SaaSDossier

Methodology · How a dossier is built

Calm, bounded, and traceable.

Every dossier records what a vendor publishes — nothing inferred, nothing judged. Here is exactly how each one is prepared.

The 55-field framework

Every dossier follows the same framework of 55 control fields across 10 domains, so any two dossiers are directly comparable. Identity and legal entity are treated as their own domain; the remaining nine cover attestations, privacy, encryption, infrastructure, access, incident practice, subprocessors, AI governance, and secure development.

  • Identity & legal entity
  • Standards & attestations
  • Privacy & compliance
  • Encryption & key management
  • Infrastructure & hosting
  • Access control
  • Vulnerability & incident response
  • Subprocessors & supply chain
  • AI governance
  • Secure development & organization

Two independent reviews, one human reconciliation

Each vendor's published sources are reviewed twice, independently. The two reviews are compared field by field. Where they differ, a human reviewer (A. Vale · SD-R01) resolves the difference against the vendor's source text before the dossier is released. The reviewer's initials appear on every dossier.

Source rules

Built only from vendor-published sources — trust and security centers, privacy and legal pages, data-processing terms, status pages, subprocessor lists, and published documentation. No third-party articles, news, or opinions are used as evidence. Every line traces to a source in the register, and each dossier carries a SHA-256 integrity record so the released file can be confirmed unchanged.

The two states

Documented

Found in the vendor's published sources, quoted and cited in the vendor's own words.

Question surfaced

Not identified in the vendor-published sources reviewed. This does not establish absence of the control.

Frequently asked

What is a SaaSDossier?

A SaaSDossier is a finished PDF record of what a software vendor publishes about its security, privacy, and compliance — the vendor's own record, made reviewable. Every field is either Documented, with the vendor's words quoted and cited, or a Question surfaced for you to raise. It is one structured, source-linked document, not a folder of raw links.

What do “Documented” and “Question surfaced” mean?

Those are the only two states. Documented means the field was found in the vendor's published sources, quoted and cited. Question surfaced means: “Not identified in the vendor-published sources reviewed. This does not establish absence of the control.” It is a prompt for your own follow-up, never a judgment.

Does a dossier decide whether a vendor is good or bad?

No. A dossier records what the vendor publishes — nothing more. There is no third state and no number that says good or bad. It gives you the vendor's own record so you can reach your own conclusion: clarity before commitment.

Where does the evidence come from?

Only from the vendor's own published pages — trust and security centers, privacy and legal pages, data-processing terms, status pages, and subprocessor lists. Every line traces to a source, and each dossier carries a SHA-256 integrity record. No third-party articles or opinions are used as evidence.

How is each dossier prepared?

Each vendor's published sources are reviewed twice, independently. The two reviews are compared field by field. Where they differ, a human reviewer (A. Vale · SD-R01) resolves the difference against the vendor's source text before the dossier is released.

Can I see the format before I buy?

Yes. The OpenAI Public Edition is free and complete — the same 55-field framework, evidence ledger, source register, and integrity record as every Licensed Edition. It is the smallest credible first step: see the format, then decide.

What does a Licensed Edition cost, and what may I do with it?

Each Licensed Edition is US$1,500. The license permits internal review use within your organization — vendor-risk, procurement, GRC, or security review. For anything beyond that, contact contact@saasdossier.com.

Disclaimer. SaaSDossier is independent documentation research. It is not an audit, certification, rating, legal opinion, vendor approval, or substitute for professional vendor-risk, legal, procurement, GRC, vCISO, or security review. Built only from the vendor's own published pages, reviewed as of each dossier's evidence date; those pages may change after preparation. No relationship with, or endorsement by, any vendor is implied.