A free vendor security & third-party risk assessment for any product you’re evaluating. Capture the vendor’s security, compliance and operations answers in one structured questionnaire — and see IsItPatched’s independently-verified vulnerability data right alongside. Two data origins, never blended. Browser-first, no login to start.
Independently checked by IsItPatched. Sourced from NVD · CISA KEV · EPSS · endoflife.date — not the vendor’s claim, and not editable.
Pick a tracked product above to load its verified vulnerability, exploitation and end-of-life data.
Self-reported — entered by you. Not verified by IsItPatched. These are the vendor’s stated answers, recorded by you.
Security
Single sign-on (SSO / SAML / OIDC): Centralises authentication so access is granted, revoked and audited in one place — and killed instantly when someone leaves.
Points to consider — Ask how accounts are provisioned and de-provisioned without SSO, and how fast a departing user loses access.
Multi-factor authentication (MFA): Blocks the credential-stuffing and phishing attacks behind most account takeovers, even after a password leaks.
Points to consider — Ask whether MFA can be enforced (not just optional), and what protects admin accounts in the meantime.
Role-based access control (RBAC): Limits each user to what their role needs, containing the blast radius if an account is compromised.
Points to consider — Ask how least-privilege is enforced and whether admin access is separated from everyday use.
Audit logs: Let you reconstruct who did what after an incident — and spot misuse before one.
Points to consider — Ask what activity is logged, how long logs are retained, and whether you can access or export them.
Encryption at rest: Protects stored data if disks, backups or a database are stolen or exposed.
Points to consider — Ask which data stores are encrypted and how the encryption keys are managed.
Encryption in transit: Stops data being intercepted between you and the vendor, and between their internal services.
Points to consider — Ask whether TLS is enforced everywhere, including service-to-service traffic.
Documented incident-response plan: A tested plan is the difference between a contained incident and a chaotic breach.
Points to consider — Ask whether the plan is tested, and what their breach-notification commitment to you is.
Penetration test in the last 12 months: Independent testing finds exploitable issues that internal reviews miss.
Points to consider — Ask who tested, the scope and date, and whether you can see a summary or remediation status.
Compliance · Held? Add scope / expiry in the note.
ISO/IEC 27001: Independent certification that the vendor runs a managed information-security program (ISMS).
Points to consider — Ask if certification is in progress, or which framework they manage security against instead.
SOC 2 (Type I / II): An independent auditor's report on security controls — Type II covers how they operated over time, not just one day.
Points to consider — Ask for the report under NDA, the type (I vs II), the period covered, and any exceptions noted.
GDPR: Governs how EU/UK personal data is handled — relevant if any personal data flows through the product.
Points to consider — Ask how they handle personal data, data-subject requests, and where data is processed.
Cyber Essentials / Plus: A UK baseline certification covering five core technical controls — often required for public-sector work.
Points to consider — Ask whether they meet the five controls and if certification is planned.
PCI-DSS: Required if the product stores, processes or transmits payment-card data.
Points to consider — Ask whether cardholder data is in scope at all, and for their Attestation of Compliance (AOC) if so.
HIPAA: Required if the product touches US protected health information (PHI).
Points to consider — Ask whether PHI is in scope, and whether they will sign a Business Associate Agreement (BAA).
Operations
SLA available: A committed uptime/response target you can hold them to — and a basis for credits if missed.
Points to consider — Ask for their target availability and what remedies apply when it is missed.
Public status page: Transparent, real-time visibility into outages and incidents without raising a ticket.
Points to consider — Ask how you will be notified of outages and incidents.
Disaster recovery (DR) documented: Shows they can recover the service after a major failure — and how long that takes (RTO/RPO).
Points to consider — Ask for their recovery objectives (RTO/RPO) and whether DR is tested.
Backup strategy documented: Determines whether your data can be restored after corruption, deletion or ransomware.
Points to consider — Ask about backup frequency, retention, and whether restores are actually tested.
Data residency options: Controls which country/region your data is stored in — often a legal or contractual requirement.
Points to consider — Ask where data is stored and processed, and whether the region can be pinned.
Sub-processor list available: Reveals the third parties that can access your data — your risk extends to their supply chain.
Points to consider — Ask for the sub-processor list and how you are notified of changes.
Your work auto-saves as a draft on this device. Sign in to save it to your vendor assessments, keep it across devices, and export a clean report.
How it works
Does IsItPatched verify the vendor’s answers?
No. The questionnaire is self-reported — entered by you (or, on Pro, by the vendor). IsItPatched never asserts a vendor’s certifications, controls or breaches as its own claim. It independently verifies only the software-composition layer (known vulnerabilities, active exploitation and end-of-life) from public sources, and keeps that strictly separate from the self-reported answers.
Where does the verified section's data come from?
The IsItPatched-verified section is sourced from NVD (CVE severity), CISA KEV (active exploitation), FIRST EPSS (exploitation probability) and endoflife.date (support status). It only appears for products we already track; it is never editable.
Do I need an account?
No — you can create and fill an assessment with no login, and your work is auto-saved as a draft on this device. Signing in lets you save it to your vendor assessments, keep it across devices and export a clean report.
Is there a single combined score?
No, deliberately. Blending self-reported answers with IsItPatched-verified data would launder unverified claims into a trusted number. The verified health score stands alone, scoped to software composition; the questionnaire stands alone as self-reported.
Self-reported fields are entered by the user and are not verified by IsItPatched. Verified fields are sourced from public vulnerability data (NVD, CISA KEV, EPSS, endoflife.date). IsItPatched is independent and not affiliated with those bodies, and this tool does not constitute a security audit or legal advice. See our disclaimer.