Noru

Vendors · TPRM

Third-party risk, tied to real data access.

Continuous vendor monitoring scored off the systems and data each vendor actually touches — not an annual questionnaire and a stale spreadsheet. Reviews happen on a cadence, answers become evidence, and vendor risk lives in the same register as everything else.

The way this usually goes

Your vendor list lives in three spreadsheets, none of which agree on who owns what.

Questionnaires go out by email and come back as PDFs nobody maps to controls.

Renewals and security reviews happen when a customer asks, not on a schedule.

Who it's for

One system, every stakeholder

Security & CISO

Every vendor scored, owned and reviewed on a cadence you set — not when a customer asks.

Compliance

Questionnaire responses map to controls and become evidence automatically.

Procurement

A security layer that complements your purchasing process instead of replacing it.

Sales & legal

Subprocessor disclosures and attestations ready the moment customers ask.

How it works

What Noru does instead

01. One register, owned and scored

Every vendor profiled with category, status, owner and risk score — from onboarding through offboarding, linked to the assets and data they actually touch.

  • Inherent and residual risk with impact/likelihood scoring
  • Risk weighted by the systems and data each vendor accesses
  • Lifecycle states: onboarding, active, inactive, offboarded

02. Questionnaires that produce evidence

Send security questionnaires vendors complete inline. Responses map to your controls and become evidence — no PDF archaeology.

  • Template library mapped to ISO 27001, SOC 2 and more
  • Inline completion with progress tracking and reminders
  • Responses auto-populate evidence linked to controls

03. Documents and attestations in one place

SOC 2 reports, ISO certificates, DPAs and insurance docs attach to the vendor record and link into your own compliance program.

  • Evidence vault linkage with versioning
  • Expiry tracking for certificates and attestations
  • Subprocessor disclosure feeds your trust center

04. Risk that connects to the rest

Vendor risks live in the same register as everything else — linked to controls, findings and treatments, visible in audits.

  • Vendor risks linked to organizational controls
  • Remediation tracked from issue to resolution
  • Board-ready reporting across the vendor portfolio

Request a demo

See it on your own data.

A walkthrough tailored to this use case, with your questions answered by practitioners.

  • 45 minutes, tailored to the frameworks and use cases you care about
  • Answers from practitioners, not a sales script
  • Leave with a concrete rollout plan — or a clear no-fit

Frequently asked questions

How do vendors fill in questionnaires?

Vendors receive an email invite and complete the questionnaire inline — no account or portal login required. You see completion progress, can nudge stalled responses, and answers map back to your control framework automatically.

Can we bring our own questionnaire templates?

Yes. You can use Noru's mapped templates as a starting point or build custom ones. Either way, responses link to controls and evidence the same way.

How does vendor risk scoring work?

Each vendor carries inherent and residual risk with impact/likelihood scoring, weighted by the systems and data they actually access. Scores roll up into your risk register, so vendor exposure is visible next to every other risk your organization tracks.

Does this replace our procurement process?

No — it complements it. Noru handles the security and compliance dimension: questionnaires, evidence, risk scoring and review cadences. Your procurement workflow stays where it is.