Premium • Powered by GRCxAI

Third-Party Risk Management
Continuous. Evidence-Based. No Questionnaires.

Stop chasing vendors for annual spreadsheets that are out of date the day they're returned. TPRM continuously gathers evidence about your third parties — from official registries, sanctions and watchlists, and live attack-surface scans — and grades every finding for reliability. Know who you're really dealing with, and prove it.

Core Platform

GRCxAI Platform

The complete AI-powered GRC suite across 26 standards — risk, compliance, audit, business continuity, AI governance, ESG & training.

£2,000/mo per company
Premium Add-on

TPRM

Continuous, evidence-based vendor due diligence that complements the platform — or runs standalone. No annual questionnaires.

£2,000/mo — add-on or standalone
Book a TPRM Demo See it on grcxai.com

Honest Scoring

One Number Was Never Enough

A single risk rating hides what you most need to know: how much do we actually know about this vendor? TPRM splits the score into three — so a confident "low risk" and a "low risk, but we couldn't check much" never look the same.

Risk

How risky the third party looks on the evidence we have — corporate, sanctions, cyber, financial, geographic and regulatory signals combined.

Confidence

The weakest-link reliability of that evidence, graded on the NATO Admiralty scale (A1–F). One unverifiable source drags confidence down — honestly.

Coverage

The percentage of required due diligence that actually ran. A missing data source shows as a coverage gap, never as a clean pass.

Inside the Product

The Vendor Dossier

Every monitored third party gets a living dossier — the three-score header up top, then an evidence register, attack surface, intelligence and network graph behind the tabs. Here's a real vendor view (illustrative data).

app.grcxai.com/tprm/vendors/northwind-logistics
81RiskPoor
77ConfidenceHigh
85Coverageof applicable
Northwind Logistics Ltd
CRN 12345678 · northwind-logistics.com
Cat 1b High Pending Approval AI systems
19 checks complete · 2 sources awaiting credentials · 1 flagged for review · 4 not applicable.
Overview Due-Diligence Register Attack Surface (3) Intelligence News Network
A code-faithful preview of the GRCxAI TPRM dossier — illustrative data, no real third party shown.

Inside the Product

The Due-Diligence Register

Every check is an immutable, timestamped record — graded for reliability on the NATO Admiralty scale, and tagged with an honest evidence state. A clean result, a finding, a "couldn't check" and a "doesn't apply" never look the same.

app.grcxai.com/tprm/vendors/northwind-logistics · Register
Corporate
8 tests · 12 evidence
Sanctions
3 tests · 2 evidence
PEPs
4 tests · 1 evidence
Finance
6 tests · 5 evidence
Cyber
12 tests · scan
Geographic
3 tests · 1 evidence
Identity & status
✓ CLEAR Northwind Logistics Ltd corporate.identity_status A2 16 Jun 2026
Directors & cross-company history
⚠ REVIEW Director linked to a dissolved entity B3 10 Jun 2026
Evidence state — Flagged as indeterminate: a current director also held a board seat at a company dissolved within 24 months. Source: Companies House · checked 10 Jun 2026.
Sanctions & watchlists
✓ CLEAR Northwind Logistics Ltd sanctions.ofac_sdn C1 16 Jun 2026
Credit & going concern
⏳ AWAITING SOURCE Creditsafe report — connect your key to enable finance.going_concern
Seven honest evidence states · NATO Admiralty grades on every source · immutable, hash-chained, audit-ready.

What's Inside

Continuous Due Diligence, End to End

Corporate Identity & Ownership

Identity, status and filings verified against Companies House (UK), GLEIF (global) and SEC EDGAR (US). Beneficial-ownership (PSC) chains walked recursively, with offshore-opacity flags.

Sanctions, PEP & Adverse Media

Screening against UK, OFAC and EU sanctions lists plus PEP and debarment data — with weighted entity matching and a defensible note on every near-miss.

Attack-Surface Scanning

Eight live probes — DNS & DNSSEC, TLS, email posture, CAA, cloud, app security, typosquatting and exposed-service intelligence — turning a vendor's domain into cyber evidence.

Financial & Credit

Always-on insolvency and Gazette signals, plus optional Creditsafe credit scores, CCJs and going-concern checks — financial distress surfaced as a hard stop.

Immutable Audit Trail

Every finding is append-only and hash-chained with a timestamp and source grade. Review the register exactly as it stood on any past date — built for auditors.

Continuous Monitoring & Threat Radar

New findings, score swings and sanctions hits raise alerts instantly, plus a portfolio-wide threat-campaign view with forward-looking forecasts.

Built Differently

Depth Where It Matters — No Noise Where It Doesn't

Evidence, not self-reported questionnaires

Annual questionnaires measure how good a vendor is at filling in questionnaires. We measure what's actually true — gathered independently, graded for reliability, refreshed continuously.

A rating is not due diligence

Security-rating tools give you a letter grade. We give you the underlying evidence register — sanctions, ownership, financials and cyber — that a rating can't, with the audit trail to prove it.

Deliberately no dark-web noise

We don't pad the feature list with dark-web "monitoring." In practice it's high-noise and low-value for third-party due diligence. We invest that effort in evidence you can act on and defend instead.

Pricing

£2,000/month Per Company — Add-on or Standalone

Add TPRM to your GRCxAI platform (full suite £4,000/mo), or run it as a standalone product for £2,000/mo with no full-GRC requirement — unlimited monitored third parties either way.

Book a TPRM Demo