SOC 2 vendor monitoring evidence, on autopilot.
Continuous evidence for CC9.2 vendor management — document versions, change events, severity classification, reviewer attestations. Designed for the auditor's "show me your vendor monitoring" ask.
What SOC 2 CC9.2 actually requires
Trust Services Criterion CC9.2 requires organizations to "assess and manage risks associated with vendors and business partners." For SOC 2 Type II, that's ongoing — auditors expect evidence that vendor risk was monitored across the observation window, not just at the start.
In practice, that means producing documentation for each in-scope vendor showing: which policy and security commitments were in force, what changed during the period, how the change was reviewed, and what the conclusion was. Doing this by hand for 30+ vendors is the job nobody wants and the evidence nobody trusts.
What Thorgate produces, mapped to SOC 2 evidence
Per-vendor document version history. Privacy policy, terms of service, DPA, subprocessor list, and security/trust page — each fetched daily and stored with content hashes. The version stack is the contemporaneous evidence that the vendor's stated commitments existed at a particular point in the observation period.
Change events with AI summaries and severity classification. When something material changes — a new subprocessor, a retention period shift, a breach-notification SLA change, a jurisdictional addition — Thorgate produces a structured change event with a plain-English summary. Auditors read summaries, not diffs.
Reviewer trail. Per-change "mark as reviewed" with timestamped attestation by named user. This is the artifact your auditor actually wants: someone looked at this on this date and decided what to do.
CSV / PDF audit-evidence exports. Per-vendor audit PDFs with current document versions, change-event history, and review attestations — designed for direct attachment to SOC 2 workpapers. CSV exports give your auditor the same data in a format suitable for sampling.
What Thorgate is not
Thorgate is not a TPRM platform, not a security questionnaire workflow, and not a SOC 2 readiness toolkit. If you don't already have Vanta, Drata, or a similar GRC platform handling your CC9.2 inventory and vendor onboarding, Thorgate alone won't get you through a SOC 2 audit. It's the document-monitoring layer that fills the gap your GRC tool leaves between annual vendor reviews.
Typical SOC 2 use cases
- Pre-audit evidence prep. Export the per-vendor audit PDFs for the observation window; attach to your CC9.2 workpapers.
- Year-round monitoring of tier-1 subprocessors. Per-vendor severity thresholds let you alert on every change for AWS / GCP / Stripe-tier vendors, and only major changes for the long tail.
- Continuous evidence for SOC 2 Type II. The document version stack is the contemporaneous record auditors want from the observation period — not a screenshot taken the week before fieldwork.
- Subprocessor change notification under processor DPAs. Your processor DPAs require vendors to notify of subprocessor changes; Thorgate catches the ones that don't.
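The evidence model described above (daily fetches stored under content hashes, change events with a severity and summary, named reviewer attestations, CSV export) and the per-vendor severity thresholds from the tier-1 use case can be made concrete in a few dozen lines. The following is an added illustration, not Thorgate's code: the vendor name, document bodies, reviewer address and dates are constructed, and a keyword rule stands in for the AI summary and classification step.

```python
import csv
import hashlib
import io
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Optional

# Hypothetical classification rules standing in for an AI summary/severity step:
# any change to the subprocessor list is major; elsewhere, a changed line that
# mentions one of these terms makes the change major, otherwise it is minor.
MATERIAL_DOC_TYPES = {"subprocessor_list"}
MATERIAL_TERMS = ("subprocessor", "breach", "retention", "jurisdiction", "transfer")
SEVERITY_RANK = {"minor": 0, "major": 1}


def content_hash(body: str) -> str:
    """SHA-256 of the fetched document text; this is the version's identity."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class Observation:          # one row per fetch, changed or not
    vendor: str
    doc_type: str
    fetched_at: datetime
    sha256: str


@dataclass
class ChangeEvent:
    event_id: int
    vendor: str
    doc_type: str
    detected_at: datetime
    old_sha256: str
    new_sha256: str
    severity: str
    summary: str
    reviewed_by: Optional[str] = None
    reviewed_at: Optional[datetime] = None


class EvidenceStore:
    def __init__(self) -> None:
        self.blobs: dict[str, str] = {}            # content-addressed document bodies
        self.observations: list[Observation] = []
        self.events: list[ChangeEvent] = []

    def latest_sha(self, vendor: str, doc_type: str) -> Optional[str]:
        for obs in reversed(self.observations):
            if obs.vendor == vendor and obs.doc_type == doc_type:
                return obs.sha256
        return None

    def classify(self, doc_type: str, old_body: str, new_body: str) -> tuple[str, str]:
        old_lines, new_lines = set(old_body.splitlines()), set(new_body.splitlines())
        added, removed = sorted(new_lines - old_lines), sorted(old_lines - new_lines)
        changed = added + removed
        material = doc_type in MATERIAL_DOC_TYPES or any(
            term in line.lower() for line in changed for term in MATERIAL_TERMS)
        summary = f"{len(added)} line(s) added, {len(removed)} removed"
        if changed:
            summary += f"; e.g. {changed[0]!r}"
        return ("major" if material else "minor"), summary

    def record_fetch(self, vendor: str, doc_type: str, body: str,
                     fetched_at: datetime) -> Optional[ChangeEvent]:
        digest = content_hash(body)
        self.blobs.setdefault(digest, body)
        prev = self.latest_sha(vendor, doc_type)
        # Unchanged fetches are recorded too: they are the evidence that
        # monitoring actually ran on each day of the observation window.
        self.observations.append(Observation(vendor, doc_type, fetched_at, digest))
        if prev is None or prev == digest:
            return None
        severity, summary = self.classify(doc_type, self.blobs[prev], body)
        event = ChangeEvent(len(self.events) + 1, vendor, doc_type, fetched_at,
                            prev, digest, severity, summary)
        self.events.append(event)
        return event

    def attest(self, event_id: int, reviewer: str, reviewed_at: datetime) -> None:
        """Named, timestamped 'mark as reviewed' for one change event."""
        event = self.events[event_id - 1]
        event.reviewed_by, event.reviewed_at = reviewer, reviewed_at

    def unreviewed(self) -> list[ChangeEvent]:
        return [e for e in self.events if e.reviewed_by is None]

    def alertable(self, thresholds: dict[str, str], default: str = "major") -> list[ChangeEvent]:
        """Events at or above each vendor's threshold ('minor' = alert on everything)."""
        return [e for e in self.events
                if SEVERITY_RANK[e.severity] >= SEVERITY_RANK[thresholds.get(e.vendor, default)]]

    def observed_days(self, vendor: str, doc_type: str, start: date, end: date) -> set[date]:
        """Days in [start, end] on which this document was fetched: the coverage evidence."""
        return {o.fetched_at.date() for o in self.observations
                if o.vendor == vendor and o.doc_type == doc_type
                and start <= o.fetched_at.date() <= end}

    def export_events_csv(self) -> str:
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(["event_id", "vendor", "doc_type", "detected_at", "old_sha256",
                         "new_sha256", "severity", "summary", "reviewed_by", "reviewed_at"])
        for e in self.events:
            writer.writerow([e.event_id, e.vendor, e.doc_type, e.detected_at.isoformat(),
                             e.old_sha256, e.new_sha256, e.severity, e.summary,
                             e.reviewed_by or "", e.reviewed_at.isoformat() if e.reviewed_at else ""])
        return buf.getvalue()


def demo() -> EvidenceStore:
    """Constructed sample: three daily fetches of one vendor's subprocessor list."""
    store = EvidenceStore()
    day1 = "Subprocessors:\nAWS (us-east-1)\nSendGrid\n"
    day3 = day1 + "Acme Analytics (EU)\n"          # a new subprocessor appears on day 3
    ts = lambda d: datetime(2024, 3, d, 6, 0, tzinfo=timezone.utc)
    store.record_fetch("examplevendor", "subprocessor_list", day1, ts(1))
    store.record_fetch("examplevendor", "subprocessor_list", day1, ts(2))   # unchanged
    event = store.record_fetch("examplevendor", "subprocessor_list", day3, ts(3))
    if event is not None:
        store.attest(event.event_id, "alice@example.com", ts(3).replace(hour=15))
    return store


if __name__ == "__main__":
    print(demo().export_events_csv())
```

The point worth noticing is the split between observations and events: the observation rows prove that monitoring ran on every day of the window even when nothing changed, while the event rows with their attestation carry the "someone looked at this on this date" evidence an auditor samples from.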
FAQ
What SOC 2 control does Thorgate support?
Primarily CC9.2 (Risk Mitigation — vendor and business partner risk). Continuous monitoring evidence is increasingly expected for SOC 2 Type II.
Will Thorgate output go into my SOC 2 workpapers?
Yes. CSV and PDF exports are formatted for direct attachment as workpaper evidence — including version history, summaries, severity classifications, and named reviewer attestations.
Do I still need vendor questionnaires (SIG / CAIQ)?
Yes — Thorgate doesn't replace SIG / CAIQ. It complements them by continuously monitoring the public commitments vendors have already made.
Is Thorgate itself SOC 2 certified?
Not yet. We're targeting SOC 2 Type II within 12 months of public launch. Current security posture is published on the Security page.
Try it
14-day free trial, no credit card required.