Built for the auditors' question.

Why this exists

Mid-market companies typically work with 30 to 60 SaaS vendors that handle customer data. Each of those vendors updates their privacy policy, DPA, or subprocessor list a few times a year. Almost none of them notify customers proactively. The information is public, but tracking it manually is the kind of work that fills a quarterly compliance review and feels like progress without producing much.

Vendor risk management platforms exist, but they're typically priced for enterprise budgets and ship with security questionnaire workflows, governance dashboards, and policy generators that mid-market compliance functions don't need. At the other end, generic page-change monitors are cheap but know nothing about privacy documents — they'll flag a navigation tweak as confidently as a new subprocessor.

Thorgate fills the gap. Daily monitoring, structured diffs, AI summaries written for compliance professionals, severity classifications based on common audit criteria. Audit-evidence exports compatible with SOC 2 (CC9.2), ISO 27001 Annex A.5.22 (Monitoring of Supplier Services), and GDPR Article 30 records of processing. One specific job, done well, at a price an in-house counsel or DPO can self-approve.

What we won't build

The PRD is opinionated about what's out of scope: we won't ship security questionnaires, we won't track contracts or order forms, we won't draft policies for you, and we won't try to be a one-stop GRC platform. Those are different products with different buyers.

We will keep getting better at the one thing: monitoring what vendors say publicly about how they handle data, and making changes to those statements legible to the compliance professional who has to review them.

How to reach us

One inbox for everything — sales, support, security, privacy, press: support@thorgate.com. Or use the contact page.