PartnerScope gives compliance, risk, and AI governance teams at DACH enterprises an audit-ready 10-dimension risk scorecard for every third-party AI vendor — in the time it takes to read this page.
If you deploy AI in credit scoring, claims, diagnostics, grid management, or safety-critical manufacturing — the accountability sits with you as deployer. Not the model vendor.
Most compliance teams have a mature inventory of their own AI. But ask them to produce audit-ready due diligence on every third-party model, data provider, and ML tooling vendor — and the answer is "give us a few weeks."
Annex III requires continuous conformity. The question isn't "can we build a report?" — it's "can we produce audit-grade vendor evidence on demand, today, across 30+ suppliers?"
Training data without documented lineage. A model supplier with no MLSecOps posture. A sub-processor outside the EEA. Any of these can downgrade your entire system's classification.
Here's what you get back for every vendor you submit — a PDF you can attach directly to your Annex III risk register.
Vendor name + what they supply you (model, data, MLOps tool). 30 seconds.
Our analysts + automated signals score the vendor against EU AI Act, DORA, and NIS2 criteria.
Scorecard + heat-map + red-flag summary + remediation checklist. Attachable to your Annex III file.
Vendors drift. Scorecards re-run on demand or on a schedule — so your file stays current.
Each one mapped to specific EU AI Act articles, DORA obligations, or NIS2 supply-chain clauses.
Training-data legality, lineage, consent basis, and cross-border transfer history.
Documentation, explainability techniques, known failure modes, and evaluation evidence.
Model integrity, adversarial-robustness testing, secrets handling, SBOM.
AI Act, GDPR, DORA, NIS2, sector-specific (MDR, Solvency II, BaFin).
Uptime record, SLA bite, failover capability, incident MTTR.
Going-concern signals, runway, funding stability — no point signing a vendor that vanishes in 18 months.
Clean-room provenance, training-data license chain, open-source license compatibility.
Every downstream party touching your data. Where they sit. What they re-share.
Published fairness testing, bias-remediation process, human-rights alignment.
Historical breaches, disclosure timeliness, your right to be notified, and the notification timelines.
Start with a single vendor. Scale to your whole AI supply chain. Every tier includes audit-ready PDF output.
One-off — see the output before you commit.
one-time · 1 vendor
For compliance and risk teams with an active vendor register.
/month · up to 20 vendors/month
For regulated groups with large AI vendor inventories.
/month · unlimited scans
White-glove engagement: your vendor inventory, assessed end-to-end.
one-time · 50 vendors + compliance memo
A scorecard is not a regulatory certification — it's structured due-diligence evidence. Customers attach it to their Annex III risk register as the "third-party vendor assessment" document their internal audit and external conformity assessors expect to see. It closes the same gap a written vendor questionnaire would close — but faster, more structured, and re-runnable.
Public filings, technical documentation, SBOMs, published security posture (SOC 2, ISO 27001, ISO 42001), court records, breach-disclosure databases, and — when the vendor cooperates — direct documentation they provide. When evidence is missing, we flag it as a gap rather than guessing.
No. A cold scorecard (no vendor cooperation) still captures most observable signals. Vendor cooperation raises coverage and confidence. Some customers use the free pilot scorecard itself as the opener to request vendor documentation.
Questionnaires are self-attested and static. PartnerScope scorecards combine external signals (breach history, financial filings, sub-processor registries) with self-attestation, producing a score the vendor can't author themselves. And they re-run on a schedule — so a vendor that drifts triggers an alert.
We process vendor metadata, not your personal data. No training data or customer records leave your systems. A DPA / AVV is available on request for Team and above. All processing within the EEA.
Scorecards delivered in English or German. DACH market is the current focus; customer-success communication in DE / EN / RU.
Pick a vendor. We deliver a full 10-dimension PDF within 48 hours. Zero commitment.