copilot sends code context to OpenAI's API on every completion. Includes proprietary logic, internal architecture, and potentially secrets. Source code leaves your control boundary on every suggestion.

CRITICAL · No confirmed opt-out from AI model training
Copilot Individual may use code for model improvement. The DPA does not explicitly prohibit metadata/usage patterns for training. Under your GDPR obligations, the lawful basis is unclear.

HIGH · No GDPR DPA covering OpenAI sub-processing found
GitHub's standard DPA covers GitHub's processing. A separate DPA addendum for Copilot AI sub-processing via OpenAI was not found publicly — a gap under GDPR Article 28.

See the full 11-section report in the demo →

Comparison

Built for what's between a spreadsheet and a six-figure contract.

Capability · Spreadsheet · Vanta / Drata · OneTrust / Prevalent · Vensider.io
Vendor portfolio with auto-tiering · partial
Sub-processor concentration view
AI-generated security assessments
NIS2 24h/72h incident tracker · partial
Multi-framework control mapping · manual · compliance-only
Quarterly board pack · manual
Hash-sealed audit evidence pack · partial
Time to first vendor onboarded · hours · days · weeks · ~5 min
Annual cost (50-vendor portfolio) · $0 + analyst time · $8k–$24k · $15k–$50k · free–$49/mo

Customer notes

From operators running the system.

All reviews →

Solid tool, would like more vendor index coverage

"The review quality for major SaaS vendors is excellent. A few niche tools we use aren't in the vendor index yet, but the free-form review still works well. Support was helpful when I had questions about the HIPAA BAA coverage."

Alex C. · IT operations

Best ROI of any security tool we've bought this year

"I've evaluated a lot of vendor risk tools. Vensider.io is the first one where the output is immediately usable. No tuning, no configuration, no consultant. The risk register export alone saves us hours of work per quarter."

Tom B. · CISO / security strategy

Great for a lean security team with no dedicated GRC

"We're a 30-person startup and can't justify a full GRC platform. Vensider.io sits in the sweet spot — proper depth, reasonable price. Would love a Jira integration to auto-create tickets from action items."

Priya M. · Startup security compliance

Pricing

No sales calls. No contracts. No minimum commitments.

Plan Price Includes

Free

$0

forever

  • 1 review / month
  • Standard report template
  • Vendor index access
  • Company profile
  • PDF export
  • Markdown export
Get started →

Pro

MOST POPULAR

$49.99

per month

  • 5 reviews / month
  • Customizable template
  • Confluence & Notion export
  • Policy change monitoring
  • CVE & breach alerts
  • AI sub-processor flagging
Start free trial →

Team

$99.99

per month

  • 11 reviews / month
  • Shared vendor library
  • Analyst review gate
  • Risk register dashboard
  • Slack, Jira & Teams
  • Branded PDF reports
Start free trial →

Pay-as-you-go

$12.99

/ assessment

1 assessment credit. No subscription. Good for trying the engine before committing. Buy 1 assessment →

Full feature comparison →

Start managing your vendor portfolio.

free · no credit card · ~5 min to your first vendor