Frequently Asked Questions
Answers to the questions security teams and CTOs ask before using VendorTrace.
Is it legal to analyse a vendor's domain without their permission?
Yes. VendorTrace analyses only publicly available information: the same information visible to any web browser making standard HTTP requests. DNS records, TLS certificate logs, and HTTP response headers are all published publicly by design. This is the same category of information used by search engines, certificate transparency monitors, and security researchers. No authentication is bypassed, no private systems are accessed, and no legal boundary is crossed. If you have specific concerns about your jurisdiction, consult your legal counsel. Passive, public-data analysis of this kind is widely accepted.
How does questionnaire answering work?
Create a new questionnaire response under Incoming, then paste or upload the incoming questions. On the Pro plan, VendorTrace runs auto-detect: it scans your evidence library, posture scan results, and cloud integration data, then maps each question to the best available answer. Questions without a direct match are drafted by AI using your existing evidence as context. Review every answer before approving. Once approved, export as DOCX to send back to the customer. Approved answers are saved to your library so future questionnaires pre-fill faster.
What is the evidence library?
The evidence library stores verified answers to common security questions. Sources include your posture scan (TLS grade, security headers, email authentication, hosting region), cloud integrations (AWS IAM configuration, MFA status, S3 encryption, GitHub branch protection), and anything you write manually. Each answer can link to a document in your vault as supporting evidence. On the Free plan, you can add up to 25 manual entries. On Pro and above, the library is unlimited and integrations populate it automatically.
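The two answers above describe the kinds of publicly observable signals a posture scan evaluates: HTTP response headers, DNS records, and email authentication. The script below is an added illustration of how such a passive, outside-in check of your own domain can be scored; it is not VendorTrace's code and does not reflect its grading rules. It works on constructed sample inputs so it runs offline; fetching the real headers (a normal HTTP GET) and TXT records (a DNS lookup) for your domain is assumed to happen before the checks run. The domain and record values are made up.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # HSTS max-age many guidance documents treat as the baseline

# Response headers a browser would receive; HTTP header names are case-insensitive.
EXPECTED_HEADERS = {
    "strict-transport-security": "HSTS: browser keeps using HTTPS on return visits",
    "content-security-policy": "CSP: restricts where scripts and resources may load from",
    "x-content-type-options": "prevents MIME type sniffing",
    "x-frame-options": "clickjacking protection (CSP frame-ancestors is an accepted substitute)",
}


@dataclass
class PostureReport:
    domain: str
    hsts_max_age: Optional[int]
    spf: Optional[str]
    dmarc_policy: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_hsts_max_age(value: str) -> Optional[int]:
    """Return the max-age directive of an HSTS header value, or None if absent."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return None


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=...' into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = val.strip()
    return tags


def assess(domain: str, headers: Dict[str, str], txt_records: Dict[str, List[str]]) -> PostureReport:
    """Score public signals. txt_records maps a DNS name to its TXT strings."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []

    for name, purpose in EXPECTED_HEADERS.items():
        if name in lower:
            continue
        if name == "x-frame-options" and "frame-ancestors" in lower.get("content-security-policy", ""):
            continue
        findings.append(f"missing header {name} ({purpose})")

    hsts = lower.get("strict-transport-security")
    max_age = parse_hsts_max_age(hsts) if hsts else None
    if max_age is not None and max_age < ONE_YEAR:
        findings.append(f"HSTS max-age {max_age} is below one year")

    spf = next((r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")), None)
    if spf is None:
        findings.append("no SPF record")
    elif spf.strip().lower().endswith(("+all", "?all")):
        findings.append("SPF ends with a permissive 'all' mechanism")

    dmarc_raw = next((r for r in txt_records.get(f"_dmarc.{domain}", [])
                      if r.lower().startswith("v=dmarc1")), None)
    policy = parse_dmarc(dmarc_raw).get("p") if dmarc_raw else None
    if policy is None:
        findings.append("no DMARC record")
    elif policy.lower() == "none":
        findings.append("DMARC policy is p=none (monitoring only, no enforcement)")

    return PostureReport(domain, max_age, spf, policy, findings)


# Constructed sample input (hypothetical domain, not a real observation).
SAMPLE_DOMAIN = "vendor-example.test"
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
}
SAMPLE_TXT = {
    "vendor-example.test": ["v=spf1 include:_spf.mail-provider.test ~all"],
    "_dmarc.vendor-example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@vendor-example.test"],
}

if __name__ == "__main__":
    report = assess(SAMPLE_DOMAIN, SAMPLE_HEADERS, SAMPLE_TXT)
    for finding in report.findings:
        print(f"[{report.domain}] {finding}")
```

Each finding maps to one evidence-library style answer (for example "Does your site enforce HSTS?"), which is what makes a scan result reusable across questionnaires: the answer is derived from the observed signal rather than typed from memory.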
What is a trust page?
A trust page is a public page showing your security posture: subprocessors, data locations, certifications, and answers to common security questions. Share the URL with prospects before they send a questionnaire. It reduces inbound questionnaire volume for questions already answered publicly. Trust pages are available on all plans including Free. Trust page embed (for your own website) requires Pro. Custom domains (trust.yourcompany.com) require the Team plan.
Does VendorTrace support CAIQ?
Yes. The CSA CAIQ v4.1 questionnaire (283 questions across 17 domains) is built into the platform. On the Free plan, you can answer all 283 questions manually. On Pro, cloud integrations pre-fill the relevant controls from your AWS, GCP, and GitHub environments automatically. The CAIQ domain sidebar shows completion progress across all 17 domains. You can bulk-answer cloud service customer controls as N/A where they do not apply to your product.
What is MCP access?
MCP (Model Context Protocol) lets you query VendorTrace from AI tools like Claude or Cursor. With MCP access you can ask your AI assistant to look up vendor compliance status, list subprocessors, check posture scan results, or pull questionnaire answers, all without opening the browser. MCP access is available on the Pro plan and above. See the MCP documentation for setup instructions.
Will the vendor know we analysed their domain?
No. VendorTrace uses passive techniques that are indistinguishable from normal web browsing traffic. The vendor receives no notification, no alert, and no unusual signal. Assessments do not appear in vendor security monitoring as an anomaly. This is by design. Outside-in analysis works because it relies on publicly observable signals, not vendor-provided data.
What compliance frameworks does VendorTrace help me answer questions about?
VendorTrace covers two types of compliance need. For answering questionnaires your customers send: CAIQ v4.1 (built in with 283 questions), ISO 27001 Annex A control references, SOC 2 (store your Type II report in the document vault), and GDPR data protection questions (sub-processors, data locations, retention). For your own vendor oversight obligations: NIS2 Article 21(2)(d) supply chain security, DORA Article 28 ICT third-party risk (for financial entities), and GDPR Article 30 records of processing. The vendor register, change detection, and Assess features directly support these regulatory requirements.
What happens to our scan data? Who can see what we scanned?
Scans you run are associated with your account and not visible to other users. VendorTrace is operated by LINA Solutions AB, based in Sweden. Core infrastructure runs on AWS in Stockholm (eu-north-1). A small number of third-party processors for billing, transactional email, and AI research are US-based and operate under standard contractual clauses. We do not sell or share scan data and do not use it for advertising. Scan and posture history retention varies by plan; see the pricing page for the retention periods, and our Privacy Policy and sub-processor list for full details.
Can multiple people in our team access the same account?
Yes, on the Team and Enterprise plans. The Team plan is €199/month and includes unlimited team members. Enterprise supports larger organisations with custom scan volumes and optional SSO. You can invite colleagues by email and assign each person an Owner, Admin, or Member role. Owners and Admins have full read and write access. Members can view the vendor register, scan results, and compliance views but cannot make changes. Everyone on the team works from the same vendor portfolio and scan history.
Is there an API? Can we integrate this into our GRC tooling?
MCP (Model Context Protocol) access is available on the Pro plan and above, letting you query VendorTrace from AI tools like Claude or Cursor. REST API access for GRC integration is available on the Enterprise plan. Contact us at info@vendortrace.io to discuss integration with your GRC platform or vendor risk management workflow.
We track a large number of vendors. What plan do we need?
The Free plan supports up to 10 vendors. The Pro plan supports unlimited vendors with scheduled posture scans and change alerts. The Team plan adds multi-admin access, a custom trust domain, and audit logs. For organisations with very large vendor registers or compliance-specific requirements, the Enterprise plan provides custom scan volumes, dedicated onboarding, and a dedicated SLA. Contact us to discuss.
Still have questions?
We are happy to answer specific questions about your use case, regulatory context, or enterprise requirements.
Get in touch
Want the technical detail? Read the full methodology.