Assessment Methodology
How ThirdProof investigates and rates third-party vendors
Version 1.1 · Effective February 25, 2026
What We Assess
ThirdProof assesses organizational entities — companies, business units, and registered organizations — for the purpose of third-party vendor risk evaluation. Assessments are designed exclusively for business-to-business due diligence.
- ✓ Organizational cyber risk posture
- ✓ Sanctions and regulatory exposure
- ✓ Business registration and corporate legitimacy
- ✓ Adverse media signals (regulatory, financial, security, legal)
- ✓ Domain health, SSL configuration, and web infrastructure
- ✓ Compliance certification claims (SOC 2, ISO 27001, HITRUST, PCI-DSS)
- ✗ Natural persons, individuals, or sole proprietors for consumer purposes
- ✗ Employment suitability, creditworthiness, or character
- ✗ Any attribute regulated under the Fair Credit Reporting Act (15 U.S.C. Section 1681 et seq.)
Assessments are point-in-time snapshots reflecting conditions as of the assessment date. ThirdProof does not currently offer continuous monitoring. Customers are responsible for determining appropriate re-assessment frequency.
Data Source Categories
ThirdProof queries multiple independent public data sources simultaneously for each assessment. Sources are organized into the following categories:
| Category | What It Provides |
|---|---|
| Sanctions & Watchlists | Screening against OFAC SDN, consolidated sanctions lists, PEP databases, and international sanctions regimes |
| Business Registries | Corporate registration verification, jurisdiction, formation date, active/inactive status, officer records |
| Cyber Risk Intelligence | External attack surface scoring, network security posture, patching cadence, DNS health, IP reputation |
| Adverse Media | News coverage screening for regulatory actions, lawsuits, data breaches, financial distress, fraud allegations |
| Domain & Web Infrastructure | SSL certificate validation, HTTPS enforcement, domain age, registrar information, DNS configuration |
| Threat Intelligence | Malware association, phishing indicators, abuse reports, botnet participation, safe browsing status |
| Certificate Transparency | SSL/TLS certificate issuance history, subdomain enumeration, certificate authority validation |
| Email & Firmographics | Email deliverability verification, MX record validation, domain spoofing susceptibility, company size and industry classification |
| Compliance Verification | Trust page scanning for certification claims (SOC 2, ISO 27001, HITRUST, PCI-DSS, FedRAMP), independent registry cross-reference, aspirational language detection |
| Supply Chain Analysis | Subprocessor page discovery, third-party dependency extraction, per-subprocessor sanctions screening and safe browsing checks |
| Regulatory Filings | SEC EDGAR enforcement filing search, FDIC bank failure registry lookup, entity name verification to confirm attribution |
The specific number and identity of individual data sources may change over time as ThirdProof adds, replaces, or retires sources to improve coverage. Source changes do not constitute a material modification of the Terms of Service. The current source list is available upon request at support@thirdproof.ai.
No external data source provides complete coverage. Individual sources may be temporarily unavailable, may return incomplete data, or may contain inaccuracies attributable to the source provider. Reports indicate where sources were unavailable or returned incomplete results. The confidence score (described below) reflects data availability.
Many data sources return results based on name matching, which can produce false positives when different entities share similar names. ThirdProof applies entity verification logic to sanctions screening, business registry lookups, regulatory filing searches, and bank registry checks. When a match cannot be confirmed as the investigated entity, findings are flagged for manual verification and severity is reduced. Reports clearly distinguish between verified matches and unconfirmed name-based matches.
Risk Tier Assignment
Every assessment concludes with a risk tier assignment from Tier 1 (Critical Risk) through Tier 5 (Minimal Risk). Tiers are assigned by a deterministic rule engine — explicit, threshold-based logic applied to source evidence. The tier is determined before any AI-generated narrative is written. AI describes the findings; rules drive the decision.
Tier 1 (Critical Risk). Assigned when evidence includes confirmed sanctions matches, active data breaches in recent history, domains flagged as malicious by threat intelligence sources, or active regulatory enforcement actions. If any single Critical condition is present, the overall tier is Critical regardless of other signals.
Tier 2 (High Risk). Assigned when evidence includes unresolved regulatory inquiries, cyber risk scores significantly below industry thresholds, adverse media showing fraud allegations or major lawsuits within recent months, or unverifiable business registration. If any single High condition is present and no Critical conditions exist, the overall tier is High.
Tier 3. Assigned when evidence includes moderate cyber risk scores, adverse media that is older or resolved, limited business history, claimed certifications that cannot be independently verified, or partial data availability reducing confidence significantly.
Tier 4. Assigned when evidence shows acceptable cyber risk scores, clean sanctions screening, clean or minimal adverse media, verified business registration with established history, and minor gaps that do not indicate systemic risk.
Tier 5 (Minimal Risk). Assigned when evidence shows strong cyber risk scores, independently verifiable SOC 2 Type II or equivalent certification, established company history, clean sanctions and adverse media, and strong domain health. Minimal Risk requires positive evidence across multiple dimensions — absence of negative signals alone is not sufficient.
Critical conditions always override. If any single Tier 1 trigger is present, the overall tier is Tier 1 regardless of all other signals. If any single Tier 2 trigger is present and no Tier 1 conditions exist, the overall tier is Tier 2. This ensures that a single severe risk signal is never diluted by otherwise positive indicators.
Confidence Scoring
Every report includes a confidence score from 0–100 reflecting the completeness and consistency of available source data. The confidence score is computed by the rule engine, not inferred by AI.
- The score starts at 100
- Points are deducted when individual data sources return errors, are unavailable, or return incomplete data
- Points are deducted when data coverage is thin (e.g., limited adverse media results may indicate coverage gaps rather than absence of risk)
- Points are deducted when key data points are estimated rather than confirmed
A confidence score below 60 triggers a visible Data Coverage Warning on the report. A confidence score below 40 escalates the minimum tier to Tier 3 regardless of other signals, ensuring that insufficient data does not produce a misleadingly favorable rating.
Confidence scores reflect data availability, not factual accuracy. A high confidence score means ThirdProof had good data coverage — it does not guarantee that every underlying data source is correct.
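The tier precedence described under Risk Tier Assignment (a single Tier 1 trigger overrides everything, Tier 2 overrides the graded tiers, Tier 5 needs positive evidence) and the confidence rules above (start at 100, deduct per gap, warn below 60, floor the tier at Tier 3 below 40) can be read as one small rule engine. The following is an added illustration written for this page, not ThirdProof's engine or rule set. The evidence field names, the cyber-score cut-offs, the adverse-media limit and the per-gap point deductions are assumed for illustration; only the 60 and 40 confidence cut-offs and the tier precedence come from the methodology text. The sample source list and vendors are constructed.

```python
"""Toy threshold-based vendor risk rule engine (illustration, not ThirdProof's code)."""
from dataclasses import dataclass, field
from typing import Dict, List

# Cut-offs published in the methodology
CONFIDENCE_WARNING = 60        # below this: visible Data Coverage Warning
CONFIDENCE_TIER_FLOOR = 40     # below this: tier can be no better than Tier 3

# Assumed values, NOT published on the page; chosen only to make the example run
CYBER_STRONG = 800             # "strong" cyber risk score
CYBER_ACCEPTABLE = 650         # "acceptable" cyber risk score
CYBER_SIGNIFICANTLY_LOW = 500  # "significantly below industry thresholds"
MINIMAL_MEDIA_HITS = 2         # "clean or minimal" adverse media
SOURCE_GAP_DEDUCTION = 5       # per unavailable or incomplete source
THIN_COVERAGE_DEDUCTION = 10   # when coverage looks thin rather than clean
ESTIMATED_FIELD_DEDUCTION = 3  # per key data point estimated rather than confirmed


@dataclass
class SourceResult:
    name: str
    available: bool = True
    complete: bool = True


@dataclass
class Evidence:
    """Hypothetical evidence bundle; field names are assumptions, not ThirdProof's schema."""
    sources: List[SourceResult] = field(default_factory=list)
    # Tier 1 (Critical) triggers
    confirmed_sanctions_match: bool = False
    recent_data_breach: bool = False
    domain_flagged_malicious: bool = False
    active_enforcement_action: bool = False
    # Tier 2 (High) triggers
    unresolved_regulatory_inquiry: bool = False
    recent_fraud_or_major_lawsuit: bool = False
    registration_verified: bool = True
    # Graded signals used for Tiers 3-5
    cyber_score: int = 0
    adverse_media_hits: int = 0
    unconfirmed_sanctions_name_match: bool = False  # name-only hit, not verified as this entity
    established_history: bool = False
    soc2_type2_verified: bool = False
    strong_domain_health: bool = False
    thin_coverage: bool = False
    estimated_fields: int = 0


def confidence_score(ev: Evidence) -> int:
    """Start at 100 and deduct for gaps; reflects data availability, not accuracy."""
    score = 100
    score -= SOURCE_GAP_DEDUCTION * sum(1 for s in ev.sources if not (s.available and s.complete))
    if ev.thin_coverage:
        score -= THIN_COVERAGE_DEDUCTION
    score -= ESTIMATED_FIELD_DEDUCTION * ev.estimated_fields
    return max(0, score)


def base_tier(ev: Evidence) -> int:
    """Critical overrides High, High overrides the graded tiers; Tier 5 needs positive evidence."""
    critical = (ev.confirmed_sanctions_match, ev.recent_data_breach,
                ev.domain_flagged_malicious, ev.active_enforcement_action)
    if any(critical):
        return 1
    high = (ev.unresolved_regulatory_inquiry, ev.recent_fraud_or_major_lawsuit,
            ev.cyber_score < CYBER_SIGNIFICANTLY_LOW, not ev.registration_verified)
    if any(high):
        return 2
    # Assumption: an unconfirmed name-based match is not "clean sanctions screening"
    clean_sanctions = not ev.unconfirmed_sanctions_name_match
    if (ev.cyber_score >= CYBER_STRONG and ev.soc2_type2_verified and ev.established_history
            and clean_sanctions and ev.adverse_media_hits == 0 and ev.strong_domain_health):
        return 5
    if (ev.cyber_score >= CYBER_ACCEPTABLE and clean_sanctions and ev.established_history
            and ev.adverse_media_hits <= MINIMAL_MEDIA_HITS):
        return 4
    return 3


def assess(ev: Evidence) -> Dict[str, object]:
    """Combine tier and confidence; low confidence can only worsen the tier, never improve it."""
    conf = confidence_score(ev)
    tier = base_tier(ev)
    flags: List[str] = []
    if ev.unconfirmed_sanctions_name_match and not ev.confirmed_sanctions_match:
        flags.append("unconfirmed name-based sanctions match: manual verification required")
    if conf < CONFIDENCE_WARNING:
        flags.append("Data Coverage Warning")
    if conf < CONFIDENCE_TIER_FLOOR and tier > 3:
        flags.append(f"minimum tier escalated from Tier {tier} to Tier 3 (confidence {conf})")
        tier = 3
    return {"tier": tier, "confidence": conf, "flags": flags}


def sample_sources(unavailable: int = 0) -> List[SourceResult]:
    """Constructed: 23 generic sources, with the first `unavailable` of them down."""
    return [SourceResult(f"source-{i:02d}", available=i >= unavailable) for i in range(23)]


# Constructed vendor profile with positive evidence on every Tier 5 dimension
STRONG_VENDOR = dict(cyber_score=850, established_history=True,
                     soc2_type2_verified=True, strong_domain_health=True)

if __name__ == "__main__":
    print(assess(Evidence(sources=sample_sources(), **STRONG_VENDOR)))            # Tier 5
    print(assess(Evidence(sources=sample_sources(13), **STRONG_VENDOR)))          # floored to Tier 3
    print(assess(Evidence(sources=sample_sources(), confirmed_sanctions_match=True, **STRONG_VENDOR)))  # Tier 1
```

The ordering in `base_tier` is the whole point: a confirmed sanctions hit is checked before any positive signal is even looked at, so strong cyber scores cannot dilute it, and the confidence floor in `assess` runs after tier assignment so missing data can only pull a rating toward Tier 3, never away from it.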
The Role of AI
ThirdProof uses AI (large language model technology) to generate executive summaries, risk narratives, compliance framework context, and analytical conclusions within reports. Here is how responsibility is divided:
Determined by the deterministic rule engine:
- Risk tier assignment (Tier 1–5)
- Confidence score calculation
- Finding severity classification
- Escalation logic
- Compliance framework flag triggers
Generated by AI:
- Executive summary prose
- Finding descriptions and context
- Compliance framework narrative
- Recommended action language
- Data limitation explanations
Risk tier assignments are deterministic and reproducible. Given identical source evidence and the same methodology version, the rule engine produces the same tier. AI-generated narrative content may vary slightly in wording between assessments but does not influence the tier.
AI-assisted synthesis may produce outputs containing errors, omissions, or inaccuracies not present in underlying source data. Reports include source citations, confidence scores, and evidence chains to enable independent verification. Customers are responsible for verifying AI-generated narrative content before relying on it for material business decisions.
Independence
ThirdProof maintains structural independence from all investigated vendors and entities. This independence is not a policy — it is an architectural constraint.
- ThirdProof does not accept payment, compensation, data, or other consideration from investigated vendors in connection with the generation of reports
- Investigated vendors cannot influence, modify, suppress, or remove report findings through any commercial arrangement
- The deterministic rule engine assigns tiers based on rules applied to raw evidence; there is no pathway by which vendor commercial status can influence that output
ThirdProof’s revenue comes from customers (compliance officers, security teams) who pay to run assessments — not from the vendors being assessed.
Disputes & Corrections
ThirdProof provides a good-faith correction process for factual errors. This process protects both the accuracy of reports and the rights of investigated entities.
Who can submit a correction request
Customers who believe a report contains a material factual error attributable to ThirdProof’s data processing (rather than inaccuracies in underlying third-party source data) may submit a written correction request to support@thirdproof.ai within 90 days of the assessment date.
Investigated vendors who believe a report contains factually inaccurate information may contact ThirdProof directly. ThirdProof may, in its sole discretion, review the dispute and issue a corrected report if warranted.
What the process covers
- Evidence that a data source returned inaccurate information (e.g., a news article about a different company with a similar name)
- Entity identity confusion where assessment results were attributed to the wrong organization
- Data source errors where the underlying source has since been corrected
What the process does not cover
- Requests to change a risk tier because the vendor disagrees with the rating outcome
- Requests to suppress findings that are accurately sourced
- Requests to remove reports from the platform
ThirdProof reviews correction requests within 10 business days. If the error is confirmed, a corrected report is issued. Submission of a correction request, ThirdProof’s review, and issuance of a corrected report do not constitute an admission that the original report was inaccurate, negligent, or defamatory. Every correction is logged with the reason and the methodology version under which the correction was made.
Regulatory Framework Alignment
ThirdProof assessments map to recognized third-party risk management (TPRM) frameworks and regulatory guidance. The table below shows how each stage of the ThirdProof workflow corresponds to standard framework requirements.
| Framework | Requirement | ThirdProof Coverage |
|---|---|---|
| OCC 2023-17 | Third-Party Due Diligence (Stage 2) | 23+ parallel data sources covering sanctions, cyber risk, business legitimacy, adverse media, and compliance certifications |
| NIST SP 800-161r1 | Supply Chain Risk Assessment | Subprocessor discovery with sanctions screening, technology dependency detection, and supply chain threat intelligence |
| ISO 27036 | A.15.2.1 — Supplier Service Monitoring | Re-investigation capability enables periodic re-assessment; API integration enables automated monitoring triggers |
| SOC 2 | CC9.2 — Risk Assessment Process | Documented methodology, deterministic rule engine with published thresholds, full evidence chain, and confidence score decomposition |
| SIG / SIG Lite | Risk Domain Coverage | Maps to Information Security, Privacy, Business Continuity, Compliance & Legal, and Cybersecurity domains through specialized data sources |
| GDPR Art. 28 | Processor Due Diligence | Subprocessor discovery scans vendor pages; GLEIF corporate verification; sanctions screening; trust page certification checks |
ThirdProof automates the investigative core of TPRM (OSINT gathering, risk scoring, report generation) in under 2 minutes per vendor. A human analyst typically spends 15 – 20 hours on equivalent outside-in due diligence. ThirdProof enables analysts to review a structured, evidence-backed report in minutes rather than building one from scratch over days. Human judgment is preserved through the reviewer approval workflow.
| TPRM Workflow Step | Manual Effort | ThirdProof |
|---|---|---|
| Intake & scoping | 30 – 60 min | 2 min (vendor name + category + data access) |
| OSINT gathering | 1 – 3 hours | ~30 sec (23+ sources in parallel) |
| Vendor questionnaire | 2 – 6 weeks | N/A — outside-in by design |
| Evidence review | 1 – 2 weeks | ~5 sec (trust page scan + registry check) |
| Risk analysis | 2 – 4 hours | ~1 sec (30+ deterministic rules) |
| Report writing | 2 – 4 hours | ~15 sec (AI synthesis + PDF) |
| Review & approval | 1 – 3 days | Same (reviewer workflow preserved) |
Version History
Every report generated by ThirdProof identifies the methodology version in effect at the time of assessment. Assessments conducted under different methodology versions may produce different results for the same entity. Material methodology updates are communicated to active customers with at least 30 days written notice before taking effect.
| Version | Effective Date | Summary |
|---|---|---|
| 1.0 | February 22, 2026 | Initial published methodology. 5-tier risk framework, deterministic rule engine, confidence scoring. |
| 1.1 | February 25, 2026 | Added compliance verification, supply chain analysis, and regulatory filing source categories. Introduced entity name verification across sanctions, business registry, regulatory, and bank registry sources. Aspirational certification language detection for trust page scanning. |
Reports generated by ThirdProof constitute automated analytical opinions based on publicly available data and this published methodology. Reports are not certifications, guarantees, audit determinations, or legal advice. ThirdProof is not an auditor, certifying body, consumer reporting agency, regulatory authority, or legal advisor. Reports are one input into a broader vendor risk management program and are not a substitute for independent due diligence, professional judgment, or legal counsel. For questions about this methodology, contact legal@thirdproof.ai.