Product
What it is and what it does.
What is Thorgate?
A B2B monitoring tool that tracks vendors' privacy policies, DPAs, subprocessor lists, and terms of service, and alerts you when anything material changes. Built for compliance managers, in-house counsel, DPOs, and privacy officers at mid-market companies that need ongoing vendor oversight evidence for SOC 2, ISO 27001, GDPR, and similar frameworks.
Which documents do you track per vendor?
Five document types: privacy policy, terms of service, data processing agreement, subprocessor list, and security / trust page. You can add any of them as URLs; we auto-detect what we can from the primary URL.
How often are documents checked?
Once a day on automatic scheduling. Manual on-demand crawls available with a 60-minute cooldown per document.
How accurate is severity classification?
Severity is generated by Claude (Anthropic) using a deterministic prompt — same diff produces the same severity. The classifier follows the rules: major for new subprocessors, retention period changes, jurisdictional changes, breach notification term changes; moderate for clarifications and non-material updates; minor for typos, reformatting, and broken-link fixes. Output isn't infallible; you can override and mark events reviewed.
Do you support PDFs?
Yes. PDFs are extracted to text via Jina Reader. Many vendor DPAs and subprocessor lists are PDFs that can run dozens of pages — we handle them transparently.
Can I track our internal documents, not just vendor documents?
Today the product is built for monitoring third-party public documents. Internal-document tracking isn't a use case we're optimizing for — different audience, different feature shape.
Can I import an existing vendor list?
Not yet. CSV import is on the roadmap. For now, vendors are added one at a time via the Add Vendor flow, which is fast — auto-detection populates most fields after you paste a primary URL.
How is this different from Vanta or Drata?
Vanta and Drata are governance, risk, and compliance (GRC) platforms — security questionnaires, SIG Lite workflows, full vendor risk management — typically priced for enterprise budgets. Thorgate is purpose-built for one job (privacy document monitoring) at a price an in-house compliance professional can self-approve. Different scope, different buyer.
How is this different from Visualping or generic page-change monitors?
Generic monitors flag a navigation tweak as confidently as a new subprocessor — they know nothing about privacy documents. Thorgate produces structured diffs, AI summaries written for compliance professionals, severity classifications, and audit-evidence exports compatible with SOC 2 and ISO 27001.
Pricing & billing
Plans, trials, and money.
What counts as a vendor?
One company you track. Each vendor can have up to five tracked documents. Tracking ten vendors with all five documents counts as ten vendors, not fifty.
What happens when I exceed my plan's vendor limit?
You can't add new vendors above the limit. Existing vendors continue tracking normally. Upgrade to track more, or remove vendors you no longer need. We don't auto-charge overages.
Do you require a credit card to start?
No. The 14-day trial is free, no card required. We email you before the trial ends with a link to pick a plan. If you don't subscribe, nothing is charged.
What happens after the 14-day trial?
If you don't pick a plan, your account is paused — data preserved for 60 days, no new crawls. Subscribe within those 60 days to resume tracking. After 60 days, paused accounts are deleted.
Do you offer annual billing?
Not at launch. We may add annual billing with a discount once we have data on retention and renewal patterns.
Can I cancel anytime?
Yes. Click cancel in billing settings; subscription ends at the end of the current billing period. You keep access until then.
What if I need to track more than 100 vendors?
Get in touch. Beyond Scale we work case by case with custom contract terms.
Security & compliance
Where data lives and who sees it.
Where is my data stored?
In our managed VPS instance in the United States. Account metadata in one MariaDB instance; document content in a separate one. See the Security page for full details.
Do you train AI on my data?
No. The data sent to Anthropic is the public document content you've chosen to track (privacy policies, terms of service, etc. — already published by the vendors themselves). Anthropic's API terms prohibit using API content for model training. We don't send any customer-account data, settings, or usage patterns.
Can I get a Data Processing Agreement (DPA)?
Yes. Our DPA is published at /legal/dpa and is incorporated automatically when you subscribe. If you need a counter-signed copy on letterhead, email support@thorgate.com.
Are you SOC 2 certified?
Not yet. We're targeting SOC 2 Type II attestation within 12 months of public launch. Progress is published on the Security page.
Do you sell or share my data?
No. We don't sell personal data. We don't share it with advertisers. We don't use it to train AI models. We disclose to government authorities only when legally required.
How do I delete my data?
Cancel your subscription from billing settings; data is purged after a 60-day grace period. For immediate deletion, email support@thorgate.com.
Do you have a public bug bounty?
Not yet. Responsible disclosure is welcome at support@thorgate.com; we aim to acknowledge promptly.
Technical
How the crawler works and other plumbing.
What if a vendor blocks crawlers?
Direct fetches that fail (Cloudflare challenges, 403s, JS-rendered SPAs) automatically fall back to Jina Reader, which uses a headless browser. We respect robots.txt; if a vendor explicitly disallows crawling, we don't crawl. Identifiable user agent so vendors can exclude us if they prefer (most don't).
Do you support SSO?
Not yet. Email + password at launch; SSO (SAML / OIDC) is on the roadmap, likely a Scale-tier feature when it ships.
Do you have a public API?
Not at launch. CRUD API access is on the v1.1+ roadmap, primarily for customers wanting to integrate with internal tooling or GRC platforms.
Can I export my data?
CSV export of vendor list, document URLs, last-fetched dates, recent change counts, and last-reviewed dates is available on every plan. Full audit-evidence export designed for SOC 2, ISO 27001 Annex A.5, and GDPR Article 30.
What happens if a tracked URL changes?
When you update a document URL via the edit form, Thorgate prompts to confirm — saving will reset that document's history (delete prior versions and change events) so the next crawl establishes a fresh baseline. Other accounts tracking the same URL aren't affected.
How do you handle vendor URLs that redirect?
We follow up to 5 redirects. If the final destination is a different domain (e.g., slack.com/subprocessors redirects to a Salesforce-hosted PDF), we capture the canonical-URL metadata and the actual content. The "Open original" button on the version page reflects the URL you tracked, not the redirect destination.