Production · Internal Tool

TPRM | Third-Party Risk Management Platform

A purpose-built vendor risk management platform that automates the identification, assessment, and ongoing monitoring of third-party software vendors. Integrates with procurement (Ramp), project tracking (Linear), and the Claude API to create an end-to-end workflow from purchase request to AI-powered SOC 2 analysis to security assessment to annual review.

Role
Designer, Builder, & Operator
Timeline
Built in days, not months
Status
Live in Production
Built With
AI-Assisted Development
The Problem
No visibility into the vendor landscape
As the company scales, the number of third-party software vendors grows. Without a centralized system, there was no visibility into which vendors access PII or integrate with internal tools, no systematic process for assessing vendor criticality before procurement approval, no audit trail linking procurement events to security reviews, and no mechanism for tracking annual reviews of critical vendors.
The Dashboard
Real-time vendor risk at a glance
Summary stats, active reviews, recent decisions, and attention items, all in one view.
TPRM | Dashboard
TPRM Dashboard Vendors Reviews Due Admin Dashboard Last sync: 5/1/2026, 2:19:02 PM Total Vendors Tracked 162 Critical Vendors 48 Pending Assessment 55 Non-Critical 59 IN REVIEW 0 active No vendors currently in review. RECENTLY DECIDED View all → Vendor Alpha5/1/2026 Not Critical DevTools Inc.4/29/2026 Not Critical CloudSync Corp4/29/2026 Critical DataPipe AI4/29/2026 Critical SecureVault4/29/2026 Critical NEEDS ATTENTION 55 vendors pending assessment View pending vendors →
Vendor Detail
Documents, scoring, and audit trail
Each vendor has a full profile with uploaded SOC 2 reports, AI-powered analysis scores, assessment decisions, and a comments thread that syncs directly to Linear.
TPRM | Vendor Detail — CloudSync Corp
TPRM Dashboard Vendors Reviews Due Admin Last Review 5/4/2026 Subprocessor Yes Cloud infrastructure provider Set Decision This will be synced to Linear when issue creation is enabled Critical Not Critical Reset Documents (1) Upload Document FILENAME TYPE SIZE DATE ANALYSIS DECISION CloudSync SOC 2 Type 2 2025 Audit.pdf SOC 2 432 KB 5/7/2026 64 View Report Conditional Notes: Add notes about this decision... Comments (1) Review notes, decisions rationale, and audit trail for this vendor S reviewer@company.com 5/8/2026, 9:38:24 AM Reviewed the SOC 2 report. Found several exceptions in access controls and a redacted penetration test. Vendor confirmed an updated report is expected next quarter. Setting as conditional until then. Add a comment... Cmd+Enter to submit Add Comment
SOC 2 Analysis Engine
AI-powered vendor security scoring
Upload a vendor's SOC 2 report and the platform analyzes it against a multi-pillar rubric using Claude. Each pillar receives a score with specific findings, producing a reliability assessment that informs the vendor's criticality decision.
TPRM | SOC 2 Reliability Assessment — CloudSync Corp
SOC 2 Reliability Assessment CloudSync Corp · 2026-05-08 64 Moderate Reliability Structure 89 Substance 65 Source 38 Pillar: Structure Does the report include required components and maintain professional consistency? 89 High Reliability Required Auditor's Report Section Structure 95 The SOC 2 Type 2 report contains a well-structured Independent Service Auditor's Report with all required sections clearly labeled and present. The auditor issued an unqualified opinion. • Clearly labeled 'Scope' paragraph present on page 3 • Clearly labeled 'Opinion' paragraph present on page 5 with unqualified opinion • 'Description of Tests of Controls' paragraph present on page 4 as required for Type 2 • No qualifying language or exceptions noted in the opinion • Report follows current AICPA attestation standards format • Proper restricted use paragraph included Management's Assertion Completeness 85 Management's Assertion is present as Section 2 and includes all required elements for a Type 2 report including assertions about system description accuracy, control design, and operating effectiveness. • System description accuracy assertion present
How It Works
End-to-end automated workflow
01

Procurement

Someone buys software through Ramp. The intake form captures PII access, tool integration, and software classification.

