Frequently asked

Questions, answered.

If something isn't covered here, ask: support@thorgate.com.

Product

What it is and what it does.

What is Thorgate?
A B2B monitoring tool that tracks vendors' privacy policies, DPAs, subprocessor lists, and terms of service, and alerts you when anything material changes. Built for compliance managers, in-house counsel, DPOs, and privacy officers at mid-market companies that need ongoing vendor oversight evidence for SOC 2, ISO 27001, GDPR, and similar frameworks.
Which documents do you track per vendor?
Five document types: privacy policy, terms of service, data processing agreement, subprocessor list, and security / trust page. You can add any of them as URLs; we auto-detect what we can from the primary URL.
How often are documents checked?
Once a day on automatic scheduling. Manual on-demand crawls are available with a 60-minute cooldown per document.
How accurate is severity classification?
Severity is generated by Claude (Anthropic) using a deterministic prompt — same diff produces the same severity. The classifier follows the rules: major for new subprocessors, retention period changes, jurisdictional changes, breach notification term changes; moderate for clarifications and non-material updates; minor for typos, reformatting, and broken-link fixes. Output isn't infallible; you can override and mark events reviewed.
Do you support PDFs?
Yes. PDFs are extracted to text via Jina Reader. Many vendor DPAs and subprocessor lists are PDFs that can run dozens of pages — we handle them transparently.
Can I track our internal documents, not just vendor documents?
Today the product is built for monitoring third-party public documents. Internal-document tracking isn't a use case we're optimizing for — different audience, different feature shape.
Can I import an existing vendor list?
Not yet. CSV import is on the roadmap. For now, vendors are added one at a time via the Add Vendor flow, which is fast — auto-detection populates most fields after you paste a primary URL.
How is this different from Vanta or Drata?
Vanta and Drata are governance, risk, and compliance (GRC) platforms — security questionnaires, SIG Lite workflows, full vendor risk management — typically priced for enterprise budgets. Thorgate is purpose-built for one job (privacy document monitoring) at a price an in-house compliance professional can self-approve. Different scope, different buyer.
How is this different from Visualping or generic page-change monitors?
Generic monitors flag a navigation tweak as confidently as a new subprocessor — they know nothing about privacy documents. Thorgate produces structured diffs, AI summaries written for compliance professionals, severity classifications, and audit-evidence exports compatible with SOC 2 and ISO 27001.
Pricing & billing

Plans, trials, and money.

What counts as a vendor?
One company you track. Each vendor can have up to five tracked documents. Tracking ten vendors with all five documents counts as ten vendors, not fifty.
What happens when I exceed my plan's vendor limit?
You can't add new vendors above the limit. Existing vendors continue tracking normally. Upgrade to track more, or remove vendors you no longer need. We don't auto-charge overages.
Do you require a credit card to start?
No. The 14-day trial is free, no card required. We email you before the trial ends with a link to pick a plan. If you don't subscribe, nothing is charged.
What happens after the 14-day trial?
If you don't pick a plan, your account is paused — data preserved for 60 days, no new crawls. Subscribe within those 60 days to resume tracking. After 60 days, paused accounts are deleted.
Do you offer annual billing?
Not at launch. We may add annual billing with a discount once we have data on retention and renewal patterns.
Can I cancel anytime?
Yes. Click cancel in billing settings; subscription ends at the end of the current billing period. You keep access until then.
What if I need to track more than 100 vendors?
Get in touch. Beyond Scale we work case by case with custom contract terms.
Compliance frameworks

How Thorgate maps to the controls you're audited against.

