A new AI supplier is asking for approval, but the evidence is scattered.
For Procurement
Approve AI suppliers with evidence, not email threads.
Request Evidence Passports, track missing supplier evidence, coordinate DPO and CISO review, and record access decisions — before AI tools reach your data.
Supplier Evidence Workflow
- Supplier Request: New AI vendor
- Evidence Request: Passport requested
- Vendor Dock: Passport completed
- DPO / CISO Review: Compass routes
- Access Decision: Cleared · Limited · Blocked
- Renewal Monitor: Tide sweeps
Northstar HR Copilot
Employee query handling · HR platform
The security questionnaire is no longer enough.
AI vendors process personal data, use external model APIs, deploy agents, and access internal systems. A generic questionnaire cannot capture that evidence. A structured Passport can.
The shift
From questionnaires to Evidence Passports.
Without AffectLog
- New vendor, new questionnaire — every time
- Evidence in emails, PDFs, and spreadsheets
- No standard format — incomparable across vendors
- DPO/CISO sign-off delays the purchase cycle
- Renewal dates tracked in spreadsheets
- No audit trail for who approved what
- Re-approved AI tools with no updated evidence
With Provena
- Vendor completes one Passport — reused across buyers
- Evidence structured, signed, and linked to decision
- Comparable evidence format across all suppliers
- Compass routes to DPO/CISO automatically by risk tier
- Tide Monitor sweeps hourly — alerts before lapse
- Full decision log: actor, role, timestamp, rationale
- Renewal triggers evidence refresh before re-approval
What gets fixed
Common procurement blockers — resolved.
New AI vendor. Same manual questionnaire. No standard. No audit trail.
Evidence Passports replace one-off questionnaires. Vendors complete once — you receive the same structured profile for every deal.
DPO and CISO sign-offs are blocking the purchase cycle.
Compass Review routes the Passport to the right reviewer automatically, based on risk tier and data categories.
Renewal dates in spreadsheets no one checks until it is too late.
Tide Monitor sweeps hourly. Alerts arrive before renewal lapses — not after the AI tool is already re-approved without evidence.
No record of who approved which tool, when, and under what conditions.
Every access decision is logged: actor, role, timestamp, rationale, and access conditions. Exportable for compliance review.
How it works
From supplier request to access decision — in one workflow.
Every step is logged. Every reviewer is named. Every access decision is traceable.
Map your AI estate
Provena Scan discovers tools already in use — before the next vendor pitch.
Request a Passport
Send vendors a structured evidence request via Vendor Dock. They complete it once.
Route to reviewers
Compass routes the Passport to DPO, CISO, or Procurement based on risk tier.
Record the decision
Approve, restrict, or block. Access conditions and rationale are logged.
Monitor renewals
Tide Monitor tracks every approval expiry. No silent lapses.
Real scenario
A new AI HR tool wants access before the annual review cycle.
The trigger
HR wants to deploy an AI tool to support employee performance reviews. It processes EU employee data and uses an external model API.
The gap
No DPIA. No DPA signed with the vendor. Unknown whether data is used for model training. No evidence of Art. 9 legal basis.
The action
Procurement requests an Evidence Passport via Vendor Dock. Compass routes to DPO for privacy review and CISO for security review.
The outcome
Tool approved with limits: EU data only, no training use, no agent access, DPA signed, annual renewal required. All logged.
Role handoff — Compass Review
- Procurement: Requests Passport from vendor
- DPO: Reviews data categories, legal basis, DPIA status
- CISO: Reviews security posture, agent tools, egress
- Procurement: Records access decision with conditions
Signal Receipts generated at each review stage.
Evidence coverage
What every Passport answers for procurement.
What data does this AI system process?
Data categories, personal data flags, Art. 6 and Art. 9 legal basis.
Is data used for model training?
Raw training use flag — on/off — explicit in every Passport.
Who are the subprocessors and where is data hosted?
Subprocessor list, hosting region, and data transfer controls.
What security certifications does the vendor hold?
ISO 27001, SOC 2, pen test dates, vulnerability disclosure, encryption standards.
When does this approval expire?
Expiry date on every Passport. Tide Monitor alerts before lapse.
What are the access conditions?
Restrictions logged alongside the access decision: data scope, usage limits, monitoring requirements.
Common questions
How AffectLog fits your current workflow.
“We already have a security questionnaire process.”
Security questionnaires are one-off, unstructured, and non-reusable. Evidence Passports are structured, reusable, and linked to a decision record. Vendors complete once — you request the same profile for every new deal.
“Legal handles our vendor reviews.”
AffectLog does not replace legal review. It structures the technical and operational evidence that legal needs to make an informed decision — faster and with a complete audit trail.
“We already have Vanta / SOC 2.”
SOC 2 covers a vendor's internal controls. It does not tell you what data your specific AI system processes, whether it trains on your data, or whether the agent can act on internal systems. That is what Evidence Passports capture.
“This will slow down vendor onboarding.”
Passports speed up onboarding once a vendor has completed theirs. The first request takes time. Every subsequent buyer request is answered instantly from the existing Passport.
Get started
Start with your AI supplier estate.
Two weeks. Clear evidence.
Provena Scan maps which AI suppliers already have access to your data, which evidence is missing, and which systems need DPO or CISO review.
AffectLog provides technical and operational evidence to support AI access, supplier-risk, security, privacy, and governance review. Not legal advice, certification, or regulatory approval.