Purpose
Vendor.Watch aims to provide the most accurate reflection of a SaaS company's privacy and AI governance credentials with the goal of assisting compliance teams, data protection officers and privacy executives in their audit or onboarding of third parties.
Although most vendors have security credentials and a "trust center" outlining their policies, a legal and technical review of such practices (i.e., a "human in the loop") is often lacking. The growing role of AI and automation in populating policies and conducting reviews makes the need for certainty more pressing.
Additionally, it is usually left to data controllers/buyers to discover external "risk signals" - originating from data breaches, court disputes, or third-party investigations. Such signals should be an equally important part of the picture.
Vendor.Watch was born out of our own frustration with the opacity and lack of depth of much of the documentation provided by many cloud-based solutions in the marketing technology space. At the opposite end, we also realized that vendors who had made a tangible effort to "go the extra mile" in terms of Privacy by Design or data minimization strategies were not being adequately rewarded by current market dynamics.
All of this takes place against a backdrop of growing privacy-related fines, customer concerns, and privacy-related class-action lawsuits.
How Vendor.Watch works
Vendor.Watch balances "trust signals" (common security credentials) with "risk signals" (red flags), both derived from automated and manual reviews. Certified professionals, either qualified lawyers with data protection credentials or privacy engineers with internationally recognized certifications, are integral to this process.
These professionals are compensated by Vendor.Watch for initial vendor reviews, by data controllers that require further scrutiny of a vendor, or by data processors seeking to enhance their credentials or provide additional guarantees.
Vendors can claim their profile by demonstrating a valid connection to their company's digital properties, such as an email address with the same domain name.
Trust signals
Trust signals can be legal or technical.
Legal trust signals originate from publicly available documentation (security credentials, data processing agreements, privacy impact assessments) or manual verification by qualified lawyers experienced in personal data protection, data privacy, or AI governance.
Technical trust signals typically relate to Privacy Enhancing Technologies or other data minimization techniques. These can originate from a certified third-party auditor, a public registry (e.g., a Differential Privacy registry), or manual review by certified privacy engineers.
Risk signals
Risk signals can be either legal or technical in nature.
Legal risk signals are typically identified through scanning or manually reviewing publicly available documentation, privacy notices, legal instruments for international data transfers, and other components of a vendor's accountability efforts.
Technical risk signals are derived from public, trusted data breach registries, recent court cases, and ad hoc manual, automated, or hybrid analysis of a vendor's data collection, storage, or transfer practices.