Vendor software · 1 tool, 4 regulatory registers

Your vendors upload a document. Your 4 registers fill in by themselves.

Today, your vendor compliance looks like this: providers send their ISO 27001 and SOC 2 by email, someone opens them one by one, copies the information into 4 separate spreadsheets (GDPR Article 30, CSSF 22/806, DORA Register of Information, NIS 2 vendors), forgets the reminders, and rediscovers everything 11 months later when the audit approaches. Third Party Register reverses the logic: the vendor uploads their ISO 27001 on a dedicated portal, the AI reads it, identifies the document type, extracts the fields, and your 4 registers fill in live in front of you. The DPO and CISO no longer do the daily work; they validate the high-stakes decisions.

Main features

What the software actually does.

Vendor uploads, your register fills in live

Each vendor has a private space on the platform, with the list of documents you expect from them. They upload their ISO 27001: the AI identifies the certifier, certificate number, dates and scope, and fills in the vendor record before their eyes. They upload their SOC 2 Type II: the covered period, scope and exceptions are extracted. They upload their DPA: the Article 28 clauses are checked against your internal template. No more manual copy-pasting.

4 regulatory registers from a single source

All authorities ask for the same information about your vendors, but in 4 different formats: GDPR Article 30 for the CNPD, the CSSF 22/806 outsourcing register for the CSSF, the DORA Register of Information in the European authorities' ITS format, and NIS 2 vendors for the ILR. With Third Party Register, you enter the information once and generate each register in the expected format in two clicks. No more parallel spreadsheets drifting out of sync.

Risk score recalculates on its own

For each vendor, a 0-100 score aggregating 7 dimensions: data protection, cybersecurity, continuity, concentration, geopolitical, financial, contractual. Most importantly, it recalculates at every event: an expiring certification, a vendor-notified incident, a fresh adverse media mention, a European decision under NIS 2 Article 22, an update to the DORA CTPP list. The continuous monitoring the law requires becomes a reality, rather than an annual audit that misses things.

Never again an expired certification you discover 3 months later

When a vendor uploads an ISO 27001, the tool records the expiry date and automatically schedules a 90-day reminder. If no renewal arrives, escalation follows at D-60 (email to the vendor), D-30 (DPO in copy), D-15 (CISO notification), D-0 (score adjustment, non-compliance event) and D+30 (automatic mitigation plan proposal). You can no longer forget a renewal.
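The two mechanisms described above, the event-driven 7-dimension score and the D-90 to D+30 escalation calendar, as an added example that is not Third Party Register's own code. It assumes equal weight per dimension and a fixed penalty on the cybersecurity dimension when a certification lapses at D-0; the vendor data and the penalty size are constructed for illustration.

```python
"""Added example, not Third Party Register's own code: the D-90 ... D+30
escalation calendar from the text, and a 7-dimension 0-100 vendor score that
is recalculated when the D-0 stage fires. Assumptions: equal weight per
dimension, and a fixed penalty on the cybersecurity dimension at D-0."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# (label, day offset from expiry, action): the stages listed on the page
ESCALATION_STAGES = [
    ("D-90", -90, "reminder scheduled"),
    ("D-60", -60, "email to vendor"),
    ("D-30", -30, "DPO in copy"),
    ("D-15", -15, "CISO notified"),
    ("D-0", 0, "score adjusted, non-compliance event"),
    ("D+30", 30, "mitigation plan proposed"),
]

DIMENSIONS = ("data_protection", "cybersecurity", "continuity", "concentration",
              "geopolitical", "financial", "contractual")
D0_PENALTY = 40  # assumed: risk points added to cybersecurity when a cert lapses


def as_date(value) -> date:
    """Accept a date or an ISO string (extracted fields usually arrive as text)."""
    return value if isinstance(value, date) else date.fromisoformat(value)


@dataclass
class Vendor:
    name: str
    cert_expiry: date
    # per-dimension risk, 0 (low) to 100 (high); starting values are constructed
    dims: dict[str, int] = field(default_factory=lambda: {d: 10 for d in DIMENSIONS})
    fired: list[str] = field(default_factory=list)  # escalation stages already handled


def make_vendor(name: str, expiry_iso: str) -> Vendor:
    return Vendor(name, as_date(expiry_iso))


def escalation_schedule(expiry) -> list[tuple[date, str, str]]:
    """Dated escalation calendar (date, label, action) for one certification."""
    expiry = as_date(expiry)
    return [(expiry + timedelta(days=off), label, action)
            for label, off, action in ESCALATION_STAGES]


def current_stage(expiry, today) -> str | None:
    """Label of the latest stage whose date has been reached; None before D-90."""
    today = as_date(today)
    reached = [label for d, label, _ in escalation_schedule(expiry) if d <= today]
    return reached[-1] if reached else None


def risk_score(vendor: Vendor) -> int:
    """0-100 aggregate: equal-weight mean of the 7 dimensions (assumed weighting)."""
    vals = [min(100, max(0, vendor.dims[d])) for d in DIMENSIONS]
    return round(sum(vals) / len(vals))


def recalculate_on(vendor: Vendor, today) -> int:
    """Event-driven recalculation: fire every stage reached since the last run
    (an infrequent check never skips one), apply the D-0 penalty once, and
    return the new score."""
    today = as_date(today)
    for d, label, _action in escalation_schedule(vendor.cert_expiry):
        if d <= today and label not in vendor.fired:
            vendor.fired.append(label)
            if label == "D-0":
                vendor.dims["cybersecurity"] = min(100, vendor.dims["cybersecurity"] + D0_PENALTY)
    return risk_score(vendor)


def renew(vendor: Vendor, new_expiry) -> int:
    """A fresh certificate upload resets the calendar and lifts the D-0 penalty."""
    if "D-0" in vendor.fired:
        vendor.dims["cybersecurity"] = max(0, vendor.dims["cybersecurity"] - D0_PENALTY)
    vendor.fired.clear()
    vendor.cert_expiry = as_date(new_expiry)
    return risk_score(vendor)


if __name__ == "__main__":
    v = make_vendor("Example Cloud SA (constructed)", "2025-06-30")
    for day in ("2025-05-15", "2025-06-30", "2025-07-31"):
        print(day, current_stage(v.cert_expiry, day), recalculate_on(v, day), v.fired)
```

Firing every reached-but-unfired stage, rather than only the latest, is the detail that matters operationally: a recalculation triggered weeks late still records the D-30 and D-15 steps it skipped, so the audit trail stays complete.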

CSSF prior notification prepared in two clicks

Planning to outsource a critical or important function? The CSSF wants 3 months' advance notice, with a precise dossier (services rendered, location, scoring, exit plan). The tool builds this dossier from the data already captured; you review, e-sign and send. The same applies to vendor-related incident notifications (CNPD within 72h under GDPR, ILR within 24h under NIS 2, CSSF under DORA).

Dashboard adapted to each role

The DPO sees their GDPR obligations: pending DPAs, DPIAs to complete, non-EU vendors with their safeguards. The CISO sees cybersecurity: certifications, incidents, vulnerabilities. The compliance officer sees CSSF and DORA. Management sees the aggregates: top 10 risky vendors, concentration (alert if more than X% of critical functions sit with a single provider), geographic data locations, decisions to make. Everyone sees what concerns them.

Over 90% of daily work automated

Product target: over 90% of recurring vendor management work executed without human intervention. Document collection, reading, filing, register feeding, reminders, score recalculation: all automated. The DPO and CISO step in on the 10% that carries real stakes: validating a critical onboarding, approving a non-standard DPA, deciding on termination when the score exceeds 60, signing a CSSF notification.

Auditor in read-only mode, timestamped signed export

When the CSSF, CNPD, ILR or your auditor walks in, you give them read-only access to the platform. They browse your vendors, scores, decisions and proofs. If they want to take a file away, you generate a timestamped PDF export with a cryptographic signature. No 3-week audit prep, no stress.
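What a timestamped, integrity-protected export and the auditor's check on it look like in code, as an added example that is not Third Party Register's own code. It uses HMAC-SHA256 under a shared key as a stand-in for the asymmetric signature a real export would carry, and the record layout, key and timestamp are constructed.

```python
"""Added example, not Third Party Register's own code: a timestamped export of
vendor records for an auditor, with the integrity check the auditor runs on
receipt. HMAC-SHA256 under a shared key stands in for the asymmetric signature
a real export would carry; the records, key and timestamp are constructed."""
from __future__ import annotations
import copy
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample records; a real export would pull these from the register.
SAMPLE_RECORDS = [
    {"vendor": "Example Cloud SA", "score": 16, "cert": "ISO 27001",
     "cert_expiry": "2025-06-30", "decision": "mitigation plan requested"},
    {"vendor": "Example Payroll SARL", "score": 8, "cert": "SOC 2 Type II",
     "cert_expiry": "2026-01-31", "decision": "onboarding validated"},
]
ISSUED_AT = datetime(2025, 9, 1, tzinfo=timezone.utc)  # constructed issue time
DEMO_KEY = b"constructed-demo-key-not-for-production"


def canonical(obj) -> bytes:
    """Deterministic serialisation (sorted keys, no whitespace) so that the
    signer and the verifier hash byte-identical input."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def build_export(records: list[dict], key: bytes, issued_at: datetime) -> dict:
    """Bundle records with an issue timestamp, a content digest and a MAC over
    the canonical payload (timestamp included, so it cannot be altered either)."""
    if issued_at.tzinfo is None:
        raise ValueError("issued_at must be timezone-aware")
    payload = {"issued_at": issued_at.astimezone(timezone.utc).isoformat(),
               "records": records}
    body = canonical(payload)
    return {"payload": payload,
            "sha256": hashlib.sha256(body).hexdigest(),
            "hmac_sha256": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_export(export: dict, key: bytes) -> bool:
    """Auditor-side check: recompute digest and MAC with constant-time compares;
    any missing or malformed field counts as a failed verification."""
    try:
        body = canonical(export["payload"])
        digest_ok = hmac.compare_digest(hashlib.sha256(body).hexdigest(),
                                        export["sha256"])
        mac_ok = hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(),
                                     export["hmac_sha256"])
    except (KeyError, TypeError):
        return False
    return digest_ok and mac_ok


def tampered(export: dict) -> dict:
    """Copy of an export with one score lowered after signing, to show detection."""
    forged = copy.deepcopy(export)
    forged["payload"]["records"][0]["score"] = 5
    return forged


if __name__ == "__main__":
    exp = build_export(SAMPLE_RECORDS, DEMO_KEY, ISSUED_AT)
    print(exp["payload"]["issued_at"])
    print("genuine:", verify_export(exp, DEMO_KEY))
    print("tampered:", verify_export(tampered(exp), DEMO_KEY))
```

The point of canonical serialisation is that the same logical payload always yields the same bytes; without it, a harmless re-serialisation by the PDF generator or an API gateway would break verification and train people to ignore failures.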

Use cases

Who it is for, and in what context.

Banks, support PSFs, specialised PSFs: continuously maintained CSSF 22/806 + DORA Register of Information, traced CSSF prior notifications, inspection-ready dossier at any time.

Management companies (UCITS, AIFM, ManCo), funds (SIF, SICAV, SICAR, RAIF): ICT chain tracking with LEI, identification of CTPP providers designated by European authorities (DORA).

Insurance companies (CAA): compliance with circular 15/3, archiving, sector-specific GDPR register.

Hospitals, NIS 2 essential entities: continuous assessment of your critical IT providers, Article 21(2)(d) and (f) compliance.

Multi-client external DPOs: centralised supply chain management for all clients in a single platform, data isolated between them.

Regulatory compliance

Four regulatory frameworks, one tool.

  • GDPR Article 28 (processor) and Article 30 (records of processing) with full mention of recipients and non-EU transfers.
  • CSSF Circular 22/806 modified by 25/883: outsourcing register with prior notification of critical functions.
  • DORA Regulation 2022/2554 Article 28 and its Register of Information in European authorities' ITS format (15 sub-templates).
  • NIS 2 Directive Article 21(2)(d) and (f): security and continuous assessment of the supply chain.
  • EBA outsourcing guidelines transposed via 22/806, specific expectations on cloud computing.
  • Article 41 LSF: exclusive on-premise AI routing for documents covered by banking secrecy.

Architecture · Hosting

Technical stack and data sovereignty.

Module integrated with the DPO Assistant platform: same technical base, same connectors, same configurable AI engine. Native connectors to existing TPRM platforms (TrustCenter, Whistic, OneTrust, ServiceNow GRC) if you already use one. REST API for IT integration. Luxembourg hosting, with a 100% on-premise mode possible for actors subject to Article 41 LSF.

FAQ

Frequently asked questions

How many vendors can we manage?
The tool is sized for over 1,000 vendors per institutional client. For a large group with 5,000+ vendors, horizontal scaling is possible without an architecture change.

What if a vendor refuses to use your portal?
Three alternative channels: a dedicated email address per vendor (DKIM/SPF verified), an API connector to the TrustCenter / Whistic / OneTrust platforms where they already publish, or manual upload by an internal operator. In practice, critical and important vendors quickly accept the portal because they have the same auditability needs on their side.

What does the AI actually do?
Three specific things: classify the uploaded document type (DPA, ISO 27001, SOC 2, continuity plan, etc.) against a 30-category reference list; extract structured fields (certifier, numbers, dates, scope, RTO, RPO); propose actions (reminder, escalation, mitigation plan, exit plan recommendation). No high-stakes decision is made by the AI alone; the DPO or CISO validates it.

Difference with OneTrust, ServiceNow GRC, Whistic?
Three real differences. (1) Designed for Luxembourg + EU: CSSF 22/806 registers, DORA RoI in ITS format, LU NIS 2, Article 41 LSF secrecy. (2) Automatic AI document reading with live filling, where competitors require manual or semi-manual entry. (3) EU sovereignty: Luxembourg hosting, full on-premise mode, on-premise AI routing for banking secrecy.

Implementation timeline?
Daily-usable version (vendor reference, portal, auto-reading, GDPR + CSSF 22/806 registers): 6 months. Full version with the complete DORA Register of Information and NIS 2: 10 months. POC on a dozen of your real vendors in 4 weeks to validate the tool before commitment.

How much does it cost?
Pricing by tiers of managed vendors and analysed documents per month, plus AI consumption. For a PSF with 80 vendors and 200 documents analysed per month: 2,500 to 5,000 EUR/month. For a large bank with 500+ vendors and monthly DORA reporting: 8,000 to 18,000 EUR/month. Quote within 24h.

Try this software on your real data.

POC with no long-term commitment. Tailored quote within one business day.

Build my quote →