Dormouse watches your vendors' subprocessor lists, DPAs, and trust pages, tells you when something meaningful changes, and hands you a tamper-evident monthly report that answers the question with proof instead of a shrug.
SOC2 CC9.2 and ISO 27001 A.15 expect you to monitor your vendors for changes. In practice that means someone opens forty subprocessor pages once a quarter, or nobody does. Meanwhile your payment processor adds a subprocessor, your data goes somewhere new, and your DPA obligations start ticking. Dormouse does the checking every twelve hours and keeps evidence you can hand over.
Send us your vendor list. Their subprocessor pages, DPAs, trust centers, and terms go under watch. Nineteen major SaaS vendors are pre-tuned; anything with a URL can be added.
Checks every twelve hours with noise suppression, so a rotating banner never pages you. Meaningful changes are classified by topic and severity with a one-sentence summary of who should care, delivered to email or Slack.
A signed coverage report: every check performed, every change caught, every source verified against a hash-chained audit trail. Drop it in the audit folder and answer the vendor-monitoring question in one attachment.
Every check dormouse runs is chained to the one before it, so history cannot be quietly rewritten, by us or anyone else. Snapshots are content-addressed, so what a page said on a given date is verifiable byte for byte. This is live output from the production watcher, right now:
The same engine has been watching FDA, EMA, EPA, and Federal Register feeds continuously as a public burn-in. Silence is a signal too: a watchdog raises the alarm when any source goes unreachable, because a gap in coverage is itself a finding.
Subprocessor and trust pages verified and noise-tuned for the stack most B2B startups already run. Your own vendors join the watch during onboarding.
Ten founding slots. When they are gone, the rate doubles and stays there.
Become a founding customer