02

Sync & Evaluate

TPRM pulls purchase orders from Ramp, filters to software vendors, and evaluates risk signals automatically.

03

Assessment

Vendors with risk signals get routed to Linear as issues. Upload SOC 2 reports for AI-powered analysis. The security team reviews findings and labels vendors Critical or Not Critical.

04

Ongoing Monitoring

Critical vendors are automatically flagged for annual re-review. An in-process scheduler runs daily syncs with Slack notifications and catch-up logic on container restart.

Architecture
Built on Google Cloud Platform
Single-container design: FastAPI backend + React frontend served from one Cloud Run service. SQLite persisted via GCS FUSE mount.

Cloud Run

Hosts the unified container: FastAPI + React SPA served from a single uvicorn process on port 8080.

📦

Artifact Registry

Container registry for Docker images. Multi-stage builds: Node for frontend, Python for backend.

🔒

Secret Manager

API credentials for Ramp and Linear injected as environment variables. No secrets in code or images.

🛡

Identity-Aware Proxy

Restricts access to authenticated corporate users. OIDC bypass for service-to-service scheduler calls.

In-Process Scheduler

APScheduler runs inside the container: Ramp sync at 9am PT, decision sync at 4pm PT, with automatic catch-up on restart.

🗃

Cloud Storage

GCS FUSE volume mount for SQLite persistence. Database survives container restarts and redeployments.

Key Features
What makes it work
🔄

Bidirectional Sync

Procurement data flows in from Ramp; assessment decisions flow back from Linear. Both syncs run daily.

📈

SOC 2 Analysis Engine

Upload a vendor's SOC 2 report and get an AI-powered reliability assessment scored across Structure, Substance, and Source pillars. Findings post directly to Linear.

💬

Comments & Audit Trail

Vendor-level comment threads with timestamps and author tracking. Every comment syncs to the vendor's Linear issue for a centralized audit trail.

💬

Slack Notifications

Five notification types: new vendor alerts, daily sync summaries, annual review reminders, contract expiration warnings with urgency indicators, and sync failure alerts.

📄

Compliance Export

CSV export with all compliance-relevant fields. Filter by Critical, Pending, Not Critical. Includes subprocessor flags and review history.

🔗

Linear Integration

Auto-creates issues with vendor context, assigns reviewers, syncs labels and statuses. Manual issue creation from vendor detail pages for ad-hoc assessments.

👥

Role-Based Access

IAP authentication with admin and viewer roles. Admins get full vendor details, sync controls, and decision authority. Viewers get a read-only dashboard.

📄

Document Management

Upload SOC 2 reports and other evidence per vendor. Each document carries an assessment decision (accept, reject, conditional) with notes, all synced to Linear.

🔄

Decision Writeback

Set vendor decisions directly in the app. Labels, comments, and completion dates sync to Linear in real time. Bidirectional sync prevents conflicts.

📍

Subprocessor Tracking

Cross-references vendors against a maintained subprocessor list. Flags matches automatically and surfaces purpose context on vendor detail pages.

📅

Contract Lifecycle

Tracks contract start and end dates from procurement data. Flags expiring contracts 30 days in advance with urgency indicators and deep links back to Ramp.

Tech Stack
What it's built with
Python / FastAPIReactSQLiteDocker GCP Cloud RunGCS FUSESecret ManagerIdentity-Aware Proxy APSchedulerArtifact RegistryRamp API (OAuth2)Linear GraphQL API Slack WebhooksClaude API (SOC 2 Analysis)Claude Cowork (AI-Assisted Dev)
Outcomes
Impact
0
Manual data entry steps
100%
Procurement audit coverage
5
Automated Slack notification types
Days
Built, not months