SAMPLE. This is a fabricated example. acmecorp.com is a placeholder. All findings below are illustrative only and do not reflect any real vendor.
Vendor Risk Evidence Bundle

Acme Software, Inc.

Domain: acmecorp.com
Prepared for: Casey Procurement (casey@buyerco.example)
Order: cs_test_a1b2c3d4e5f6
Scrape date: 2026-05-21T14:22:08Z
Report date: 2026-05-21
Prepared by: Palavir LLC

1. Executive Summary

This document is a point-in-time evidence bundle assembled from the target's public trust and safety surfaces. It is not a SOC 2 audit, a penetration test, or legal advice. It is a fact-pattern intended for a procurement or vendor risk file.

Surfaces published:   11
Surfaces not found:   6
Items to review:      2
Public posture score: 65

Compliance check: No exact or high-confidence matches against OFAC, LEIE, or SAM exclusion lists.

Scrape duration: 18s across 17 URLs.

2. Scope and Methodology

The scrape targets only public URLs at conventional paths and subdomains. No authentication is used, no active scanning is performed, and no robots.txt-blocked resources are fetched. DNS lookups are standard recursive resolutions. TLS certificate inspection is a passive read of the handshake. The WHOIS pull uses a third-party API (whoisxmlapi). The Compliance API check screens the supplied legal entity name against the U.S. Treasury OFAC SDN list, the OIG LEIE list, and the SAM.gov exclusion list. Coverage is approximately 269,000 records as of the report date.

3. Findings by Public Surface

| Surface | URL | Status | Note |
| --- | --- | --- | --- |
| security.txt | https://acmecorp.com/.well-known/security.txt | PUBLISHED | Published. 412 bytes captured. Security contact: security@acmecorp.com. |
| Privacy policy | https://acmecorp.com/privacy | PUBLISHED | Published. 38,402 bytes captured. |
| Security page | https://acmecorp.com/security | PUBLISHED | Published. 21,118 bytes captured. |
| Trust center | https://acmecorp.com/trust | PUBLISHED | Published. 15,604 bytes captured. |
| Sub-processors | https://acmecorp.com/sub-processors | PUBLISHED | Published. 8,902 bytes captured. 14 third-party sub-processors listed. |
| Terms of service | https://acmecorp.com/terms | PUBLISHED | Published. 44,810 bytes captured. |
| GDPR page | https://acmecorp.com/gdpr | PUBLISHED | Published. 9,210 bytes captured. |
| CCPA page | https://acmecorp.com/ccpa | NOT FOUND | Not published at conventional URL. CCPA references may live inside the privacy policy. |
| Certifications | https://acmecorp.com/certifications | NOT FOUND | No certifications index page. SOC 2 and ISO 27001 logos appear on /security but no badge or report link. |
| Status subdomain | https://status.acmecorp.com/ | PUBLISHED | Published. Statuspage.io hosted. Uptime visible 90 days. |
| Legal index | https://acmecorp.com/legal | PUBLISHED | Published. Aggregates terms, privacy, DPA links. |
| TLS certificate | https://acmecorp.com | PUBLISHED | Issuer Cloudflare Inc ECC CA-3, expires 2026-08-14 (85 days). TLSv1.3 / TLS_AES_256_GCM_SHA384. |
| SPF record | txt:acmecorp.com | PUBLISHED | v=spf1 include:_spf.google.com include:mailgun.org ~all |
| DMARC record | txt:_dmarc.acmecorp.com | REVIEW | v=DMARC1; p=none; rua=mailto:dmarc@acmecorp.com. Policy is monitor-only, not enforcing. |
| MTA-STS | txt:_mta-sts.acmecorp.com | NOT FOUND | No MTA-STS policy advertised. |
| Privacy variant | https://acmecorp.com/privacy-policy | NOT FOUND | Redundant path not used. Main policy lives at /privacy. |
| Compliance index | https://acmecorp.com/compliance | NOT FOUND | No /compliance index page. |

4. DNS and TLS Posture

SPF

v=spf1 include:_spf.google.com include:mailgun.org ~all

DMARC

v=DMARC1; p=none; rua=mailto:dmarc@acmecorp.com; ruf=mailto:dmarc@acmecorp.com; adkim=s; aspf=s

MTA-STS

not configured

CAA

0 issue "letsencrypt.org"
0 issue "digicert.com"
0 iodef "mailto:security@acmecorp.com"

TLS

Issuer:     Cloudflare Inc ECC CA-3
Subject:    acmecorp.com
Valid from: Feb 14 00:00:00 2026 GMT
Valid to:   Aug 14 23:59:59 2026 GMT
Days left:  85
Protocol:   TLSv1.3
Cipher:     TLS_AES_256_GCM_SHA384

5. Federal Exclusion Screening

Entity screened: Acme Software, Inc.

