Third-Party Risk Management
Assess and monitor vendor risks, due diligence, and contractual AI governance controls
Total Vendors: 6
Critical / High Risk: 2
Due Diligence Overdue: 0
| Vendor Name | Service | System | Risk Score | Risk Tier | Due Diligence | Contract Controls | Last Assessed | Next Assessment |
|---|---|---|---|---|---|---|---|---|
| AWS | Cloud Infrastructure | | 45 | Medium | Completed | Enterprise agreement with Swiss data residency, BAA for health data, GDPR DPA, encryption at rest and in transit, dedicated VPC, annual penetration testing | Dec 1, 2025 | Jun 1, 2026 |
| Anthropic | LLM Provider - Claude 3.5 | SYS-003 | 60 | High | Completed | Data processing agreement, Constitutional AI safety guarantees, no data retention for training, SOC 2 Type II certification, quarterly performance reviews | Dec 15, 2025 | Jun 15, 2026 |
| CrowdStrike | Threat Intelligence Feed | SYS-001 | 35 | Low | Completed | Threat data sharing agreement, feed quality SLAs (99.5% uptime, <1h latency), no PII in threat feeds, API rate limits documented | Jan 5, 2026 | Jul 5, 2026 |
| Datadog | AI System Monitoring | | 30 | Low | Completed | Standard SaaS agreement, SOC 2 Type II certified, data residency in EU (Frankfurt), custom retention policies, API access for audit logs | Nov 20, 2025 | Nov 20, 2026 |
| Mistral AI | LLM Provider - Mistral Large | SYS-008 | 55 | Medium | In Progress | Draft DPA under review, EU-based data processing confirmed, model card provided, transparency report pending | Feb 1, 2026 | Aug 1, 2026 |
| OpenAI | LLM Provider - GPT-4 Turbo | SYS-001 | 75 | Critical | Completed | Data processing agreement, model usage restrictions, no training on customer data, incident notification within 24h, annual security assessment right | Jan 10, 2026 | Jul 10, 2026 |