Methodology

How VendorTrace maps vendor infrastructure and produces compliance signals.

What VendorTrace does

VendorTrace is a security operations platform for B2B SaaS teams. It combines a posture scan, answer library, and vendor register to help you answer customer security questionnaires, publish a trust page, and track who handles your customer data.

It is not a vulnerability scanner or penetration testing tool. Nothing is accessed intrusively. Every signal comes from public sources.

How scans work

All analysis is passive and outside-in. No systems are probed or tested. A scan runs the following steps:

  • Domain coverage: Certificate transparency logs (crt.sh) and DNS record resolution are used to build a complete picture of the vendor's domain infrastructure. Third-party services are frequently embedded on subdomains rather than the root domain, so full coverage is necessary for accurate vendor mapping.
  • DNS analysis: A, AAAA, CNAME, MX, NS, and TXT records (including SPF policies published in TXT) are resolved to identify hosting providers, email infrastructure, and delegated services.
  • HTTP inspection: Each live subdomain is crawled once. Response headers (Server, X-Powered-By, Set-Cookie, Content-Security-Policy), redirect chains, and page content are analysed to identify platforms and third-party integrations.
  • JavaScript analysis: Third-party script sources loaded by the page reveal analytics tools, tag managers, customer support platforms, payment processors, and other sub-processors.
  • IP geolocation: Resolved IP addresses are mapped to geographic regions using cloud provider IP ranges, ASN data, and geolocation databases. This produces the serving region signals used in transfer risk assessment.
  • Vendor classification: Identified services are matched against a database of known vendors, including their service category, headquarters, known data processing locations, and compliance certifications.
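The HTTP inspection, JavaScript analysis and vendor classification steps above can be illustrated with a small worked example. The code below is an added example, not VendorTrace's own code: it takes one constructed HTTP response (headers plus HTML), pulls vendor signals from the Server and Set-Cookie headers, the Content-Security-Policy script-src directive, and external script sources, and matches the resulting hostnames against a constructed vendor database by longest suffix. The vendor entries, fingerprints and sample response are all invented for illustration; a real scan would use live responses and a maintained vendor database.

```python
"""Added example: passive vendor signals from one HTTP response.

Not VendorTrace's code. VENDOR_DB, HEADER_FINGERPRINTS and the sample
response are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Constructed vendor database keyed by the hostname suffix the service is served from.
VENDOR_DB = {
    "googletagmanager.com": {"name": "Google Tag Manager", "category": "tag manager", "hq": "US"},
    "google-analytics.com": {"name": "Google Analytics", "category": "analytics", "hq": "US"},
    "intercomcdn.com": {"name": "Intercom", "category": "customer support", "hq": "US"},
    "js.stripe.com": {"name": "Stripe", "category": "payment processor", "hq": "US"},
    "cloudflare.com": {"name": "Cloudflare", "category": "CDN", "hq": "US"},
}

# Constructed header fingerprints: (header name, regex over its value, VENDOR_DB key).
HEADER_FINGERPRINTS = [
    ("server", re.compile(r"cloudflare", re.I), "cloudflare.com"),
    ("set-cookie", re.compile(r"__cf_bm=", re.I), "cloudflare.com"),
]

SCRIPT_SRC = re.compile(r"<script[^>]+src=[\"']([^\"']+)[\"']", re.I)


def lookup_vendor(host):
    """Return (suffix, info) for the longest VENDOR_DB suffix matching host, else None."""
    host = host.lower()
    best = None
    for suffix, info in VENDOR_DB.items():
        if host == suffix or host.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, info)
    return best


def script_hosts(html, page_host):
    """Hostnames of external <script src> elements; first-party and relative sources are skipped."""
    hosts = set()
    for src in SCRIPT_SRC.findall(html):
        if src.startswith("//"):          # protocol-relative URL
            src = "https:" + src
        host = urlparse(src).hostname
        if host and host != page_host:
            hosts.add(host)
    return hosts


def csp_hosts(csp_value):
    """Hostnames named in the script-src directive of a Content-Security-Policy header."""
    hosts = set()
    for directive in csp_value.split(";"):
        parts = directive.strip().split()
        if parts and parts[0] == "script-src":
            for token in parts[1:]:
                if token.startswith("'"):  # keywords such as 'self' or 'unsafe-inline'
                    continue
                host = urlparse(token if "://" in token else "https://" + token).hostname
                if host:
                    hosts.add(host)
    return hosts


def scan_response(page_host, headers, html):
    """Attribute a page's signals to known vendors; returns {vendor name: details}."""
    findings = {}

    def record(key, evidence):
        info = VENDOR_DB[key]
        entry = findings.setdefault(info["name"], {"category": info["category"], "hq": info["hq"], "evidence": []})
        entry["evidence"].append(evidence)

    lowered = {k.lower(): v for k, v in headers.items()}
    for name, pattern, key in HEADER_FINGERPRINTS:
        if name in lowered and pattern.search(lowered[name]):
            record(key, f"header {name}")
    for host in script_hosts(html, page_host):
        match = lookup_vendor(host)
        if match:
            record(match[0], f"script src {host}")
    for host in csp_hosts(lowered.get("content-security-policy", "")):
        match = lookup_vendor(host)
        if match:
            record(match[0], f"csp script-src {host}")
    return findings


# Constructed sample response for a hypothetical page at app.example.com.
SAMPLE_HEADERS = {
    "Server": "cloudflare",
    "Set-Cookie": "__cf_bm=abc123; Path=/; HttpOnly",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://js.stripe.com *.google-analytics.com",
}
SAMPLE_HTML = """<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<script src="//js.intercomcdn.com/shim.latest.js"></script>
<script src="/static/app.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for vendor, details in scan_response("app.example.com", SAMPLE_HEADERS, SAMPLE_HTML).items():
        print(vendor, details["category"], details["evidence"])
```

Each finding carries the evidence that produced it, which mirrors how a passive result should be presented: a CSP entry for a payment processor shows the site is prepared to load it, while a script tag shows it is actually loaded on that page, and the two deserve different weight in a sub-processor register.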

Region and transfer signals

When VendorTrace observes an endpoint serving from a specific geographic region, it records that as a region signal. Signals outside your home jurisdiction are flagged as cross-border transfer indicators and classified as home, caution, or high-risk based on that country's adequacy status under your applicable framework.

Observed serving regions are not proof of data storage or processing location. CDN edge nodes, anycast routing, and load balancing mean traffic can be served from a region that differs from where data is stored. Treat region signals as investigation starting points, not legal conclusions.

Confidence levels

Confidence on subdomains reflects how completely the subdomain was analysed, not whether it belongs to the organisation. All discovered subdomains are under the scanned domain.

  • High: The subdomain responded over HTTP or HTTPS with a resolved IP. Full analysis was performed across headers, scripts, CSP, and TLS.
  • Medium: DNS resolves but no HTTP response was returned. Analysis is limited to DNS and IP signals. The subdomain exists but may be internal-only, behind a firewall, or not serving HTTP.
  • Low: No DNS or HTTP response was detected. The subdomain may be inactive or recently decommissioned.
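The region signals described above and the three confidence levels can be combined into one small classifier. The code below is an added example, not VendorTrace's own code: it assigns High, Medium or Low confidence from whether a subdomain resolved and answered over HTTP, maps a resolved IP to a country and then to home, caution or high-risk relative to a home jurisdiction, and flags any IP that falls inside a CDN or anycast range so the reader knows the serving region may not be the storage region. The adequacy lists, CDN ranges, geolocation table and sample records are all constructed, and the mapping of "adequate" countries to caution and everything else to high-risk is an assumption for this example, not VendorTrace's published rule.

```python
"""Added example: confidence level and region-signal classification.

Not VendorTrace's code. ADEQUACY, CDN_RANGES, GEO and SAMPLE_RECORDS are
constructed; a real implementation would use current regulatory data,
published cloud/CDN IP ranges and a geolocation database.
"""
import ipaddress

# Constructed adequacy view per home jurisdiction (ISO country codes).
# Assumption: adequate countries are "caution", all other foreign countries "high-risk".
ADEQUACY = {
    "EU": {"home": {"DE", "FR", "IE", "NL"}, "adequate": {"GB", "CH", "JP", "CA"}},
}

# Constructed CDN/anycast ranges: serving from these says little about where data is stored.
CDN_RANGES = [
    (ipaddress.ip_network("192.0.2.0/24"), "ExampleCDN"),
]

# Constructed IP -> country table standing in for a geolocation database.
GEO = {
    "192.0.2.10": "US",
    "198.51.100.5": "IE",
    "203.0.113.7": "US",
    "198.51.100.9": "GB",
}


def confidence(record):
    """High: IP and HTTP response; Medium: DNS only; Low: nothing resolved."""
    if record.get("ip") and record.get("http_status"):
        return "High"
    if record.get("ip"):
        return "Medium"
    return "Low"


def cdn_operator(ip):
    """Name of the CDN whose range contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, name in CDN_RANGES:
        if addr in net:
            return name
    return None


def region_signal(ip, home_jurisdiction):
    """Classify the observed serving country relative to the home jurisdiction."""
    country = GEO.get(ip)
    if country is None:
        return {"country": None, "classification": "unknown", "edge_served_by": cdn_operator(ip)}
    rules = ADEQUACY[home_jurisdiction]
    if country in rules["home"]:
        cls = "home"
    elif country in rules["adequate"]:
        cls = "caution"
    else:
        cls = "high-risk"
    # edge_served_by is the caveat: a CDN edge region is an investigation start, not a storage location.
    return {"country": country, "classification": cls, "edge_served_by": cdn_operator(ip)}


def assess(records, home_jurisdiction):
    """Per-subdomain confidence and region signal; region is None when nothing resolved."""
    out = {}
    for rec in records:
        entry = {"confidence": confidence(rec), "region": None}
        if rec.get("ip"):
            entry["region"] = region_signal(rec["ip"], home_jurisdiction)
        out[rec["subdomain"]] = entry
    return out


# Constructed scan records for a hypothetical example.com.
SAMPLE_RECORDS = [
    {"subdomain": "www.example.com", "ip": "192.0.2.10", "http_status": 200},      # CDN edge in US
    {"subdomain": "api.example.com", "ip": "198.51.100.5", "http_status": 200},    # origin in IE
    {"subdomain": "vpn.example.com", "ip": "203.0.113.7", "http_status": None},    # DNS only, US
    {"subdomain": "old.example.com", "ip": None, "http_status": None},             # nothing resolves
    {"subdomain": "status.example.com", "ip": "198.51.100.9", "http_status": 200}, # GB
]

if __name__ == "__main__":
    for name, entry in assess(SAMPLE_RECORDS, "EU").items():
        print(name, entry)
```

In the sample, www.example.com is classified high-risk because its edge answers from the US, but the edge_served_by field shows it sits behind a CDN, so the honest reading is "verify the origin region" rather than "data is stored in the US"; api.example.com, served directly from an Irish address, gives a much stronger home signal.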

How we use AI

AI is used in three specific parts of the product. In each case it supplements structured data and rule-based analysis rather than replacing it.

  • Vendor identification: When a scan detects a service that is not in our vendor database, AI analyses the available signals (domain patterns, HTTP headers, DNS records, script names) to identify the vendor and classify it. Identified vendors are added to the database so subsequent scans benefit immediately. Only identifications with a high confidence score are accepted.
  • Compliance research: For vendors in the database, AI is used to find and verify compliance information: data processing locations, certifications (GDPR, SOC 2, ISO 27001, and others), and regulatory status. Findings are returned with the supporting evidence so they can be verified independently.
  • Report summaries and next steps: After a scan completes, AI generates a short executive briefing that identifies the highest-risk vendors, references applicable regulations, and suggests concrete actions. The summary is written for DPOs and security leads who need a starting point for their assessment rather than a list of raw data to interpret.

AI-generated content is clearly labelled in the product. Compliance decisions should always be reviewed by a qualified DPO or legal team.

Privacy and responsible use

VendorTrace only analyses publicly available information. No private systems are accessed. Scan traffic is comparable to a web browser making a normal page visit. It does not generate unusual request volumes.

Reports are intended to support internal compliance assessments. They should not be used as the sole basis for legal or regulatory decisions. Always consult your DPO and legal team before acting on scan findings.