Lists checked: OFAC SDN, OIG LEIE, SAM.gov exclusions.

No matches at exact or high-confidence threshold.

| Source | Match name | Score | Details |
| --- | --- | --- | --- |
| SAM | ACME SOFTWARE LTD (Belize) | 61.2% | Name collision, different jurisdiction. Low confidence. |

Match scores are fuzzy. An exact or high-confidence hit is rare and should be cross-checked against the official source list. Medium and low scores are name collisions in the vast majority of cases.

6. Certification Mentions Matrix

URL | SOC 2 | ISO 27001 | HIPAA | GDPR | CCPA | PCI-DSS | FedRAMP
https://acmecorp.com/security | Y Y Y Y
https://acmecorp.com/trust | Y Y Y Y
https://acmecorp.com/privacy | Y Y Y

Mention != certification. Treat each row as a starting point for a vendor questionnaire.

7. WHOIS Snapshot

Registrar:         MarkMonitor, Inc.
Registered on:     2009-06-12
Expires on:        2027-06-12
Registrant org:    Acme Software, Inc.
Country:           US
Domain age (days): 6,187
Error:

8. Recommendations

  1. Move DMARC policy from p=none to at least p=quarantine before enforcing in the buyer's email ingress rules.
  2. Request the most recent SOC 2 Type II report under a one-way NDA. Mentions on /security are not the same as a report.
  3. Confirm whether CCPA disclosures live inside /privacy or require a separate request.
  4. Consider asking the vendor to publish an MTA-STS policy if mail flows are sensitive.
  5. Re-run this bundle 12 months from now or upon a material change in the contract.
  6. For federal procurement use cases, run an independent SAM.gov search on the entity at sam.gov/search.

Appendix A: Raw Surface Snippets

security_txt

URL: https://acmecorp.com/.well-known/security.txt
Status: 200
Content-Type: text/plain
Length: 412 bytes
Duration: 142ms
Snippet:
Contact: mailto:security@acmecorp.com
Expires: 2027-01-01T00:00:00Z
Encryption: https://acmecorp.com/.well-known/pgp-key.txt
Preferred-Languages: en
Canonical: https://acmecorp.com/.well-known/security.txt
Policy: https://acmecorp.com/security/policy
Hiring: https://acmecorp.com/careers/security

privacy

URL: https://acmecorp.com/privacy
Status: 200
Content-Type: text/html; charset=utf-8
Length: 38,402 bytes
Duration: 318ms
Snippet:
Acme Software, Inc. Privacy Policy. Last updated April 14, 2026.
This Privacy Policy describes how Acme Software, Inc. ("Acme", "we", "us", or "our") collects,
uses, and shares information when you use our products and services...

sub_processors

URL: https://acmecorp.com/sub-processors
Status: 200
Content-Type: text/html; charset=utf-8
Length: 8,902 bytes
Duration: 198ms
Snippet:
Sub-processors. Last updated March 30, 2026. The following sub-processors may process Customer
Data on behalf of Acme: Amazon Web Services (US), Stripe (US), Twilio (US), Datadog (US),
Cloudflare (US), Mailgun (US), Segment (US), Mixpanel (US), Auth0 (US), Sentry (US),
Snowflake (US), HubSpot (US), Zendesk (US), Linear (US).

Appendix B: Methodology Limits

This deliverable reflects only data the target chose to publish or that was visible at the DNS or TLS layer at the time of the scrape. Absence of a published surface is not evidence of absence of a control. This bundle is not legal advice and does not constitute a SOC 2 audit, an ISO 27001 audit, a penetration test, or a controls attestation. Palavir LLC offers no opinion of fitness for any particular purpose. The buyer is responsible for any procurement, contracting, or risk-treatment decisions made on the basis of this report.