Move supplier assurance off spreadsheets.
Scope your supplier portfolio. Assess what matters with structured questionnaires. Collect evidence with provenance. Hand the regulator a signed decision trace. Built in central Europe by a cybersecurity practitioner — for the mid-market that enterprise GRC suites priced out and ignored.
Microsoft Azure, EU regions only.
Full list, updated on every change. DPA template available before the deal.
Hash-anchored, signed, decision-traced. Stands up six months later, unchanged.
Three angles into the same product.
The platform is the same regardless of who's using it. The framing changes depending on what you're trying to defend — to whom, and how fast. Pick the angle that matches; the rest of the product story flows below.
Audit defensibility, not framework gymnastics.
Decision-trace and signed evidence stand up six months later, unchanged. Article-anchored gap reports map directly to the NIS2 control set your auditor will reference.
- Article 21(2)(d) gap reports anchored to the directive, not interpreted away from it
- Reviewer attribution + timestamp on every approval, immutable post-fact
- Hash-anchored evidence model — same artefact, same answer, six months later
A supplier graph you can query in minutes.
When a supplier discloses an incident, you need to know which of your services depend on them, which sub-processors are downstream, and what evidence you currently hold — fast.
- Tier 1 + sub-processor lineage in a single graph, queryable by impact path
- Reviewer-flagged certificate expiries, with re-review prompts on the calendar
- NIS2 Article 21(2)(d) control mapping by design
Article 20 governance support, not jargon.
NIS2 makes management bodies personally accountable for cybersecurity oversight. The platform produces the board-ready evidence that lets you discharge that accountability.
- Structured monthly summary — supplier posture, open exposures, decisions taken
- Named accountability — your name appears on the documents the board signs
- Audit-readiness sign-off you can hand to the auditor without rebuilding
Your supplier list ends at one name. The risk doesn’t.
Most supplier-management tools audit who you’re paying. Supply Chain Assurance maps the chain behind them — Tier 1, Tier 2, Tier 3 — and surfaces the supplier you didn’t know was a supplier. Because that’s where the risk actually lives, and that’s where it always has.
How: sub-processors captured from supplier-disclosed lists at each review cycle and held alongside the L1 record. Reviewers flag what changed since last cycle. Automated drift detection ships in v2. More on supply chain depth →
The supplier's evidence answers most of your questionnaire.
Your suppliers upload their SOC 2 Type II report, their ISO 27001 certificate, their sub-processor list, their DPA. The platform extracts the structured facts and pre-fills the matching items in your supplier questionnaire — every suggested answer cited back to the exact source page or clause. You accept, edit, or reject. The reviewer's decision is signed and hash-anchored.
How: Azure Document Intelligence extracts text and structure from each supplier artefact; AI-suggested answers carry mandatory citations to the source. No automated approval — every suggestion needs a reviewer sign-off, captured as an audit event with model, version, evidence set, and timestamp.
Hand the regulator the file. Walk away.
When a regulator, an auditor, or your board asks "how did you decide on this supplier eighteen months ago" — most companies reconstruct the answer under pressure. With Supply Chain Assurance, you hand them the trace. Every decision timestamped, every signature attributable, every evidence reference hash-anchored. Already prepared.
How: append-only decision log with reviewer attribution, evidence linkage, and content-addressable hashing. Exportable as a single signed dossier. What NIS2 expects in your supplier files →
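The "append-only decision log with reviewer attribution, evidence linkage, and content-addressable hashing" above is the kind of thing an auditor will probe, so here is an added example (not the product's own code) showing the minimum that makes such a log defensible: each evidence artefact is referenced by its SHA-256 content hash, each entry carries the hash of the previous entry, and a verifier reports the first entry at which either the chain or the evidence no longer matches. Field names, reviewer addresses, timestamps and the sample artefacts are constructed assumptions.

```python
"""Added example (not the product's code): an append-only decision log whose
entries reference evidence by content hash and are chained by hash, so a later
edit to any entry or artefact is detectable. Names and samples are assumptions."""
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional


def content_hash(artefact: bytes) -> str:
    """Content-addressable reference for an evidence artefact (SHA-256 hex)."""
    return hashlib.sha256(artefact).hexdigest()


@dataclass(frozen=True)
class Decision:
    supplier: str
    outcome: str                 # "approved" | "rejected" | "approved_with_conditions"
    reviewer: str                # attribution: who signed off
    timestamp: str               # ISO-8601, supplied by the caller so the log is reproducible
    evidence_hashes: List[str]   # content hashes of the artefacts the decision relied on
    reason: str
    prev_hash: str               # entry_hash of the previous entry, "" for the first
    entry_hash: str = ""         # filled in by the log


def _canonical(entry: dict) -> bytes:
    """Deterministic serialisation (entry_hash excluded) so hashing is repeatable."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class DecisionLog:
    def __init__(self) -> None:
        self.entries: List[Decision] = []

    def append(self, supplier: str, outcome: str, reviewer: str, timestamp: str,
               evidence: List[bytes], reason: str) -> Decision:
        prev = self.entries[-1].entry_hash if self.entries else ""
        draft = Decision(supplier, outcome, reviewer, timestamp,
                         [content_hash(a) for a in evidence], reason, prev)
        h = hashlib.sha256(_canonical(asdict(draft))).hexdigest()
        entry = Decision(**{**asdict(draft), "entry_hash": h})
        self.entries.append(entry)
        return entry

    def verify(self, evidence_store: Dict[str, bytes]) -> Optional[int]:
        """Return the index of the first entry that fails verification, or None
        if every entry chains correctly and every referenced artefact is intact."""
        prev = ""
        for i, e in enumerate(self.entries):
            if e.prev_hash != prev:
                return i                                  # chain broken (entry removed/reordered)
            if hashlib.sha256(_canonical(asdict(e))).hexdigest() != e.entry_hash:
                return i                                  # entry body edited after the fact
            for h in e.evidence_hashes:
                art = evidence_store.get(h)
                if art is None or content_hash(art) != h:
                    return i                              # artefact missing or replaced
            prev = e.entry_hash
        return None


def demo():
    """Build a constructed three-entry log and its evidence store."""
    store: Dict[str, bytes] = {}

    def put(artefact: bytes) -> bytes:
        store[content_hash(artefact)] = artefact
        return artefact

    soc2 = put(b"constructed sample: SOC 2 Type II report, Acme Hosting (placeholder)")
    subs = put(b"constructed sample: Acme Hosting sub-processor list (placeholder)")
    log = DecisionLog()
    log.append("Acme Hosting", "approved", "reviewer@example.invalid",
               "2025-01-15T10:00:00Z", [soc2, subs], "SOC 2 clean; sub-processors all EU-hosted")
    log.append("Beta Logistics", "rejected", "reviewer@example.invalid",
               "2025-01-16T09:30:00Z", [subs], "No current assurance artefact supplied")
    log.append("Acme Hosting", "approved_with_conditions", "second.reviewer@example.invalid",
               "2025-02-01T14:05:00Z", [soc2], "Re-review after sub-processor addition")
    return log, store


if __name__ == "__main__":
    log, store = demo()
    print("chain intact:", log.verify(store) is None)
    store[log.entries[0].evidence_hashes[0]] = b"edited artefact"
    print("first failing entry after tampering:", log.verify(store))
```

The point of the verifier is that the answer to "how did you decide eighteen months ago" is the entry plus the artefacts it names; if either has been touched since, `verify` says where. Exporting the entries as a dossier is then just serialising `entries` and signing the result, which this example leaves to whatever signing scheme is in use.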
Three screens. Three stories.
Real product, redacted. Supplier names and numbers are placeholders; the workflow is real.
Risk scored by worst dimension.
The questionnaire walks through scope, impact, geography, resilience and assurance. Each answer is colour-coded — Low / Medium / High / Critical — and the supplier's overall tier is set by their worst dimension, not an average. So one weak answer is never hidden behind nine good ones.
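The worst-dimension rule is easy to state and easy to get wrong once answers are aggregated, so here is an added example (not the product's code) of the scoring as described: each dimension's rating is its worst answer, the overall tier is the worst dimension, and an averaging function sits alongside only to show what it would hide. The five dimension names follow the text; the question identifiers and sample answers are constructed.

```python
"""Added example (not the product's code): worst-dimension supplier tiering.
Dimension names are from the page; question ids and answers are constructed."""
from typing import Dict, List, Tuple

LEVELS = ["Low", "Medium", "High", "Critical"]
RANK = {name: i for i, name in enumerate(LEVELS)}
DIMENSIONS = ("scope", "impact", "geography", "resilience", "assurance")

# An answer is (dimension, question_id, rating).
Answer = Tuple[str, str, str]


def _check(answers: List[Answer]) -> None:
    for dim, qid, rating in answers:
        if dim not in DIMENSIONS:
            raise ValueError(f"unknown dimension {dim!r} on {qid}")
        if rating not in RANK:
            raise ValueError(f"unknown rating {rating!r} on {qid}")


def dimension_ratings(answers: List[Answer]) -> Dict[str, str]:
    """Each dimension is rated by its worst answer; every dimension must be covered."""
    _check(answers)
    worst: Dict[str, str] = {}
    for dim, _, rating in answers:
        if dim not in worst or RANK[rating] > RANK[worst[dim]]:
            worst[dim] = rating
    missing = [d for d in DIMENSIONS if d not in worst]
    if missing:
        raise ValueError(f"unrated dimensions: {missing}")
    return worst


def overall_tier(answers: List[Answer]) -> str:
    """The supplier's tier is the worst dimension, never an average."""
    return max(dimension_ratings(answers).values(), key=RANK.__getitem__)


def averaged_tier(answers: List[Answer]) -> str:
    """What a mean-based score would report; shown only as the contrast."""
    _check(answers)
    mean = sum(RANK[r] for _, _, r in answers) / len(answers)
    return LEVELS[round(mean)]


# Constructed questionnaire: nine good answers and one bad one.
SAMPLE: List[Answer] = [
    ("scope", "Q1", "Low"), ("scope", "Q2", "Low"),
    ("impact", "Q3", "Low"), ("impact", "Q4", "Low"),
    ("geography", "Q5", "Low"), ("geography", "Q6", "Low"),
    ("resilience", "Q7", "Low"), ("resilience", "Q8", "Critical"),  # no tested BCP
    ("assurance", "Q9", "Low"), ("assurance", "Q10", "Low"),
]

if __name__ == "__main__":
    print("per dimension:", dimension_ratings(SAMPLE))
    print("worst-dimension tier:", overall_tier(SAMPLE))
    print("averaged tier (what would be hidden):", averaged_tier(SAMPLE))
```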

The library pulls prior evidence forward.
When a buyer asks for a sub-processor declaration, the library spots that you uploaded one for a different customer two weeks ago — and offers to reuse it. Re-keying the same answers across customer spreadsheets stops here.

Every decision, stamped and exportable.
Every approval, rejection and resubmission is logged with the actor, the reason and the timestamp. Auditors get a chronological export that closes regulator questions in minutes, not hours.

Vendor breach in the news. Supplier exposure mapped in one search.
An attack on a major vendor becomes your problem if your suppliers depend on them. Supply Chain Assurance captures those dependencies at every supplier review — direct relationships and the sub-processors behind them — so when something happens, the answer is already structured and searchable in the file you maintain.
- Direct suppliers — Tier 1 relationships, current as of the last review.
- Sub-processor disclosures — Tier 2 and Tier 3 dependencies, surfaced from supplier-provided lists.
- Searchable attributes — Query by vendor name, technology, country, or risk attribute.
- Refresh cadence — Updated on every supplier review — not just when something goes wrong.
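The exposure question above ("which of our services sit behind this vendor, and how many hops away") is a reachability query over a dependency graph, and the same structure also covers the attribute search in the list. The example below is added here and is not the product's code: it builds a small graph from constructed supplier-disclosed sub-processor lists, returns every impact path from a named vendor to an internal service, reports the vendor's tier relative to each service as the number of hops, and filters suppliers by recorded attributes. All supplier, service and country values are constructed.

```python
"""Added example (not the product's code): supplier dependency graph queried
for exposure to a named vendor. All names and attributes are constructed."""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional


class SupplierGraph:
    def __init__(self) -> None:
        self.services: set = set()                       # internal services (the things at risk)
        self.suppliers: set = set()                      # every supplier/sub-processor seen
        self.depended_by = defaultdict(set)              # node -> nodes that depend on it
        self.attrs: Dict[str, dict] = {}                 # supplier -> recorded attributes

    def add_service(self, service: str, tier1: Iterable[str]) -> None:
        self.services.add(service)
        for s in tier1:
            self.suppliers.add(s)
            self.depended_by[s].add(service)

    def add_supplier(self, name: str, country: Optional[str] = None,
                     technology: Iterable[str] = (), sub_processors: Iterable[str] = ()) -> None:
        """Record a supplier as disclosed at review time, plus its sub-processors."""
        self.suppliers.add(name)
        self.attrs[name] = {"country": country, "technology": set(technology)}
        for sp in sub_processors:
            self.suppliers.add(sp)
            self.depended_by[sp].add(name)

    def exposure(self, vendor: str) -> Dict[str, List[List[str]]]:
        """Every internal service reachable from `vendor`, with each simple
        dependency path listed upstream-first (vendor ... tier 1 ... service)."""
        if vendor not in self.suppliers:
            return {}
        paths: Dict[str, List[List[str]]] = defaultdict(list)
        stack = [(vendor, [vendor])]
        while stack:
            node, path = stack.pop()
            if node in self.services:
                paths[node].append(path)
                continue
            for parent in sorted(self.depended_by[node]):
                if parent not in path:                   # guard against disclosure cycles
                    stack.append((parent, path + [parent]))
        return {svc: sorted(p) for svc, p in paths.items()}

    def tier(self, vendor: str, service: str) -> Optional[int]:
        """Hops from the service to the vendor: 1 = direct supplier, 2 = its sub-processor..."""
        paths = self.exposure(vendor).get(service)
        return None if not paths else min(len(p) - 1 for p in paths)

    def find(self, country: Optional[str] = None, technology: Optional[str] = None) -> List[str]:
        """Attribute search over suppliers with a recorded review entry."""
        out = []
        for name in sorted(self.attrs):
            a = self.attrs[name]
            if country and a["country"] != country:
                continue
            if technology and technology not in a["technology"]:
                continue
            out.append(name)
        return out


def build_sample_graph() -> SupplierGraph:
    """Constructed portfolio: two internal services, two tier-1 suppliers, and
    sub-processors as they might appear on supplier-disclosed lists."""
    g = SupplierGraph()
    g.add_service("Customer Portal", ["Acme Hosting"])
    g.add_service("Payroll", ["Beta HR"])
    g.add_supplier("Acme Hosting", country="DE", technology={"iaas"}, sub_processors=["CloudCo"])
    g.add_supplier("Beta HR", country="SK", technology={"saas"}, sub_processors=["CloudCo", "MailCo"])
    g.add_supplier("CloudCo", country="US", technology={"iaas", "object-storage"}, sub_processors=["ChipFab"])
    g.add_supplier("MailCo", country="IE", technology={"email"})
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    for service, paths in g.exposure("ChipFab").items():
        print(service, "tier", g.tier("ChipFab", service), paths)
    print("US-hosted suppliers:", g.find(country="US"))
```

Because the edges come from what suppliers disclosed at the last review, the answer is only as current as that review, which is the "refresh cadence" point above; a vendor absent from every disclosed list simply returns an empty result rather than a false negative dressed up as certainty.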
From scoping to next year's review.
Six stages, one cycle. The capabilities above (decision trace, supplier graph, cross-framework mapping) are what make each stage hold up — this is the flow they sit inside.
Scope your portfolio
Add suppliers — Tier 1 and below where visibility allows. Tag each by the service they provide and the data classification they touch. Sub-processors recorded separately as they are disclosed.
Risk-tier each supplier
Score by data sensitivity × service criticality × replaceability. Top-tier gets full assessment; lower tiers lighter-touch. Either way the tier choice is signed and timestamped, not implicit.
Request the evidence that matters
When residual risk warrants it, send a tailored request pack. You pick which artefacts — SOC 2 Type II, sub-processor list, breach-disclosure history, BCP test results, contract clauses verified. Supplier receives it via the supplier-side surface; you see what they have already shared with other buyers and what is new.
AI-assisted answer extraction
When the supplier returns evidence, AI extracts structured facts and suggests answers to the items in your supplier questionnaire — every suggestion carries a mandatory citation to the exact source page or clause. You accept, modify, or reject each one. AI never closes the loop.
Decide and sign
Approval, rejection, or accepted-with-conditions — the decision is hash-anchored with reviewer attribution and timestamp. Future you, the auditor, and the regulator all see the same answer. Mark compliant, and the file is closed for this cycle.
Watch for change. Re-review on signal.
Annual cadence sits on top — every supplier file knows when it is due. Reviewers flag out-of-cycle re-reviews when something material changes: vendor breach disclosure, certificate expiry, sub-processor addition, ownership change. Automated trigger detection — and the half-prepared file that comes with it — ships in v2.
Stage 06 feeds back into Stage 03 (or 02 if the change is material enough to re-tier). The cycle is the point — supplier assurance is not a one-off audit, it is the continuous practice the audit trail depends on.
Not enterprise procurement. Not a consumer tool. The segment in between.
Most supplier-assurance platforms target the global procurement team running 5,000-vendor audits. We built ours for the businesses inside the supply chain — the 50–500-person manufacturer, the regional MSP, the medical device company — that suddenly need to prove their security posture to three different customers asking three slightly different questions, and answer for their own supplier risk under NIS2.
Naming the scope earns trust.
The product is a supplier-assurance platform, narrowly. The list below names the things buyers sometimes assume are bundled — they aren't. Saying so up front saves a quote cycle on both sides.
- No 24/7 SOC or managed-detection coverage
- No managed endpoint or operational IT services
- No audit-as-a-service — we produce evidence; the audit happens elsewhere
- No unbounded consultancy with day rates and quote cycles
What you can use today, what ships, what comes after.
Brand voice §10 — claim the present accurately, name the future honestly. We do not market features that do not exist yet, and we do not hide the line between what pilot members test now and what general availability brings.
What design partners test now
- Process-driven supplier scoping
- Structured assessment with AI-assisted ingestion
- Evidence records with reviewer attribution
- Decision-trace ledger with hash-anchoring
- NIS2-shaped audit exports — machine-readable, structured
What ships at general availability
- Microsoft Marketplace listing + procurement-friendly billing
- SLA commitments + uptime guarantees
- Single-tenant deployments on request
- Locked launch pricing for the first cohort
- Sub-processor change notifications
What is designed for the next versions
- Review-trigger engine — automated re-review on cert expiry, sub-processor change, contract amendment
- Source drift detection — trust-center page changes, posture shifts
- Cross-framework crosswalks — NIS2 evidence reused across ISO 27001, DORA, SOC 2
- Shared assurance pools (buyers + suppliers in the same regulated chain)
- Sector-specific evidence templates per Annex I/II category
- Slovak / Czech / German UI translations
Built by the practitioner.
Supply Chain Assurance is built by Pavel Láska — a CISSP- and CISM-certified cybersecurity practitioner with over a decade across banking, pharma, and education. Eight years in the banking sector progressing from senior engineer to senior risk manager. Time on critical financial infrastructure, reporting risk to board level. Then a global security services team in pharma across three continents.
The credibility chain runs practitioner → witness → builder. He filled the spreadsheets, defended the supplier decisions, prepped for the audits. Supply Chain Assurance is the tooling that should have existed back then.
The product itself was shaped by quiet conversations with practising CISOs and security leads across regulated industries — people who've sat in the audit chair, defended supplier decisions to boards, and lived with the consequences. They're not named on this page, but they're in the product.
Bratislava · CISSP · CISM · Microsoft Partner
Common questions
Is the product available today?
The pilot is open today — Supply Chain Assurance is in pre-launch and we are onboarding the first cohort of design partners now. The live production version (V1) is planned for Q4 2026 via the Microsoft Marketplace. Apply via the /pilot page to join the first cohort.
Do I need to be NIS2-regulated to use it?
No. Many pilot conversations are with suppliers to NIS2-regulated firms who want to demonstrate posture quickly when assurance requests arrive — and with mid-market buyers who are themselves in scope.
How is this different from the NIS2 Supplier Exposure Assessment?
The Assessment is a fixed-scope advisory engagement: a practitioner walks your supplier portfolio, produces an audit-ready exposure report and a prioritised remediation list, and hands it over. Supply Chain Assurance is the SaaS — the platform you operate after that initial picture is in your hands. Many buyers do the Assessment first, then onboard the platform.
How does the lineage tracing work?
Where a supplier discloses its sub-processors and downstream providers, we map the chain and surface the highest-risk path. Most supplier lists only show your direct (Tier 1) relationships; the real risk often hides two or three hops deeper.
How is evidence reused across requests?
Once a supplier uploads policies, certificates or attestations to their library, future assurance requests pull the existing evidence forward. Re-keying the same answers across spreadsheets stops.
What’s your data residency posture?
EU-hosted by default — Microsoft Azure, EU regions only. Single-tenant deployments available on request for buyers with stricter requirements. No customer data leaves the EU without explicit configuration.
Do you offer a Data Processing Agreement?
Yes. Standard DPA template available on request, GDPR Article 28-compliant. We’ll sign yours if it’s standard, or work through redlines.
Who are your sub-processors?
Our sub-processor list is published and updated on every change. Currently: Microsoft (Azure hosting), Resend (transactional email). No customer evidence is sent to third-party AI services.
What happens to my data when the pilot ends?
Full export available in machine-readable format (JSON + signed PDF dossiers). Thirty-day grace period to export, then complete deletion with a deletion certificate.
How does this differ from OneTrust, Prevalent, or Whistic?
Those are enterprise procurement-side tools, priced and configured for global teams running thousands of vendor audits. Supply Chain Assurance is built for the mid-market — companies that need defensible NIS2 supplier assurance without a six-figure platform contract or a six-month implementation. We have 30–40% fewer features than enterprise GRC suites, at a price that reflects that. Honest tradeoff.
What’s a typical onboarding timeline?
Pilot customers are live in under two weeks: import supplier list, run risk tier on the top 20, send the first request packs. Full coverage of a 100-supplier portfolio typically settles within 90 days.
Join the pilot — open today.
The pilot is open now. A small first cohort of mid-market buyers and their key suppliers — members join free or at compute cost, shape the roadmap, and lock in launch pricing. Production-ready V1 ships Q4 2026 via the Microsoft Marketplace. Mutual exchange — we help you, you help us.
