Compliance & certifications
Which certifications are in force, their scope, and the date of last attestation: SOC 2 Type II, ISO 27001, ISO 42001, GDPR, and HIPAA.
SOC 2 Type II · 2024 · trust center
Every score is built from evidence on the record. Each vendor is evaluated against four weighted dimensions, every finding cites the primary document or signal it rests on, and every vendor is reassessed weekly.
Swanum scores governance readiness from evidence that can be cited and checked. No surveys, no analyst sentiment, no pay-to-rank. A vendor cannot buy a position, and an opinion cannot move a score.
Each vendor is evaluated against four independent dimensions, combined into a single 0–100 score.
Which certifications are in force, their scope, and the date of last attestation: SOC 2 Type II, ISO 27001, ISO 42001, GDPR, and HIPAA.
SOC 2 Type II · 2024 · trust center
DPA availability, sub-processor disclosure, data residency, retention terms, and whether customer data trains the vendor's models — read from the binding terms themselves.
DPA · published · data not used for training
Email authentication (SPF / DKIM / DMARC), TLS configuration, known CVE exposure, and public breach records — tested against live infrastructure and public registries.
DMARC · p=reject · live DNS
Operating history, ownership and funding transparency, and operational continuity — objective indicators of whether the vendor is durable, never opinion.
Incorporated 2019 · funding disclosed
Every finding carries one of two grades, shown alongside it. The distinction is the honest core of the score: what Swanum tested, versus what a vendor has stated on the record.
Signals tested against the vendor's live infrastructure and public records — email authentication, TLS, CVE exposure, and breach history — observed at assessment time. Swanum produces these findings firsthand.
TLS 1.3 · valid chain · observed 2026-07-12
Certifications and legal terms originate from the vendor's own published record — certification registry, trust center, DPA. Swanum records the attestation and links the primary document. This is not an independent audit; it confirms what the vendor has stated, and where.
ISO 27001 · certification registry · linked
The 0–100 score maps to four tiers.
Every tracked vendor is re-evaluated weekly. Each document and signal is compared against its prior state, so a single changed clause, a dropped certification, or a newly disclosed vulnerability is detected and surfaced. Score history is retained, so the trajectory of a vendor's governance — improving or eroding — stays on the record alongside the current score.
Every Swanum vendor brief is built this way, each finding linked to its primary source and graded. Browse the governance readiness leaderboard or request enterprise access.