For in-house counsel

Vendor Contract & DPA Monitoring for In-House Counsel

You negotiated the DPA once. Then the vendor changed their subprocessor list, their liability terms, their data-use language — and nobody told legal. Thorgate watches so you're not the last to know.

Start a 14-day trial → See pricing

You did the hard part already. You reviewed the vendor's DPA, pushed back on the indemnity, got the subprocessor-notification clause you wanted, and signed. The problem is that signing isn't the end of the document's life — it's the beginning of a period where the terms quietly move and legal is rarely in the loop.

Thorgate is the safeguard against being the last to find out.

What actually happens after signing

  • Subprocessor lists change constantly. Most DPAs let the vendor add subprocessors with notice. The notice often doesn't reach legal, and the list you approved at signing no longer matches who's actually processing the data.
  • Incorporated-by-reference terms drift. DPAs routinely reference the vendor's security page, acceptable-use policy, or privacy policy. When those referenced documents change, your contractual terms change with them — without a redline, without a signature, without anyone telling you.
  • Renewals arrive with no memory. When the contract comes up for renewal, reconstructing what changed over the term means re-reading everything. Usually it doesn't happen, and you renew blind.

What Thorgate does for you

  • Watches the whole document set. Privacy policy, terms, DPA, subprocessor list, and security page — the incorporated-by-reference documents included — fetched daily.
  • Surfaces the legally material changes. New subprocessors, liability and indemnification changes, jurisdictional shifts, breach-notification changes, new data uses — classified by severity so you can filter to what needs a lawyer's eye.
  • Keeps a signing-to-now timeline. Every version stored and timestamped, so at renewal you see the full arc of changes since execution rather than starting from a blank page.
  • Respects your inbox. Per-vendor thresholds mean you hear about tier-one vendors' material changes and nothing else. No noise.

Where it earns its place

The value shows up at two moments. First, the day a vendor adds a subprocessor you'd have objected to — you find out in days, not at the next audit. Second, at renewal, when you walk in with a documented history of how the relationship's terms actually evolved, instead of a vague sense that "some things probably changed."

What it isn't

Thorgate doesn't practice law. It reports what changed and how significant it is factually; the legal judgment — does this breach our standard, does it need escalation, is it acceptable risk — remains entirely yours. It removes the monitoring burden so that the changes needing legal attention actually reach legal.

Frequently asked

We already redline DPAs at signing. Why monitor after?
Because the document you signed isn't frozen. Vendors update subprocessor lists, security terms, and referenced sub-policies continuously, and many DPAs incorporate those by reference. The terms you negotiated can shift materially without a new signature — Thorgate catches that drift.
Does this help with contract renewals and vendor reviews?
Yes. When a renewal or review comes up, you have a full timeline of what changed since signing instead of re-reading everything from scratch — which changes went in your favor, which added risk, what to raise in the renewal.
Can I limit alerts to legally material changes only?
Yes. Per-vendor severity thresholds let you hear only about major changes — new subprocessors, liability shifts, jurisdictional changes — for the vendors that matter, and stay silent on cosmetic edits.
Is this a substitute for legal review?
No. Thorgate flags what changed and how significant it is on a factual scale. Whether a change needs action is your call — it surfaces the signal so nothing material reaches renewal unseen.
Try it on your vendor stack.

14-day free trial, no credit card required.

Start a trial