Dormouse.
Dormouse watches your vendors' subprocessor lists, DPAs, and trust pages, tells you when something meaningful changes, and hands you a tamper-evident monthly report that answers the question with proof instead of a shrug.
SOC 2 CC9.2 and ISO 27001 A.15 expect you to monitor your vendors for changes. In practice that means someone opens forty subprocessor pages once a quarter, or nobody does. Meanwhile your payment processor adds a subprocessor, your data goes somewhere new, and your DPA obligations start ticking. Dormouse does the checking every twelve hours and keeps evidence you can hand over.
Send us your vendor list. Their subprocessor pages, DPAs, trust centers, and terms go under watch. Nineteen major SaaS vendors are pre-tuned; anything with a URL can be added.
Checks every twelve hours with noise suppression, so a rotating banner never pages you. Meaningful changes are classified by severity with a one-sentence summary of who should care, delivered to email, text, or Slack.
A signed coverage report: every check performed, every change caught, every source verified against a hash-chained audit trail. Drop it in the audit folder and answer the question in one attachment.
Every check dormouse runs is chained to the one before it, so history cannot be quietly rewritten, by us or anyone else. Snapshots are content-addressed, so what a page said on a given date is verifiable byte for byte. This is live output from the production watcher.
The same engine has watched FDA, EMA, EPA, and Federal Register feeds continuously as a public burn-in. Silence is a signal too: a watchdog raises the alarm when any source goes dark, because a gap in coverage is itself a finding.
Subprocessor and trust pages verified and noise-tuned for the vendors most B2B startups depend on. Your own vendors join the watch during onboarding.
Ten founding slots. When they are gone, the rate doubles and stays there.
Become a founding customer