POPIA-first vendor risk assessment

Your vendors say they're compliant.
Make them prove it.

Audit and Comply puts every vendor through a structured, evidence-backed compliance assessment before they touch your data — scored automatically, reviewed properly, and logged immutably for the day a regulator asks.

Free to start. The pre-assessment needs no sign-up at all.

The product

A questionnaire is easy to pass.
An audit isn't.

Self-attested spreadsheets catch nothing. Audit and Comply makes every "yes" earn its points — with evidence, review, and consequences when the answer is wrong.

Kill questions

Mandatory requirements that end the debate

A vendor that won’t sign a data-processing agreement, trains models on your data, or can’t commit to breach notification is flagged Non-Compliant instantly — no matter how good the rest of the answers look.

Evidence, not promises

Every claim backed by a document

Certificates, DPAs, pen-test attestations and insurance are uploaded per question, reviewed per assessment, and tracked for expiry with 60/30/7-day reminders. An expired mandatory document degrades the vendor’s status automatically.

Automatic scoring

Scored the moment it’s submitted

Weighted sections, evidence-gated points, and risk bands from Low to Critical. Inherent risk from the vendor’s tier, residual risk from their answers — both on the record.

Review workflow

Four-eyes where it matters

Reviewers verify evidence, raise clarification threads, and override scores only with a written justification. High-risk vendors need a second compliance manager to confirm any outcome.

Remediation & risk acceptance

Findings that actually close

Every gap becomes a finding with an owner and a due date. Vendors respond with corrective evidence in the portal. Risk acceptances need a named senior owner — and reopen automatically when they expire.

Audit trail

Reconstruct anything, years later

Every answer, override, verdict and outcome is logged append-only — immutable to every role, administrators included. One click exports a regulator-ready assessment report.

How it works

From onboarding to recertification, one lifecycle.

Every transition logged with who, what and when — and the schedule keeps itself: recertification per risk tier, evidence expiry watched continuously in between.

STEP 01

Register the vendor

Name, tier, data types accessed — or import your whole vendor book from CSV.

STEP 02

Issue the assessment

The right questionnaire for the vendor’s category and risk tier, delivered with a secure invitation.

STEP 03

Vendor completes it

Section by section with plain-language help, saving as they go, evidence attached where it’s mandatory.

STEP 04

Scored on submission

Instant score, risk rating and kill-question verdict. Non-compliance is visible the second it exists.

STEP 05

Outcome & remediation

Approve, approve with conditions, or send findings back for remediation — with recertification scheduled automatically.

Built for South African responsible parties

POPIA isn't a section of the questionnaire.
It's the spine of it.

Every question is tagged to the statute it serves — operator agreements, breach notification, cross-border transfers, special personal information — with GDPR and ISO 27001 mappings alongside, so one assessment answers three frameworks.

POPIA ss 20–21 · Operator agreements & safeguardsPOPIA s 22 · Breach notification dutiesPOPIA s 72 · Cross-border transfersPOPIA ss 23–25 · Data subject rightsPOPIA ss 26–35 · Special personal informationPOPIA ss 55–57 · Information Officers & prior authorisation

Put your vendors on the record.

Register your company, add your first vendor, and issue an evidence-backed assessment today.

Create your company account

or try the 2-minute vendor pre-assessment →