Methodology
How Vendor Trace performs outside-in analysis.
What is Vendor Trace?
Vendor Trace is a compliance intelligence tool that helps Data Protection Officers and security teams understand a vendor's publicly observable digital footprint. It is not a vulnerability scanner or penetration testing tool.
By analyzing publicly available DNS records, TLS certificates, HTTP headers, and JavaScript resources, Vendor Trace discovers subdomains, identifies third-party vendors (potential subprocessors), and detects geographic signals relevant to cross-border data transfer assessments.
Methodology
All analysis is performed using passive, outside-in techniques. No systems are accessed, probed, or tested intrusively.
- DNS analysis: Enumeration of A, AAAA, CNAME, MX, NS, and TXT records (including SPF) to identify infrastructure providers and services.
- Certificate transparency: Inspection of TLS certificate Subject Alternative Names (SANs) to discover related domains and subdomains.
- HTTP inspection: Response headers (Server, X-Powered-By, etc.) and redirect chains to identify platforms.
- JavaScript analysis: Detection of third-party scripts that indicate vendor relationships.
- IP geolocation: Mapping of resolved IP addresses to geographic regions and cloud provider ranges.
Region & Transfer Signals
When Vendor Trace observes an endpoint serving traffic from a specific geographic region, this is recorded as a "region signal." Signals from outside your selected home jurisdiction are flagged as "cross-border transfer indicators."
Important: Observed serving regions are not proof of data storage or processing location. CDN edge nodes, anycast routing, and load balancing mean traffic may be served from locations different from where data is stored. These signals are starting points for compliance investigation, not conclusions.
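The following is an added illustration of how a region signal and the cross-border flag described above can be derived, not code from Vendor Trace itself. It maps resolved addresses against a range table and marks anything outside the selected home jurisdiction as an indicator while carrying the CDN/anycast caveat with the signal. The range table uses RFC 5737 documentation prefixes and invented region labels as stand-ins for provider-published ranges; the hostnames and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed range table. RFC 5737 documentation prefixes stand in for the
# published address ranges of cloud providers and CDNs; the region labels and
# the anycast flag are illustrative. A real deployment would load provider
# range feeds instead.
RANGE_TABLE = [
    # (network, region label, provider kind, anycast/CDN edge?)
    (ipaddress.ip_network("192.0.2.0/24"),    "eu-west",      "cloud", False),
    (ipaddress.ip_network("198.51.100.0/24"), "us-east",      "cloud", False),
    (ipaddress.ip_network("203.0.113.0/24"),  "ap-southeast", "cdn",   True),
]


@dataclass
class RegionSignal:
    hostname: str
    ip: str
    region: str
    provider_kind: str
    cross_border: bool
    note: str


def lookup_range(ip_str):
    """Longest-prefix match of an address against the range table."""
    ip = ipaddress.ip_address(ip_str)
    best = None
    for net, region, kind, anycast in RANGE_TABLE:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, region, kind, anycast)
    return best


def region_signals(resolutions, home_region):
    """Turn (hostname, ip) resolutions into region signals relative to the home jurisdiction."""
    signals = []
    for host, ip in resolutions:
        hit = lookup_range(ip)
        if hit is None:
            signals.append(RegionSignal(host, ip, "unknown", "unknown", False,
                                        "address not in range table; geolocate manually"))
            continue
        _, region, kind, anycast = hit
        cross = region != home_region
        if anycast:
            # Serving region of an anycast edge says nothing about where data rests.
            note = "CDN/anycast edge: serving region is not evidence of storage location"
        elif cross:
            note = "served outside home jurisdiction; verify hosting region with the vendor"
        else:
            note = "served within home jurisdiction"
        signals.append(RegionSignal(host, ip, region, kind, cross, note))
    return signals


def cross_border_indicators(signals):
    """Signals flagged as cross-border, with non-CDN (stronger) signals listed first."""
    flagged = [s for s in signals if s.cross_border]
    return sorted(flagged, key=lambda s: s.provider_kind == "cdn")


# Constructed resolutions for a hypothetical vendor domain.
SAMPLE_RESOLUTIONS = [
    ("www.vendor.test",    "192.0.2.10"),
    ("api.vendor.test",    "198.51.100.7"),
    ("static.vendor.test", "203.0.113.3"),
    ("legacy.vendor.test", "100.64.0.5"),
]

if __name__ == "__main__":
    for s in region_signals(SAMPLE_RESOLUTIONS, home_region="eu-west"):
        flag = "CROSS-BORDER" if s.cross_border else "ok"
        print(f"{s.hostname:22} {s.ip:15} {s.region:13} {flag:12} {s.note}")
```

The anycast note is attached to the signal rather than used to suppress it: the indicator still surfaces for review, but the reviewer sees immediately why it is weaker than a signal from a regional cloud address.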
Confidence Levels
Each finding is assigned a confidence level based on the strength and quantity of supporting evidence:
- High: Multiple corroborating sources (e.g. DNS CNAME + HTTP header + TLS cert).
- Medium: At least one reliable source with some ambiguity.
- Low: Circumstantial evidence only; manual verification recommended.
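As an added example (not Vendor Trace's own code), the block below shows how the evidence sources listed under Methodology can be aggregated per vendor and mapped to the three confidence levels. The vendor signature table, hostnames, header values and certificate issuer strings are all invented placeholders. One assumption is made explicit in the code: CNAME, MX and certificate evidence is treated as reliable, while headers and script tags alone count as circumstantial, since they are trivial to customise.

```python
from collections import defaultdict

# Constructed vendor signature table. Vendor names, hostname suffixes, header
# markers and certificate issuer strings are placeholders, not real providers.
VENDOR_SIGNATURES = {
    "ExampleCDN": {
        "dns_cname": ["examplecdn.test"],
        "http_header": ["examplecdn-edge"],
        "tls_cert": ["ExampleCDN Issuing CA"],
    },
    "ExampleAnalytics": {
        "js_script": ["tag.exampleanalytics.test"],
    },
    "ExampleMail": {
        "dns_mx": ["mx.examplemail.test"],
    },
}

# Assumption: DNS delegation records and certificates are hard to fake from the
# outside and count as reliable; headers and script tags alone are circumstantial.
RELIABLE_SOURCES = {"dns_cname", "dns_mx", "tls_cert"}


def match_vendors(observation):
    """Return the vendors whose signature for this source type matches the observation."""
    source = observation["source"]
    value = observation["value"].lower()
    matched = set()
    for vendor, sigs in VENDOR_SIGNATURES.items():
        for marker in sigs.get(source, []):
            if marker.lower() in value:
                matched.add(vendor)
    return matched


def confidence(sources):
    """Map the set of distinct source types behind a finding to a confidence level."""
    if len(sources) >= 2:
        return "High"      # multiple corroborating sources
    if sources & RELIABLE_SOURCES:
        return "Medium"    # one reliable source
    return "Low"           # circumstantial only; verify manually


def identify_vendors(observations):
    """Aggregate evidence per vendor and assign a confidence level to each finding."""
    evidence = defaultdict(set)
    for obs in observations:
        for vendor in match_vendors(obs):
            evidence[vendor].add(obs["source"])
    return {
        vendor: {"sources": sorted(sources), "confidence": confidence(sources)}
        for vendor, sources in evidence.items()
    }


# Constructed observations standing in for one passive collection pass.
SAMPLE_OBSERVATIONS = [
    {"host": "www.vendor.test", "source": "dns_cname",   "value": "www.vendor.test.cdn.examplecdn.test."},
    {"host": "www.vendor.test", "source": "http_header", "value": "Server: ExampleCDN-Edge/2.1"},
    {"host": "www.vendor.test", "source": "tls_cert",    "value": "issuer=CN=ExampleCDN Issuing CA"},
    {"host": "www.vendor.test", "source": "js_script",   "value": "https://tag.exampleanalytics.test/t.js"},
    {"host": "vendor.test",     "source": "dns_mx",      "value": "10 mx.examplemail.test."},
    {"host": "vendor.test",     "source": "http_header", "value": "X-Powered-By: PHP/8.2"},  # no signature
]

if __name__ == "__main__":
    for vendor, result in identify_vendors(SAMPLE_OBSERVATIONS).items():
        print(f"{vendor}: {result['confidence']} ({', '.join(result['sources'])})")
```

Confidence is driven by the number of distinct source types rather than the number of observations, so ten script tags from the same vendor still count as one circumstantial source until a CNAME or certificate corroborates them.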
Privacy & Responsible Use
Vendor Trace only analyzes publicly available information. No private systems are accessed. Scans do not generate unusual traffic volumes and are comparable to what a web browser performs during normal browsing.
Reports are intended to support internal compliance assessments. They should not be used as the sole basis for legal or regulatory decisions. Always consult with your DPO and legal team.