Getting started with Thorgate

A 10-minute walkthrough — set up monitoring, configure alerts, generate your first audit-evidence export.

This guide takes you from empty workspace to a working vendor-monitoring program in about ten minutes. If you've used Thorgate before, skim the headings — most of it is muscle memory once you're past setup.

Before you start

You'll want one piece of information per vendor:

  • The vendor's primary URL — usually their homepage (e.g. https://stripe.com). Thorgate auto-detects privacy policy, terms, DPA, and subprocessor list URLs from there.

That's it. No security questionnaires, no vendor onboarding sessions, no "first sync" wait. Add a URL and tracking starts within a minute.

Step 1 — Add your first vendor (2 minutes)

  1. Click Add vendor in the top-right of any page.
  2. Type the vendor name and paste the primary URL.
  3. Click Detect. Thorgate fetches the homepage and tries to find the five document types automatically.
  4. Review the auto-detected URLs. Edit any that look wrong, paste any that are missing. You can always edit later.
  5. Choose a tier:
    • Tier 1 — critical vendors (payroll, identity, customer data). Default to alerting on every change.
    • Tier 2 — standard vendors (most B2B SaaS).
    • Tier 3 — light-touch (utilities, internal tools).
  6. Click Save vendor.

The first crawl runs immediately. Within a minute or two, you'll see version data on the vendor detail page.

Step 2 — Configure your digest (1 minute)

  1. Open Settings from the sidebar.
  2. Digest frequency — choose Daily if you want morning emails when changes happen, Weekly if Monday mornings are enough.
  3. Timezone — already auto-set from your browser; only change if needed.

Daily digests skip silent days (no email when there are no changes). Weekly always sends, including silent weeks — auditors like the proof-of-monitoring trail.

Step 3 — Set per-vendor alert thresholds (optional, 2 minutes)

By default every change triggers an entry in the digest. For tier-3 vendors that change frequently with mostly minor edits, you may want to filter out the noise.

  1. Open any vendor's detail page.
  2. Click Edit.
  3. Set Alert threshold:
    • All severities — every change alerts (default).
    • Moderate and above — skip minor (typos, reformatting).
    • Major only — skip moderate clarifications.
    • No alerts — track silently, see in the in-app feed only.
  4. Save.

Changes still appear in the in-app Changes feed regardless of alert threshold; this only controls digest emails and webhook deliveries.

Step 4 — Wire up Slack or PagerDuty (optional, 3 minutes)

If your team lives in Slack or PagerDuty, push major changes there too:

  1. Settings → Webhooks → Configure.
  2. Add webhook.
  3. Paste your Slack incoming webhook URL or PagerDuty webhook URL (Generic JSON).
  4. Set Minimum severity to "Major only" for PagerDuty, or "Any" for a Slack channel that wants everything.
  5. Save. Copy the signing secret shown in the orange callout — your receiver will need it to verify HMAC signatures.

End to end: the next time a major change is detected on a vendor whose alert threshold permits it, you'll see the message in Slack or the incident in PagerDuty.
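
One way a custom receiver can use the signing secret from step 5 to authenticate a delivery, as an added example that is not Thorgate's own code. This page does not state the signature format, so HMAC-SHA256 over the raw request body, hex-encoded with an optional "sha256=" prefix, is an assumption; the secret, payload and field names are constructed.

```python
import hashlib
import hmac
import json

# Constructed value; the real secret is the one shown once in Settings -> Webhooks.
SECRET = b"example-signing-secret"


def sign(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 of the body (assumed scheme, not confirmed by this page)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify(secret: bytes, raw_body: bytes, header_value) -> bool:
    """Check a signature header value against the bytes exactly as received."""
    if not header_value:
        return False  # a missing signature is a failure, never a bypass
    candidate = header_value.strip().lower()
    if candidate.startswith("sha256="):
        candidate = candidate[len("sha256="):]
    expected = sign(secret, raw_body)
    # compare_digest runs in constant time, so the comparison does not leak
    # how many leading characters of a forged signature were correct.
    return hmac.compare_digest(expected.encode(), candidate.encode())


def handle_delivery(secret: bytes, raw_body: bytes, header_value):
    """Parse the event only after it is authenticated; None means reject (401)."""
    if not verify(secret, raw_body, header_value):
        return None
    return json.loads(raw_body)


# Constructed sample delivery; the field names are illustrative only.
SAMPLE_BODY = b'{"vendor":"Example Vendor","severity":"major"}'
SAMPLE_HEADER = "sha256=" + sign(SECRET, SAMPLE_BODY)

if __name__ == "__main__":
    print(handle_delivery(SECRET, SAMPLE_BODY, SAMPLE_HEADER))
    # A body altered in transit no longer matches the signature.
    tampered = SAMPLE_BODY.replace(b"major", b"minor")
    print(handle_delivery(SECRET, tampered, SAMPLE_HEADER))
    # Re-serializing parsed JSON changes the bytes, so verify before parsing.
    reserialized = json.dumps(json.loads(SAMPLE_BODY)).encode()
    print(verify(SECRET, reserialized, SAMPLE_HEADER))
```

Verify against the raw bytes your framework received, before any JSON parsing or middleware rewrites them, and keep the secret in a secrets manager rather than in source.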

Step 5 — Review changes as they happen (ongoing)

When a change is detected:

  1. The vendor's privacy policy / DPA / subprocessor list / terms / security page is re-fetched.
  2. The diff is sent to Anthropic's Claude with a deterministic prompt to classify severity (major / moderate / minor) and summarize what changed.
  3. A change event appears in the Changes feed.
  4. Depending on your alert threshold and digest frequency, you may also get an email or a webhook delivery.

To review:

  1. Click into any change event.
  2. Read the AI summary — usually one sentence describing what's different.
  3. Toggle between Reading view (changes highlighted in the document) and Unified view (line-level diff like a code review).
  4. If the classification looks wrong, override the severity from the same page.
  5. Click Mark reviewed when you're done evaluating. The reviewer name and timestamp are recorded in the audit trail.

For SOC 2 / ISO 27001 evidence, the "reviewed by [name] at [timestamp]" trail is what auditors want to see — not just that you have the data, but that you actually evaluated it.

Step 6 — Generate audit evidence (1 minute, before any audit)

Thorgate produces two evidence artefacts:

  • Vendor list CSV — one row per vendor with every field auditors typically ask for. Click Export CSV on the Vendors page; the export preserves any active filters.
  • Per-vendor audit PDF — a branded document with vendor identity, tracked documents, full change history, reviewer attribution, and a signature paragraph naming you and the date. Click Audit PDF on any vendor detail page.

You can run these on demand the night before an audit, or any time you want a snapshot.

Where to go next

For everything else, browse the help index or email support@thorgate.com.
