ThirdGuardian is a complete vendor risk platform — from intake request to final remediation. AI-powered questionnaires, rules-based tier assignment, vendor self-service portal, and real-time audit trails all in one place.
A structured, automated path that covers every stage of third-party risk assessment — without the spreadsheets.
Business teams submit a Use Case request. The rules engine automatically assigns a risk tier based on data classification, service type, and configurable conditions. Custom intake fields capture your org's specific requirements.
Questionnaires are auto-assigned based on tier and rules. Vendors complete questionnaires via a dedicated self-service portal. AI extracts BIA impacts from uploaded documents and generates questionnaire drafts from frameworks.
Assessors review responses with per-question notes. Issues with severity-based due dates are auto-created. Bar raiser approvals enforce accountability on critical findings. Everything is logged to an immutable audit trail.
Reassessment cadences are automatically scheduled based on vendor tier. Track breach history, monitor tier changes across your portfolio, and surface overdue reassessments before they become compliance gaps.
A comprehensive TPRM suite built on a clean service-layer architecture — configurable, auditable, and ready to scale.
Design reusable questionnaires with 8 question types, section-based organization, and conditional logic. Assign templates automatically via a rules engine based on vendor tier, data classification, and intake field values.
Generate full questionnaire drafts from natural language instructions or uploaded frameworks (CSV, PDF, DOCX). The AI engine handles file parsing, structured output, and large-framework chunking automatically.
Vendors log in to their own secure portal to complete questionnaires with section-by-section navigation, view assessment status, and upload documents. Fully isolated from internal user sessions via polymorphic authentication.
Assessors can return questionnaires to vendors with mandatory comments explaining what needs revision. Email notifications fire automatically via async Celery tasks with retry logic. Race conditions handled across multi-questionnaire assessments.
Define priority-ordered rules to auto-assign vendor risk tiers based on data classification, service type, custom intake fields, and more. Manual overrides require a mandatory justification tracked in the audit trail.
Upload BIA documents (PDF, DOCX) and let AI extract Confidentiality, Integrity, and Availability impacts directly into Use Case fields. AI also suggests grammar improvements for impact narrative fields.
Track findings from assessments with severity-based due dates auto-calculated from SLA configuration. Bar raiser approval workflow for critical findings. Issues can be reopened, assigned to teams, and tracked to remediation or cancellation.
Every field change, state transition, comment, tier override, and questionnaire action generates an immutable audit log entry — automatically. No manual logging required, no gaps. Fully ready for compliance audits.
Four fixed roles (Admin, Manager, Assessor, Business User) with 18 granular permissions configurable per role. Ownership-based access control ensures users only see what they're responsible for.
Classify data elements (PII, PHI, Financial, Payment) into fully configurable classification types. Datasets inherit the highest classification of their elements. Auto-sensitivity mapping drives Use Case risk scoring.
Admins define dynamic intake fields (yes/no, text, select, checkboxes, date) per organization. These fields integrate with the questionnaire assignment rules engine — use them as conditions to auto-trigger specific questionnaires.
Each user sees their own risk posture: use cases they own, issues assigned to them, overdue tasks. Ownership role filter lets users pivot between their Requestor, Assessor, Manager, or Watcher roles in a single view.
A configurable AI service layer woven throughout the platform — from intake to remediation. Each capability can be independently enabled and tuned with custom system prompts.
Use Cases, Assessments, Issues, and Questionnaires all follow defined state machines — no ambiguous statuses, no lost work.
Each vendor engagement is managed as a Use Case — the central entity connecting all assessments, issues, tasks, datasets, and audit history. From the moment a business team submits a request to final sign-off, everything is tracked.
Each assessment is the hub connecting questionnaires, documents, communications, and issues for a given vendor relationship. Multiple questionnaires can run concurrently with independent state management.
Issues capture risk findings from assessments. Due dates auto-calculate from the Use Case go-live date plus the severity SLA. The owning team (Business or Third Party) drives which state label is shown.
Questionnaires move between your team and the vendor until fully reviewed. Assessors annotate individual questions with notes, create issues directly from problematic answers, and return incomplete submissions with comments.
Four purpose-built roles with 18 granular permissions. Everyone sees what they need — nothing more.
Full platform control. Configure tiers, rules engines, AI providers, data classifications, severity levels, and all system settings.
Team-level oversight. Review escalated use cases, pending approvals, bar raiser sign-offs, and team performance metrics.
Dedicated review interface. Annotate questionnaire responses, create and track issues, run AI analysis, and manage vendor communication.
Submit Use Case requests, monitor progress on their vendors, view issues assigned to them, and collaborate with risk teams via comments.
Whether you're meeting regulatory mandates or proactively managing supply chain risk, ThirdGuardian adapts to your framework.
Meet OCC, Fed, and FFIEC third-party risk guidance with comprehensive audit trails, data classification tracking, tiered assessment cadences, and evidence management.
Track PHI and HIPAA-sensitive data elements through every vendor relationship. Business Impact Analysis tools surface confidentiality, integrity, and availability risks from the first intake request.
Scale your vendor risk program as your vendor portfolio grows. Automate assessments for cloud services, APIs, and tech partners without adding headcount — rules engines do the routing.
Consolidate third-party risk into a single platform. Assessor workflows, issue tracking, bar raiser approvals, and customizable severity SLAs align with how professional security teams work.
Every configuration option backed by a real use case. No feature bloat — just the controls risk teams actually need.
One source of truth for every vendor relationship — assessments, issues, tasks, documents, and contacts — all linked and fully searchable.
AI-generated questionnaires, automated routing, and vendor self-service mean your assessors spend time reviewing risk — not managing logistics.
Issue due dates auto-calculate from go-live dates and severity levels. Overdue items surface in dashboards automatically before they become problems.
Every field change, tier override, and state transition is logged automatically with who, what, and when. No manual documentation required.
Severity levels, data classifications, vendor tiers, questionnaire templates, and intake fields are all admin-configurable — no developer needed.
A dedicated vendor portal means your partners can complete questionnaires, check status, and respond to requests without email chains or shared drives.
See ThirdGuardian in action. We'll walk you through the platform with your own use cases and answer any questions your team has.
We'll be in touch within 1 business day.