Automated 0–100 security scoring for every data processor. Breach history, TLS certificate validation, certifications, domain age, and DPO sign-off, with no spreadsheets and no paid APIs.
5 factors: security certification (30 pts), breach history (25 pts), TLS certificate validity (20 pts), domain age (15 pts), DPO sign-off (10 pts). No paid APIs.
HIBP v2 + databreach.com breach lookups. Cached in Redis for performance. Flags vendors with known historical or recent breaches.
ISO 27001, SOC 2 Type I/II, PCI-DSS, CERT-In, CSA STAR. Upload certificate documents to R2. Expired certs auto-reduce score.
Each vendor card shows DPA status (DPDPA S.8(2)): signed, missing, or expired. Not a score factor — a compliance requirement.
Visualise your entire vendor portfolio: data sensitivity on X-axis, risk score on Y-axis. Click any dot to jump to that vendor.
Generate a board-ready vendor risk report: cover page, portfolio summary, per-vendor score breakdown. Stored immutably in R2.
Vendor Risk Intelligence is available on Growth, Business, and Enterprise plans.
DPDPA S.8(2) requires every Data Fiduciary to ensure that any Data Processor they engage handles personal data only as directed and implements security safeguards that are contractually specified. This means: (1) a written Data Processing Agreement must exist before any processing begins, and (2) the DPA must specify security standards. DPDPA Shield's vendor risk module tracks both the DPA status and the vendor's actual security posture independently.
The score is the sum of 5 factors, none of which needs a paid API: Security Certification (30 points: a current ISO 27001, SOC 2 Type II, PCI-DSS or CERT-In certificate = 30; SOC 2 Type I or CSA STAR = 18; expired = 5; none = 0), Known Public Breaches (25 points: no breach = 25, historical only = 8, recent = 0), Valid TLS Certificate (20 points, checked by completing a TLS handshake with Node's tls module against the vendor's domain), Domain Age over 2 years (15 points, registration date taken from an RDAP lookup), and DPO Formal Sign-off (10 points, counted while the sign-off is within its 12-month review cycle). Risk tiers: LOW (≥80), MEDIUM (60–79), HIGH (40–59), CRITICAL (<40). Certification and breach history carry 55 of the 100 points; a valid certificate and an old domain are hygiene signals that almost any established vendor collects, so a vendor earning only those 35 points is still CRITICAL.
DPA status (DPDPA S.8(2)) is a binary compliance requirement, not a risk factor. A vendor can have excellent security and still be non-compliant if you have no DPA with them. Conversely, a DPA doesn't mean the vendor is secure. We surface the DPA status as a prominent compliance banner on every vendor card so you can act on it independently from the security score.
Vendor Risk Intelligence is available on Growth, Business, and Enterprise plans. It includes automated enrichment, certification tracking, DPO sign-off workflow, and PDF report generation. Starter plan users do not have access to this module.
Growth plan includes full vendor risk intelligence. Weekly automated re-enrichment keeps scores current.