Assessment Methodology

How Swanum assesses AI vendor risk

Every score is built from evidence on the record. Each vendor is evaluated against four weighted dimensions, every finding cites the primary document or signal it rests on, and every vendor is reassessed weekly.

Core principle

Swanum scores governance readiness from evidence that can be cited and checked. No surveys, no analyst sentiment, no pay-to-rank. A vendor cannot buy a position, and an opinion cannot move a score.

  • Evidence on the record. Every finding traces to a certification, a contract clause, a DNS record, a CVE, or a public filing — never to a community vote or a marketing claim.
  • Each finding cites its source. Every signal links to the primary document or record it rests on, so any score can be traced back to what produced it.
  • Reassessed weekly. Each vendor is re-evaluated on a weekly cycle. A score reflects the current state of the record, not a one-time snapshot.
  • Unverifiable is not penalized. A signal that cannot be confirmed is recorded as unknown, not counted against the vendor.

The four weighted dimensions

Each vendor is evaluated against four independent dimensions, combined into a single 0–100 score.

35%

Compliance & certifications

Which certifications are in force, their scope, and the date of last attestation: SOC 2 Type II, ISO 27001, ISO 42001, GDPR, and HIPAA.

SOC 2 Type II · 2024 · trust center
25%

Legal & data governance

DPA availability, sub-processor disclosure, data residency, retention terms, and whether customer data trains the vendor's models — read from the binding terms themselves.

DPA · published · data not used for training
25%

Security posture

Email authentication (SPF / DKIM / DMARC), TLS configuration, known CVE exposure, and public breach records — tested against live infrastructure and public registries.

DMARC · p=reject · live DNS
15%

Market & stability

Operating history, ownership and funding transparency, and operational continuity — objective indicators of whether the vendor is durable, never opinion.

Incorporated 2019 · funding disclosed

How each finding is graded

Every finding carries one of two grades, shown alongside it. The distinction is the honest core of the score: what Swanum tested, versus what a vendor has stated on the record.

Directly verified

Signals tested against the vendor's live infrastructure and public records — email authentication, TLS, CVE exposure, and breach history — observed at assessment time. Swanum produces these findings firsthand.

TLS 1.3 · valid chain · observed 2026-07-12
Attested and cited

Certifications and legal terms originate from the vendor's own published record — certification registry, trust center, DPA. Swanum records the attestation and links the primary document. This is not an independent audit; it confirms what the vendor has stated, and where.

ISO 27001 · certification registry · linked

Risk tiers

The 0–100 score maps to four tiers.

85–100 Low risk Strong, current evidence across all four dimensions with no material gaps.
65–84 Moderate risk Solid governance evidence with a small number of gaps or dated attestations.
45–64 Conditional Meaningful gaps in evidence; suitable only with added controls or contractual safeguards.
0–44 High risk Missing, expired, or contradicted evidence on core governance and security signals.

Reassessment

Every tracked vendor is re-evaluated weekly. Each document and signal is compared against its prior state, so a single changed clause, a dropped certification, or a newly disclosed vulnerability is detected and surfaced. Score history is retained, so the trajectory of a vendor's governance — improving or eroding — stays on the record alongside the current score.

Scope & limitations

  • Swanum assesses each vendor from public and vendor-published evidence.
  • Swanum does not perform penetration testing and does not audit internal controls.
  • A high score reflects strong public governance evidence — it is not a guarantee of security.
  • Findings are current as of each weekly assessment; the record can change between cycles.

See the methodology applied

Every Swanum vendor brief is built this way, each finding linked to its primary source and graded. Browse the governance readiness leaderboard or request enterprise access.