SaaSDossier turns vendor-published security, privacy, compliance, incident, subprocessor, and infrastructure documentation into human-reviewed PDF dossiers for vendor-risk and contract-stage review.
02 — The problem
Somewhere on your desk is the question: can we work with this company? Answering it properly means hours inside trust centers, security pages, DPAs, and subprocessor lists — or a questionnaire cycle that takes weeks and still comes back half-blank. Even the SOC 2 reports you do collect tend to get filed and never read.
So the check gets rushed, or skipped, or signed off on a logo and a feeling. That's the gap this tool closes.
03 — What you receive
Each dossier reviews a vendor's published record across five areas:
SOC 2, ISO 27001, PCI DSS, GDPR posture, and what's verifiably documented versus merely mentioned.
In transit, at rest, key management, cloud regions, data residency.
MFA, SSO, role-based access, audit logs, API scoping.
Bug bounty, pentest cadence, disclosure policy, status page, notification commitments.
Subprocessor registry, retention, erasure, portability, cross-border transfer.
Every finding carries its source location and an evidence class from A (formal artifact) to D (not identified in the sources reviewed). Where a field is recorded as a question surfaced, that does not establish that the control is absent.
Not finding something in a vendor's public documentation does not mean it doesn't exist. It means they haven't published it — and that, too, is worth knowing.
Trust
A human-reviewed PDF that compiles a vendor's own published security, privacy, compliance, incident, subprocessor, and infrastructure documentation into one structured, source-linked evidence record — 43 fields, every finding traced back to the vendor's own page. Built for vendor-risk, procurement, and contract-stage review.
A finished PDF dossier for one named vendor: a documentation summary, a 43-field evidence ledger, a gap register, a source register, a SHA-256 integrity record, a human review note, and a disclaimer. No dashboard to log into, no subscription — a document you own.
You can — and you should — check our work. The value is the compiling: 43 fields pulled across a vendor's trust center, security pages, DPA, status page, and subprocessor list, reconciled and cited into one record. So instead of a 200-question questionnaire that comes back half-answered, your follow-up to the vendor is a handful of precise questions.
Each dossier is checked field by field against the vendor's published sources — reviewed independently, reconciled against the source, and human-reviewed before release. Every documented finding is a quote with a link to the vendor's own page, so you can trace any claim back to the source yourself.
Vendor-owned, vendor-published sources only: trust centers, security and privacy pages, legal pages, DPAs, subprocessor lists, status pages, and developer or security docs where relevant. No third-party reviews, news, opinions, or marketing copy are ever used as evidence.
The reviewed vendor-published sources didn't address that field. It does not mean the control is absent — it means the public record is silent, and you now have a precise question to put to the vendor before relying on it. We never treat absence of published evidence as proof of absence.
No — and that precision is deliberate. A SaaSDossier does not certify, rate, approve, or reject a vendor, and it does not replace legal, procurement, GRC, vCISO, or professional vendor-risk review. It gives you a clean, source-linked evidence record so review starts from the vendor's own documentation instead of a blank page.
Every dossier carries its assessment date; findings reflect the vendor's published sources as reviewed on that day. If a vendor updates its documentation, a refreshed dossier can be produced.
04 — Method, in plain terms
We read only what the vendor itself has published, on its own domains. The same documentation is reviewed independently, twice over; the findings are compared field by field, disagreements are flagged and resolved against the source, and every dossier is human-reviewed before release.
Each finished dossier carries a SHA-256 integrity hash, so the document you hold is verifiably the document we issued.
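The integrity hash only helps if the recipient actually recomputes it. The following is an added example, not SaaSDossier's own tooling: it hashes the PDF you hold and compares the result, in constant time, with the digest quoted in the dossier's integrity record. It assumes the record quotes the digest as a 64-character hex string; the file name and sample bytes are constructed for illustration.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Return the lowercase hex SHA-256 digest of the given bytes."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Hash a file in 64 KiB chunks so a large PDF is never read into memory whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Compare the digest of `data` with the digest quoted in an integrity record.

    Tolerates case and surrounding whitespace in the quoted value. Anything that is
    not a 64-character hex string is rejected outright rather than silently matched.
    The comparison itself is constant-time (hmac.compare_digest), which is the
    idiomatic way to compare digests even when timing is not a practical concern.
    """
    expected = expected_hex.strip().lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


def verify_file(path: str, expected_hex: str) -> bool:
    """Same check for a file on disk, e.g. the delivered PDF."""
    with open(path, "rb") as f:
        return verify_sha256(f.read(), expected_hex)


if __name__ == "__main__":
    # Constructed sample: stand-in bytes for a delivered PDF (hypothetical file name).
    pdf_bytes = b"%PDF-1.7 constructed sample dossier body"
    recorded_digest = sha256_hex(pdf_bytes)  # what the integrity record would quote
    print("matches integrity record:", verify_sha256(pdf_bytes, recorded_digest))
    # A single flipped byte must fail the check.
    tampered = pdf_bytes[:-1] + b"!"
    print("tampered copy matches:", verify_sha256(tampered, recorded_digest))
```

Run `verify_file("saasdossier-001.pdf", "<digest from the integrity record>")` against the file you received; a `False` means the bytes you hold are not the bytes that were hashed, whether through transit corruption or modification, and the document should not be relied on until a fresh copy verifies.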
No third-party reviews. No opinions. No inference.
05 — Released dossiers
Stripe and HubSpot are completed and human-reviewed, ready now. Any other company with a public security presence can be produced on request — inquire and we'll produce and review its dossier before it reaches you.
Dossier No. 001 · 35 / 43 fields documented · 8 questions surfaced
Human-reviewed · 17 Jun 2026
Buy the Stripe dossier →
Dossier No. 002 · 36 / 43 fields documented · 7 questions surfaced
Human-reviewed · 17 Jun 2026
Buy the HubSpot dossier →
06 — Pricing
One human-reviewed PDF dossier for one vendor decision — a full 43-field vendor security evidence dossier with source register and integrity record.
Choose a released dossier
For teams or consultants reviewing a small SaaS stack. You name your five vendors up front — from the released library or by request — each produced and human-reviewed before delivery.
Choose five vendors
For a larger vendor stack. You name your ten vendors up front; each is scoped, produced, and human-reviewed before delivery.
Request portfolio pack
One-time purchase. You receive a finished, human-reviewed PDF dossier for the named vendor. Length varies by vendor because each dossier follows the evidence available in the vendor-published source set.
07 — Who it's for
Compliance leads and fractional CISOs running vendor reviews for multiple clients. Operations and IT managers at companies of 10–500 people choosing tools without a security team. Consultants who need a clear, source-linked document behind every recommendation. And if you're pursuing SOC 2 yourself, vendor reviews are part of the program — a dossier is documented evidence of that review. If your name goes next to the decision, the dossier is the paper that stands behind you.
SaaSDossier is an evidence-organization product. It is not legal advice, not an audit, not a certification, and not a substitute for professional vendor-risk, legal, procurement, GRC, vCISO, or security review. Each dossier reflects vendor-published sources reviewed at the time of preparation.