DPA, subprocessor & privacy policy monitoring · Daily

Your vendors change their policies. We tell you which ones, and what changed.

Thorgate is continuous vendor document monitoring for compliance teams — privacy policies, DPAs, subprocessor lists, and terms across every SaaS vendor in your stack. When something material changes, you hear about it before your auditor does.

Built for SOC 2 · ISO 27001 Annex A.5.19 · GDPR Article 28 / 30 · DORA third-party risk

No credit card required · Cancel anytime · Built for SOC 2 / ISO 27001 evidence
The problem

Your auditor will ask. Your answer shouldn't be "let me check."

01
Vendors change their terms constantly.
The average mid-market SaaS stack includes 30–60 vendors handling customer data. Each updates its policies a few times a year. Material changes happen often.
02
Notifications disappear into shared inboxes.
When vendors bother to notify at all, the emails land in a shared alias, get triaged as "legal," and disappear. Subprocessor updates, retention shifts, jurisdiction changes — quietly accepted by default.
03
Manual tracking doesn't survive reality.
The quarterly vendor review spreadsheet is a fiction maintained in good faith. By month two it's stale. By the audit it's evidence of a process, not an actual process.
How it works

What Thorgate does, in six parts.

Monitoring first. Signal second. Audit evidence third. No governance platform bloat, no security questionnaire workflows, no modules you'll never turn on.

01 · Daily crawl
Daily document fetches.
Privacy policies, terms of service, DPAs, subprocessor lists, and security pages — across your full vendor catalog. Fetched, parsed, and stored every day, with full version history.
02 · Change detection
Structured diffs, not noise.
Side-by-side comparison of versions with additions and deletions highlighted. Cosmetic reformats are filtered out so the signal stays clean.
03 · AI summary
Plain English, deterministic.
Every detected change gets a one-paragraph summary of what materially changed. Cached per diff — no drift between what you read Tuesday and what your colleague reads Thursday.
04 · Severity tags
Minor. Moderate. Major.
New subprocessor? Major. Retention extension? Major. Boilerplate rewording? Minor. Alert thresholds per vendor, so tier-one systems don't hide under typo fixes.
05 · Alerts
Email digest, Slack, webhooks.
Daily or weekly email summaries. Slack channel pings for tier-one vendors. Generic webhooks for compliance GRC integrations when you need them.
06 · Audit evidence
CSV, PDF, review trail.
Export the vendor list with current document versions and last-reviewed timestamps. Internal notes per vendor prove someone looked at the November DPA update and decided what to do about it.
Compliance frameworks

Built for the controls your auditor actually asks about.

Subprocessor changes, DPA versions, retention shifts, and breach-notification term updates are evidence requirements under every major compliance regime. Thorgate produces the records that map directly to specific clauses.

SOC 2
SOC 2 vendor evidence.
Continuous evidence for CC9.2 vendor management — document versions, change events, review trail. Designed for the SOC 2 auditor's "show me your vendor monitoring" ask.
ISO 27001
Annex A.5.19 – A.5.22.
Supplier-relationships controls — monitor supplier services, manage changes, address risk in the ICT supply chain. Continuous document evidence per supplier.
GDPR
Article 28 & 30.
Track processor DPA changes (Art. 28) and maintain Records of Processing (Art. 30) with subprocessor lists that don't go stale a week after the audit.
DORA
Third-party ICT risk.
The EU's Digital Operational Resilience Act requires ongoing monitoring of ICT third-party providers. Thorgate captures the documentation half automatically.

Thorgate is the document-monitoring layer of a vendor risk program. We pair with — not replace — broader TPRM and vendor risk management platforms.

Vendor intelligence

Every tracked vendor has a page. Public by default. Refreshed daily.

When someone in your organization asks "how does Notion handle subprocessors?" — the answer is a link, not a 40-minute investigation.

Pricing

Three plans. Month to month. No overages.

Fourteen-day free trial, no credit card required. Cancel with a button. Vendor count is the only variable we price on.

Starter
$49 / month

For solo privacy leads and small compliance functions tracking a focused vendor list.

10 vendors · 1 seat
  • Daily change detection
  • AI change summaries
  • Email digest alerts (daily / weekly)
  • Version comparator
  • Internal notes per vendor
  • CSV export
Scale
$299 / month

For organizations with broad vendor exposure and multiple teams sharing oversight responsibility.

100 vendors · 7 seats
Everything in Pro, plus:
  • Team workspace organization
  • Priority email support
No usage overages · Cancel anytime · Month-to-month billing · Need more than 100 vendors? Talk to us.

Stop finding out from your auditor.

Set up your vendor list in ten minutes. Get your first weekly digest on Sunday. Keep every version of every policy, forever.
