
Vendor Risk Management

Matproof’s vendor risk module manages the full lifecycle of third-party relationships — from onboarding and risk assessment through ongoing monitoring and contract review. It produces evidence for GDPR Article 28, DORA Article 28-30, ISO 27001 A.5.19–A.5.23, and SOC 2 CC9.2 simultaneously.

What it covers

| Capability | What it does |
|---|---|
| Vendor register | Central inventory of all third-party relationships with criticality classification |
| Article 28 register (GDPR) | Required register of every processor that handles personal data on your behalf |
| DORA TPRM | ICT third-party risk register with criticality, exit strategies, concentration risk, contractual checklist per Article 30 |
| Risk questionnaires | Send security/data assessments to vendors via Questionnaire AI |
| Sanctions screening | Automated screening against EU, UN, OFAC, UK lists |
| Findings | Vendor-related gaps surface in the unified Findings view |
| Ongoing review cycles | Scheduled re-reviews based on criticality |

Adding vendors

Manual entry

  1. Go to Vendor Risk → Vendors → Add vendor
  2. Enter name, primary contact email, country of registration, contract value
  3. Classify by category (ICT, professional services, goods, marketing, financial)
  4. Save — Matproof creates the vendor record and starts a sanctions screen

Bulk import via CSV

Go to Vendor Risk → Vendors → Import and upload a CSV with the columns Matproof expects:
    name,category,contact_email,country,contract_value,ict_service,processes_personal_data
    Stripe,Payments,vendor@stripe.com,IE,120000,no,yes
    Atlassian,SaaS,vendor@atlassian.com,AU,30000,yes,yes
    Acme Print Shop,Goods,vendor@acmeprint.de,DE,8000,no,no
Matproof imports each row, runs sanctions screening, and prompts you to classify criticality afterwards.
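A pre-import check for the CSV layout shown above, as an added example (not Matproof's own importer): it parses the file, rejects rows with missing or unrecognised values instead of silently fixing them, and derives the two downstream obligations the page ties to the yes/no columns (a GDPR Article 28 DPA when personal data is processed, the DORA Article 30 contractual checklist when the vendor delivers an ICT service). The sample rows are constructed; the last one is deliberately malformed. It assumes `country` is an ISO 3166-1 alpha-2 code, as in the page's sample.

```python
import csv
import io

# Columns the page says Matproof expects in a vendor import.
REQUIRED_COLUMNS = [
    "name", "category", "contact_email", "country",
    "contract_value", "ict_service", "processes_personal_data",
]
YES = {"yes", "y", "true", "1"}
NO = {"no", "n", "false", "0"}

# Constructed sample in the page's column layout. The last row is deliberately
# malformed so the validator has something to reject.
SAMPLE_CSV = """\
name,category,contact_email,country,contract_value,ict_service,processes_personal_data
Stripe,Payments,vendor@stripe.com,IE,120000,no,yes
Atlassian,SaaS,vendor@atlassian.com,AU,30000,yes,yes
Acme Print Shop,Goods,vendor@acmeprint.de,DE,8000,no,no
Broken Vendor,SaaS,not-an-email,Germany,lots,maybe,yes
"""


def parse_bool(value):
    """Normalise a yes/no column; None means the value was not recognised."""
    v = value.strip().lower()
    if v in YES:
        return True
    if v in NO:
        return False
    return None


def validate_row(row, line_no):
    """Validate one CSV row; return (vendor_dict, list_of_error_strings)."""
    errors = []

    def field(col):
        return (row.get(col) or "").strip()

    name = field("name")
    if not name:
        errors.append(f"line {line_no}: name is empty")

    email = field("contact_email")
    # Deliberately minimal: an address must have something on both sides of '@'.
    local, sep, domain = email.partition("@")
    if not (sep and local and domain):
        errors.append(f"line {line_no}: contact_email '{email}' is not an address")

    # Assumption: country is an ISO 3166-1 alpha-2 code, as in the page's sample rows.
    country = field("country").upper()
    if len(country) != 2 or not country.isalpha():
        errors.append(f"line {line_no}: country '{field('country')}' is not a 2-letter code")

    try:
        contract_value = float(field("contract_value"))
        if contract_value < 0:
            raise ValueError
    except ValueError:
        errors.append(f"line {line_no}: contract_value '{field('contract_value')}' is not a non-negative number")
        contract_value = None

    ict = parse_bool(field("ict_service"))
    if ict is None:
        errors.append(f"line {line_no}: ict_service must be yes or no")
    pii = parse_bool(field("processes_personal_data"))
    if pii is None:
        errors.append(f"line {line_no}: processes_personal_data must be yes or no")

    vendor = {
        "name": name,
        "category": field("category"),
        "contact_email": email,
        "country": country,
        "contract_value": contract_value,
        "ict_service": ict,
        "processes_personal_data": pii,
        # Obligations the page ties to these flags: a GDPR Article 28 DPA when
        # personal data is processed, the DORA Article 30 contractual checklist
        # when the vendor delivers an ICT service.
        "dpa_required": pii is True,
        "dora_art30_checklist": ict is True,
    }
    return vendor, errors


def import_vendors(csv_text):
    """Parse an import file; rows with any error are rejected, not silently fixed."""
    reader = csv.DictReader(io.StringIO(csv_text))
    present = reader.fieldnames or []
    missing = [c for c in REQUIRED_COLUMNS if c not in present]
    if missing:
        return [], ["missing columns: " + ", ".join(missing)]
    vendors, errors = [], []
    # The header is line 1, so the first data row is line 2.
    for line_no, row in enumerate(reader, start=2):
        vendor, row_errors = validate_row(row, line_no)
        if row_errors:
            errors.extend(row_errors)
        else:
            vendors.append(vendor)
    return vendors, errors


if __name__ == "__main__":
    ok, bad = import_vendors(SAMPLE_CSV)
    for v in ok:
        print(v["name"], "DPA:", v["dpa_required"], "Art.30:", v["dora_art30_checklist"])
    for e in bad:
        print("rejected:", e)
```

Running the check before upload means a vendor that will need a DPA or an Article 30 review is known at import time, and a malformed row is caught before it creates a record and triggers a sanctions screen.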

Sync from procurement (optional)

If you run procurement in Coupa, SAP Ariba, or a similar system, Matproof can pull the vendor list via integration. Contact support to enable.

Classifying vendors

Each vendor needs three classifications. Set them when you add the vendor or in bulk afterwards.
| Field | Options | Why |
|---|---|---|
| Criticality | Critical / Important / Standard | Required for DORA; drives review frequency |
| Processes personal data | Yes / No | Triggers Article 28 DPA requirement |
| ICT service | Yes / No | Triggers DORA Article 30 contractual review |
Matproof’s classification helper asks a few questions about the vendor and recommends a criticality level. You confirm or override.

GDPR Article 28 register

The Article 28 register tracks every processor that handles personal data on your behalf; GDPR requires every controller to keep one. For each entry Matproof tracks:
  • Vendor name and primary contact
  • Categories of personal data processed (employee data, customer data, special categories, etc.)
  • Purpose of processing
  • Data transfer mechanism (SCCs / adequacy decision / DPF / not applicable)
  • DPA status — signed / pending / not required (with the actual DPA file attached)
  • Sub-processor list provided by the vendor
  • Last review date
Export as PDF or Excel for your DPO or your supervisory authority.

DORA ICT Third-Party Risk

For ICT vendors, Matproof tracks the additional information DORA Article 28–30 requires:
  • Criticality classification per the EBA guidelines
  • Contractual requirements checklist per Article 30 (mandatory clauses: data location, audit rights, exit strategy, sub-contracting limits, etc.)
  • Exit strategy — documented plan for migrating off the vendor
  • Concentration risk — alerts when too many critical functions depend on one provider, one region, or one parent group
  • Sub-processor tracking — vendor’s own sub-processor list, refreshed at each review cycle
  • Register of information — the Article 28 ROI export format that DORA-supervised entities submit to their NCA
The DORA ROI export produces the structured XLSX format the European Supervisory Authorities (ESAs) accept.
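The concentration-risk check described above, as an added example that is not Matproof's own logic: it groups critical functions by provider, by region and by parent group and raises an alert for any group that supports at least `threshold` functions. The dependency records and the threshold of 3 are constructed assumptions; the page does not state the threshold Matproof uses.

```python
from collections import defaultdict

# Assumption: alert when this many (or more) critical functions share one
# provider, region or parent group. The page does not give Matproof's threshold.
CONCENTRATION_THRESHOLD = 3

# Constructed sample: critical functions and the ICT provider behind each.
DEPENDENCIES = [
    {"function": "Payments", "provider": "CloudCo EU",
     "region": "eu-west", "parent_group": "CloudCo"},
    {"function": "Core banking ledger", "provider": "CloudCo EU",
     "region": "eu-west", "parent_group": "CloudCo"},
    {"function": "Customer identity", "provider": "CloudCo US",
     "region": "us-east", "parent_group": "CloudCo"},
    {"function": "Fraud scoring", "provider": "ScoreAI",
     "region": "eu-west", "parent_group": "ScoreAI"},
]

# The three dimensions the page names, checked in this order.
DIMENSIONS = ("provider", "region", "parent_group")


def concentration_alerts(deps, threshold=CONCENTRATION_THRESHOLD):
    """Return one alert per (dimension, key) that carries >= threshold critical functions."""
    alerts = []
    for dimension in DIMENSIONS:
        groups = defaultdict(list)
        for dep in deps:
            groups[dep[dimension]].append(dep["function"])
        for key, functions in sorted(groups.items()):
            if len(functions) >= threshold:
                alerts.append({
                    "dimension": dimension,
                    "key": key,
                    "functions": sorted(functions),
                })
    return alerts


if __name__ == "__main__":
    for a in concentration_alerts(DEPENDENCIES):
        print(f"{a['dimension']}={a['key']}: {len(a['functions'])} critical functions "
              f"({', '.join(a['functions'])})")
```

In the sample, no single provider crosses the threshold, but the region and the parent group both do: two legally separate providers under one parent, and an unrelated vendor in the same region, add up to a dependency that a per-vendor view would miss.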

Vendor questionnaires

Send security and risk questionnaires to your vendors via the Questionnaire AI module. Matproof ships templates aligned to common standards:
  • DORA ICT third-party assessment — covers Article 30 mandatory clauses
  • ISO 27001 vendor security questionnaire — Annex A.5.19–A.5.23 alignment
  • GDPR Article 28 data processor assessment — DPA-readiness check
  • SIG Lite — Shared Assessments standard
  • CAIQ — Cloud Security Alliance standard
Vendors respond via a secure link — no Matproof account required. Responses are scored automatically and attached to the vendor’s record.

Sanctions screening

Matproof screens every vendor on import and monthly afterwards against:
  • EU Consolidated Sanctions List
  • UN Security Council Sanctions
  • OFAC Specially Designated Nationals (SDN)
  • UK Financial Sanctions
Hits raise a finding tagged “sanctions match — review required” and pause any further automation against that vendor until a compliance lead reviews and dispositions the match.

Review cycles

Each vendor has a review frequency tied to its criticality:
| Criticality | Default review cadence |
|---|---|
| Critical (DORA) | Annually + on contract material change |
| Important | Annually |
| Standard | Every 2 years |
Matproof emails the vendor’s owner 30 days before a review is due. The review workflow re-runs the questionnaire, refreshes sanctions screening, and re-confirms criticality.
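The review schedule from the table above, as an added example rather than Matproof's scheduler: it computes each vendor's next due date from its criticality, pulls a Critical vendor's review forward to a material contract change recorded after the last review, and lists the vendors inside the 30-day reminder window or already overdue. The vendor records are constructed; the `contract_changed_on` field is an assumed name for the contract-change event.

```python
from datetime import date, timedelta

# Default cadence from the page's table, in months. "Critical" is also
# re-reviewed on a material contract change, handled in next_review_due().
REVIEW_INTERVAL_MONTHS = {"critical": 12, "important": 12, "standard": 24}
REMINDER_DAYS = 30  # the page: the owner is emailed 30 days before the review is due

# Constructed sample records; dates are ISO strings as an export would carry them.
# "contract_changed_on" is an assumed field name for a material contract change.
VENDORS = [
    {"name": "Stripe", "criticality": "Critical", "last_review": "2024-03-01"},
    {"name": "Atlassian", "criticality": "Critical", "last_review": "2024-09-01",
     "contract_changed_on": "2024-12-15"},
    {"name": "Acme Print Shop", "criticality": "Standard", "last_review": "2023-06-30"},
    {"name": "Consultancy", "criticality": "Important", "last_review": "2024-11-01"},
]


def add_months(d, months):
    """Add calendar months, clamping the day to the target month's last day."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    first_of_next = date(year + (month == 12), month % 12 + 1, 1)
    last_day = (first_of_next - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


def next_review_due(vendor):
    """Due date from criticality; a Critical vendor is also pulled forward to a
    material contract change recorded after its last review."""
    crit = vendor["criticality"].lower()
    last = date.fromisoformat(vendor["last_review"])
    due = add_months(last, REVIEW_INTERVAL_MONTHS[crit])
    changed = vendor.get("contract_changed_on")
    if crit == "critical" and changed:
        changed = date.fromisoformat(changed)
        if changed > last:
            due = min(due, changed)
    return due


def reviews_to_notify(vendors, today):
    """Vendors inside the reminder window or already overdue, as (name, due ISO date, status)."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    out = []
    for v in vendors:
        due = next_review_due(v)
        days_left = (due - today).days
        if days_left <= REMINDER_DAYS:
            status = "overdue" if days_left < 0 else "due soon"
            out.append((v["name"], due.isoformat(), status))
    return out


if __name__ == "__main__":
    for name, due, status in reviews_to_notify(VENDORS, "2025-02-10"):
        print(f"{name}: review due {due} ({status})")
```

The contract-change rule is what distinguishes Critical from Important here: both are annual, but a Critical vendor whose contract materially changed becomes due immediately, which is why the sample's Atlassian record shows as overdue despite a review only five months earlier.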
