Vendor Due Diligence
Govern the AI you buy as closely as the AI you build.
One verified vendor profile, evaluated against your obligations and reviewed when their stance changes — not a PDF that ages on a SharePoint.
Vendor · model platform · profile
Verified · 9 enterprises
Vendor side
One profile, kept current.
Model lineage
Sub-processors
Certifications
Data handling
Your side
Evaluated against your obligations.
EU AI Act · Annex III(5) · Met
ISO/IEC 42001 · 8.4 · Met
GDPR · Art. 28 DPA · Open
Updated by vendor · flagged to buyers on change · Live
The problem
The questionnaire is everyone's worst week.
Every buyer sends the same 240-question spreadsheet. Every vendor answers in a slightly different way. Neither side is sure when the answer was last true.
And the most important question — has anything material changed — is rarely asked.
Today · 240-row spreadsheet
Stale on receipt
— Same questions, slightly different in every enterprise
— Answers as of when the vendor last touched it
— No re-issue when the vendor's posture changes
— Buyers reconcile vendor names across three documents
How it works
Two sides, one profile.
01
Vendor profile, authored once
The vendor maintains a verified profile — model lineage, data handling, certifications, sub-processors — and updates it when it changes. Once, not per buyer.
Vendor maintains
One profile · many buyers
02
Buyer view, scoped to obligations
You see the vendor evaluated against your frameworks and jurisdictions — what is in scope, what is held open, what is non-compliant.
In scope · ok
Met · ok
Held open · open
03
Continuous review
A material change on the vendor profile flags every buyer who depends on it. The record knows which enterprises are exposed.
Change flagged
9 buyers notified
Sub-processor added · today
Registry · AGT-014
Vendor profile
verified · current
A vendor change opens an event on every registry record that links to it.
Through-line
The vendor becomes part of your record.
Each engagement links to the vendor profile from the system record. A vendor change is a registry change, with the same audit chain as anything you build in-house.
One source of truth, both sides.
Proof
A vendor profile, against your obligations.
Same vendor; verdict shaped by the obligations you carry. Sourced and honest about gaps.
Vendor · model platform · against your obligations
Sourced
EU AI Act · Annex III(5)(b) · Vendor attested · 2 Jun · Annex IV ready · Met
ISO/IEC 42001 · 8.4 · Certified · cert 42001-2451 · expires Mar · Met
GDPR · Art. 28 · DPA · Held open · DPA pending sub-processor amendment · Held open
NIST AI RMF · Manage · Vendor self-asserted · awaiting attestation · Held open