Is Thorgate a TPRM platform?
No — Thorgate is the document-monitoring layer of a vendor risk program. Broader TPRM platforms (UpGuard, Whistic, OneTrust, Prevalent) handle vendor inventory, security questionnaires, and risk scoring. We're purpose-built for one job: continuously monitoring vendor privacy policies, DPAs, and subprocessor lists, and producing audit evidence when they change. We pair with TPRM platforms; we don't replace them.
How does Thorgate help with GDPR Article 28 compliance?
Article 28 requires controllers to engage only processors that provide sufficient guarantees of GDPR-compliant processing, and to be notified of subprocessor changes. Thorgate continuously tracks each processor's DPA and subprocessor list and produces a timestamped change log — when terms shifted, what changed, who reviewed it. The result is the audit-evidence trail behind your Article 28 vendor oversight obligation.
How does Thorgate help with GDPR Article 30 Records of Processing?
Article 30 ROPA records require an up-to-date list of processors and the personal data they handle. The pain point is keeping subprocessor lists current — vendors update them quarterly, and your ROPA goes stale almost immediately. Thorgate's daily monitoring catches the changes and the CSV export feeds directly into ROPA maintenance.
How does Thorgate help with SOC 2 vendor management evidence?
SOC 2 CC9.2 requires ongoing assessment of vendor risk and controls. Auditors increasingly ask for evidence of continuous monitoring — not a once-a-year vendor review checkbox. Thorgate provides per-vendor document version history, AI-summarized change events with severity classification, reviewer attestations, and CSV / PDF exports formatted for SOC 2 auditor workpapers.
How does Thorgate help with ISO 27001:2022 Annex A.5.19 through A.5.22?
The 2022 revision's supplier-relationships controls cover information security in supplier relationships (A.5.19), within supplier agreements (A.5.20), managing ICT supply-chain risk (A.5.21), and managing change in supplier services (A.5.22). Thorgate produces continuous evidence per supplier — current document versions, change events, last-reviewed timestamps — mapped to the operational requirements of those controls.
How does Thorgate help with DORA third-party ICT risk?
The EU's Digital Operational Resilience Act (Articles 28-30) requires financial entities to maintain a register of ICT third-party providers and to monitor concentration and substitutability risk continuously. Thorgate captures the documentation half of that obligation automatically.
Security & compliance

Where data lives and who sees it.

Where is my data stored?
In our managed VPS instance in the United States. Account metadata in one MariaDB instance; document content in a separate one. See the Security page for full details.
Do you train AI on my data?
No. The data sent to Anthropic is the public document content you've chosen to track (privacy policies, terms of service, etc. — already published by the vendors themselves). Anthropic's API terms prohibit using API content for model training. We don't send any customer-account data, settings, or usage patterns.
Can I get a Data Processing Agreement (DPA)?
Yes. Our DPA is published at /legal/dpa and is incorporated automatically when you subscribe. If you need a counter-signed copy on letterhead, email support@thorgate.com.
Are you SOC 2 certified?
Not yet. We're targeting SOC 2 Type II attestation within 12 months of public launch. Progress is published on the Security page.
Do you sell or share my data?
No. We don't sell personal data. We don't share it with advertisers. We don't use it to train AI models. We disclose to government authorities only when legally required.
How do I delete my data?
Cancel your subscription from billing settings; data is purged after a 60-day grace period. For immediate deletion, email support@thorgate.com.
Do you have a public bug bounty?
Not yet. Responsible disclosure is welcome at support@thorgate.com; we aim to acknowledge promptly.
Technical

How the crawler works and other plumbing.

What if a vendor blocks crawlers?
Direct fetches that fail (Cloudflare challenges, 403s, JS-rendered SPAs) automatically fall back to Jina Reader, which uses a headless browser. We use an identifiable user agent so vendors can exclude us if they prefer.
Do you support SSO?
Not yet. Email + password at launch; SSO (SAML / OIDC) is on the roadmap, likely a Scale-tier feature when it ships.
Do you have a public API?
Not at launch. CRUD API access is on the v1.1+ roadmap, primarily for customers wanting to integrate with internal tooling or GRC platforms.
Can I export my data?
CSV export of vendor list, document URLs, last-fetched dates, recent change counts, and last-reviewed dates is available on every plan. Full audit-evidence export designed for SOC 2, ISO 27001 Annex A.5, and GDPR Article 30.
What happens if a tracked URL changes?
When you update a document URL via the edit form, Thorgate prompts to confirm — saving will reset that document's history (delete prior versions and change events) so the next crawl establishes a fresh baseline. Other accounts tracking the same URL aren't affected.
How do you handle vendor URLs that redirect?
We follow up to 5 redirects. If the final destination is a different domain (e.g., slack.com/subprocessors redirects to a Salesforce-hosted PDF), we capture the canonical-URL metadata and the actual content. The "Open original" button on the version page reflects the URL you tracked, not the redirect destination.

Didn't find your answer?

Email us. We read everything.

support@thorgate.com