Each vendor record carries continuity dependencies, security posture, DPA status and NIS2/DORA artefacts. One register feeds ISMS, BCMS and DSMS.
The challenge
Vendor security usually means a folder of returned questionnaires, a spreadsheet of contract dates, and a vague sense of which suppliers would actually hurt if they went down. The DPAs are in legal's drive, the sub-processor list is on someone's laptop, and when DORA or NIS2 asks for a register of ICT providers, you assemble it from scratch against a deadline. The information exists; it just never lives in one place.
A supplier is not one risk but several at once. They hold your data, they sit in your recovery path, and they carry their own sub-processors behind them. Track those facts in separate tools and a contract change can quietly break your GDPR position while your continuity plan still assumes the old setup. One record per vendor, linked to the assets and processes that depend on it, is the only way the picture stays straight.
Benefits at a glance
All suppliers, cloud providers and service partners sit in one searchable register. Each record carries contract status, risk classification, DPA state, continuity dependency and the assets or processes that rely on the vendor.
Send pre-built or custom questionnaires and track responses inside KaitoSec. Completed assessments are scored automatically, linked to the vendor risk profile and converted into follow-up tasks where action is needed.
DPAs, sub-processor lists, standard contractual clauses and contractual SLAs live on the vendor record. KaitoSec alerts owners before agreements expire and when a scope change affects GDPR, NIS2 or DORA exposure.
How it works
A composite risk score combines questionnaire results, the criticality of the data the vendor handles, the continuity dependency they create and the contractual safeguards in place. Scores update as new evidence is received.
Sub-processors are linked to the parent vendor and to the processing activities they touch in your record of processing. The GDPR Article 28 chain of accountability stays explicit without parallel spreadsheets.
Generate the ICT third-party register required by DORA and supply-chain artefacts expected under NIS2. Vendor risk findings, continuity dependencies and incident logs are mapped to the relevant articles, ready for supervisory reporting.
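The three points above describe one data model: a vendor record that carries data criticality, continuity dependency, assessment evidence and DPA state, linked to its sub-processors and the processing activities they touch. The script below is an added illustration of that model, not KaitoSec code. The 0-3 criticality scales, the score weights, the 90-day alert horizon, the 50-point "critical" threshold and the four sample vendors are all assumptions made for the demo; the register walk over sub-processors is cycle-safe so that a mutual sub-processing arrangement cannot loop.

```python
"""Illustrative vendor register: composite score, Article 28 chain walk,
DPA expiry alerts and a register export. Added example, not KaitoSec code.
All weights, scales and sample data below are assumptions for the demo."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Vendor:
    name: str
    data_criticality: int            # 0-3, criticality of data the vendor handles (assumed scale)
    continuity_dependency: int       # 0-3, impact if the vendor goes down (assumed scale)
    questionnaire_score: float       # 0.0-1.0 from the last assessment, 1.0 = fully satisfactory
    dpa_expires: Optional[date]      # None = no DPA on file
    sub_processors: List[str] = field(default_factory=list)
    processing_activities: List[str] = field(default_factory=list)


# Hypothetical weights: more exposure and weaker evidence push the score up.
WEIGHTS = {"data": 0.35, "continuity": 0.35, "questionnaire": 0.20, "contract": 0.10}


def composite_score(v: Vendor, today: date) -> float:
    """Composite risk on a 0-100 scale. A valid DPA counts as the contractual safeguard."""
    data = v.data_criticality / 3
    cont = v.continuity_dependency / 3
    quest = 1.0 - v.questionnaire_score
    contract = 0.0 if (v.dpa_expires and v.dpa_expires >= today) else 1.0
    raw = (WEIGHTS["data"] * data + WEIGHTS["continuity"] * cont
           + WEIGHTS["questionnaire"] * quest + WEIGHTS["contract"] * contract)
    return round(100 * raw, 1)


def processor_chain(register: Dict[str, Vendor], root: str) -> List[str]:
    """Walk the Article 28 chain: the vendor, its sub-processors, theirs, and so on.
    Tracks visited names so a cyclic sub-processing arrangement cannot loop."""
    seen, order, stack = set(), [], [root]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        order.append(name)
        stack.extend(reversed(register[name].sub_processors))
    return order


def chain_gaps(register: Dict[str, Vendor], activity: str, today: date) -> List[str]:
    """Every processor touching `activity`, directly or behind a parent, without a valid DPA."""
    gaps = set()
    roots = [n for n, v in register.items() if activity in v.processing_activities]
    for root in roots:
        for name in processor_chain(register, root):
            v = register[name]
            if v.dpa_expires is None or v.dpa_expires < today:
                gaps.add(name)
    return sorted(gaps)


def expiring_dpas(register: Dict[str, Vendor], today: date,
                  within_days: int = 90) -> List[Tuple[str, date]]:
    """DPAs that expire inside the alert horizon, so owners get warned before the lapse."""
    horizon = today + timedelta(days=within_days)
    return sorted((n, v.dpa_expires) for n, v in register.items()
                  if v.dpa_expires and today <= v.dpa_expires <= horizon)


def ict_register(register: Dict[str, Vendor], today: date,
                 critical_threshold: float = 50.0) -> List[dict]:
    """Rows for an ICT third-party register, ranked by score, with the full sub-processor chain."""
    rows = []
    for n, v in register.items():
        s = composite_score(v, today)
        rows.append({"vendor": n, "score": s, "critical": s >= critical_threshold,
                     "sub_processors": processor_chain(register, n)[1:]})
    return sorted(rows, key=lambda r: -r["score"])


# Constructed sample register (hypothetical vendors and dates).
TODAY = date(2025, 6, 1)
REGISTER = {
    "cloud-host":   Vendor("cloud-host",   3, 3, 0.9, date(2026, 1, 31), ["dc-operator"], ["customer-db"]),
    "dc-operator":  Vendor("dc-operator",  2, 3, 0.7, None,              [],              []),
    "payroll-saas": Vendor("payroll-saas", 3, 1, 0.6, date(2025, 7, 15), ["email-relay"], ["payroll"]),
    "email-relay":  Vendor("email-relay",  1, 1, 0.8, date(2027, 3, 1),  [],              []),
}

if __name__ == "__main__":
    for row in ict_register(REGISTER, TODAY):
        print(row)
    print("Article 28 gaps for customer-db:", chain_gaps(REGISTER, "customer-db", TODAY))
    print("DPAs expiring within 90 days:", expiring_dpas(REGISTER, TODAY))
```

Running it shows the point the section makes about linked records: cloud-host has a valid DPA and a strong questionnaire, yet the customer-db activity still has an Article 28 gap because its sub-processor dc-operator has no DPA on file; that gap is invisible if the DPA list and the sub-processor list live in different tools.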