Vendor Risk & Compliance

Continuous vendor vetting. Zero risk.

Vendor risk changes every day. Codekeeper Vendor Risk & Compliance keeps oversight running with it: every vendor, automatically assessed against DORA, NIS2, ISO, and more. You know where every vendor stands long before anyone asks.

Runs alongside your Codekeeper escrow — nothing to migrate.
Covers: DORA, NIS2, CRA, ISO 27001, SOC 2, GDPR

Your tools weren't built for the question regulators now ask.

DORA, NIS2, and CRA made third-party risk an ongoing obligation. Regulators want a live record of vendor assessments, framework mappings, and risk verdicts. Most teams keep that record by hand — and by the time anyone checks it, it's already out of date.
DORA makes the people in charge personally accountable. That's fair.
Holding someone accountable for a system they were never given the tools to run isn't.
Your risk framework today:

  • Escrow: Ready
  • Vendor assessments: Scattered
  • Spreadsheet: Stale

Rebuilt from scratch, every audit.

We built vendor vetting because 3 500+ teams asked for it.

The escrow is in order. The vendor records aren't — and a regulator doesn't care which tool owns which. Ten years in regulated industries taught us where compliance actually breaks: not inside the tools, but at the seams between them.

Vendor Risk & Compliance seals that seam from the account you already have.

  • 10+ years in regulated industries
  • 3 500+ teams protected
  • ISO 27001 certified
  • Airbus · Bayer · GM · EU Parliament trust Codekeeper

Vendor compliance that keeps itself current while you're doing everything else.

Six capabilities. Each closes a gap manual vendor vetting leaves open.

Always-on vendor vetting

Every vendor assessed against DORA, NIS2, CRA, ISO 27001, SOC 2, and GDPR — automatically, on an ongoing basis.

When a framework shifts, you find out the day it changes — not at the audit.

Written verdicts, signed by a human

Each vendor gets a written verdict, reviewed and signed by a human analyst, so you can hand your auditor a name, a date, and a decision.

Not a score. A verdict.

Audit-ready evidence packets

You get pre-mapped evidence per vendor, per framework — versioned, dated, and traceable — ready to retrieve in one click.

The audit is a hand-off.

Sub-processor tracking

Every named sub-processor across your vendor portfolio is tracked. We flag changes within days of publication.

So a yes today doesn't quietly become a no tomorrow.

Change alerts before the audit finds them

We monitor breach disclosures, certification lapses, financial signals, and DPA changes in real time.

Nothing your auditor finds will be news to you.

10 000+ vendors pre-monitored

Most of your stack is already in the library; new vendors onboard within five business days.

You're not starting from zero every time procurement signs something new.

How it works

3 steps. Then vendor oversight runs itself.

1. Map your application dependencies once.

You do the one thing only you can do.

2. Every vendor gets an up-to-date written verdict.

Assessed against your regulatory scope, updated automatically, signed by a human.

3. When the auditor asks, you forward a packet.

You don't start a project. The evidence is already there.

All of this runs alongside your Codekeeper escrow. One proves you can recover; the other proves you were right to trust them in the first place.

These companies’ systems are protected, compliant, and resilient.

They made the decision. They built their resilience. They have peace of mind. You can too.
“We’ve had a great experience with CodeKeeper. The setup process was smooth, and the team made everything very straightforward. Knowing our critical software assets are securely protected gives us real peace of mind. Their support has been responsive and professional, and the overall service has been reliable and easy to work with. Highly recommended.”

Jordan Adler

“We worked with Codekeeper as our escrow provider for major enterprise deployments and found them to be extremely professional, responsive, and flexible throughout.
I'd highly recommend Codekeeper. They clearly understand the realities of working with growing tech businesses and enterprise customers alike.”

Ross Kilshaw

“I found Codekeeper's solution excellent for what I need. I scheduled a demo to better understand the possibilities. Very easy! It was a clear and straightforward meeting, focused exactly on what I needed. Excellent service!”

Thiago Mendes

Airbus · Bayer · EU Parliament · General Motors · Intuit · Nestle · Pepsico · Pfizer

Every vendor mapped to every framework that applies to you.

One assessment, mapped to every framework in your regulatory scope — so the evidence lines up with whichever standard the audit runs against.

  • DORA: Digital Operational Resilience Act
  • NIS2: Network & Information Security Directive
  • CRA: Cyber Resilience Act
  • ISO 27001: Information security management
  • SOC 2: Trust services criteria
  • GDPR: General Data Protection Regulation

What's at stake

Add Vendor Risk & Compliance. Or don't.

Without it

  • Regulators find the gaps before you do.
  • DORA Article 28 makes that personal — fines, management bans, criminal liability for the board members responsible.
€10M or 2% of revenue, whichever is higher

With Vendor Risk & Compliance

  • Every vendor assessed, signed off, and traceable before the request arrives.
  • One click. One packet. One less thing that keeps you up before an audit.
Sample report

See what a vendor verdict looks like before you decide.

We ran one vendor through a full DORA, NIS2, and CRA assessment. Download the report to see exactly what your auditor would see.

Vendor security assessment certificate

Issued to

Vendor        Criticality   Status          Reviewed
Acme Cloud    Critical      Needs review
Stripe        High          In order
Datadog       High          Under assess.
HubSpot       High          Needs review
Snowflake     High          Needs review
GDPR ISO 27001 SOC 2 NIS2 DORA CRA
Get your free sample vendor report

We'll email the report straight to your inbox.

Survive software risk. Now with continuous vendor vetting.

Codekeeper already proves you can recover. Vendor Risk & Compliance proves the vendor earned your trust: per vendor, per framework, every day.

Frequently asked questions

Is this a separate product, or does it add to my existing Codekeeper plan?

It's an add-on to your existing Codekeeper account — available on Software Escrow, SaaS Escrow, Continuity Escrow, AI Escrow, and Software Backup plans. Nothing migrates: connect your vendor portfolio and continuous vetting runs alongside the escrow you already have.

Which regulations does Vendor Risk & Compliance cover?

The add-on maps vendor assessments against DORA, NIS2, CRA, ISO 27001, SOC 2, and GDPR.

What if a vendor isn't in your library yet?

If a vendor in your portfolio isn't already in the library, they're onboarded within five business days.

How is this different from a point-in-time vendor risk assessment?

Point-in-time assessments capture a vendor on a single day. DORA and NIS2 require continuous evidence — assessments that update when the vendor changes, frameworks shift, or certifications lapse. Vendor Risk & Compliance monitors continuously, so the record your auditor sees always reflects where each vendor stands today.