Framework Coverage
VendorTrace addresses two distinct compliance problems: the regulatory frameworks that govern your own vendor oversight (NIS2, DORA, GDPR Article 30), and the security questionnaire frameworks enterprise buyers send you (CAIQ, ISO 27001, SOC 2). Both are covered below.
NIS2 Directive (2022/2555) — Supply Chain Security
NIS2 Article 21(2)(d) requires essential and important entities to implement security measures for their supply chain, including security-related aspects of relationships with direct suppliers and ICT service providers. Article 21(2)(f) requires policies for ICT products and services acquired from third parties. VendorTrace directly supports the evidence requirements for ongoing vendor oversight.
How VendorTrace helps you answer these questions
- Vendor register documents your ICT supply chain with service category and data handling role
- Outside-in scan verifies what vendors are actually running versus what they claim
- Assess: send structured questionnaires to vendors and record formal responses
- Change detection alerts you when vendor infrastructure changes between review cycles
- Audit-logged review workflow provides evidence of ongoing supply chain oversight
DORA (Regulation 2022/2554) — ICT Third-Party Risk
DORA Article 28 requires financial entities to manage ICT third-party risk through risk assessments and ongoing monitoring of ICT service providers. If you are a fintech, insurtech, payments, or financial services company subject to DORA (effective January 2025), VendorTrace supports the third-party ICT risk monitoring and documentation requirements.
How VendorTrace helps you answer these questions
- Vendor register tracks ICT service providers with their service category and data handling role
- Scheduled scans provide ongoing monitoring evidence for ICT third parties
- Change detection identifies infrastructure changes at ICT service providers
- Assess enables formal questionnaire-based assessments of ICT providers
- Scan history provides an audit trail of third-party monitoring activity over time
CSA CAIQ v4.1
The Cloud Security Alliance Consensus Assessment Initiative Questionnaire is the most common structured security questionnaire in enterprise B2B SaaS procurement. VendorTrace includes the full CAIQ v4.1 with 283 questions across 17 domains.
How VendorTrace helps you answer these questions
- All 283 CAIQ v4.1 questions pre-loaded, no manual setup
- Cloud integrations pre-fill controls from your AWS, GCP, and GitHub environments
- Domain progress bars across all 17 security domains
- Bulk N/A for cloud service customer controls that do not apply to your product
- Each answer saved to your library for reuse in other questionnaires
ISO 27001:2022
ISO 27001 is a certification standard, not a questionnaire. Buyers who hold or require ISO 27001 certification frequently reference Annex A controls in their questionnaires (for example, 'Do you have an information security policy per A.5.1?'). VendorTrace detects these control references automatically.
How VendorTrace helps you answer these questions
- Framework detection identifies ISO 27001-mapped questionnaires on upload
- Control references (A.5.x, A.8.x) are recognised and used to improve auto-fill accuracy
- Answer library entries can be tagged with ISO 27001 control references for direct lookup
- Upload your ISO 27001 certificate to the document vault as supporting evidence
SOC 2
SOC 2 is an audit-based certification covering the Trust Service Criteria: security, availability, processing integrity, confidentiality, and privacy. Buyers ask whether you hold a Type II report and what controls it covers. VendorTrace stores your SOC 2 report and links it as evidence.
How VendorTrace helps you answer these questions
- Upload your SOC 2 Type I or Type II report to the document vault
- Link the report as evidence on individual questionnaire answers
- Answer library stores your standard SOC 2 scope and coverage answers
- Buyers who ask about your audit coverage see a verified, consistent answer every time
GDPR and data protection questions
Enterprise buyers subject to GDPR ask vendors about sub-processors, data locations, retention periods, and data processing agreements. These questions appear in almost every enterprise security questionnaire. VendorTrace gives you a live, accurate answer for each.
How VendorTrace helps you answer these questions
- Vendor register classifies every vendor by data handling role
- Trust page publishes your current sub-processor list as a public URL
- Posture scan identifies hosting region and cloud provider for your domain
- Answer library stores verified answers to standard GDPR data protection questions
- Point buyers to your trust page instead of writing the same answer every time
Cloud security questions
Most enterprise questionnaires include questions about MFA enforcement, encryption at rest and in transit, IAM configuration, and data residency. These questions are hard to answer accurately without pulling data directly from your cloud accounts. VendorTrace reads this data automatically.
How VendorTrace helps you answer these questions
- AWS integration reads IAM MFA status, S3 encryption, and EC2 region configuration
- GCP integration reads IAM, storage encryption, and project configuration
- GitHub integration reads branch protection, 2FA enforcement, and secret scanning status
- All cloud-read answers are clearly labelled as Auto:AWS or Auto:GCP so reviewers see the source
- Cloud answers update on each integration sync, so your evidence stays current
What VendorTrace does not do
VendorTrace helps you answer questionnaires about your own security posture and maintain evidence for your vendor oversight obligations. It does not help you achieve ISO 27001 certification, conduct a SOC 2 audit, or constitute a complete NIS2 or DORA compliance program. Those processes require qualified auditors, legal counsel, and formal assessment bodies. VendorTrace gives you the evidence and the records. The compliance decisions are yours.