Transparency & Sources

Every fact in a Swanum vendor brief is traced to an authoritative source and linked. Nothing is produced by guessing. Here is exactly where the data comes from and what independence means to us.

Independence Policy

Swanum does not accept paid placement, sponsored reviews, or vendor payments of any kind. No AI tool company can influence its own governance readiness score. Every fact is drawn from official, publicly verifiable sources — never from vendor-supplied marketing or pay-to-play arrangements.

Where the Data Comes From

We only use authoritative, primary sources. A signal is attributed to a vendor only when the source itself attributes it — we never keyword-match or infer.

  • NVD / NIST — known vulnerabilities (CVEs), matched to a vendor only via the official CPE product identifier.
  • CISA KEV — vulnerabilities confirmed as actively exploited.
  • SEC EDGAR — material cyber-incident disclosures (Form 8-K Item 1.05) for public companies.
  • OpenSSF Scorecard — open-source supply-chain security posture.
  • Have I Been Pwned — known data-breach history.
  • DNS / TLS — DMARC email-spoofing protection and web certificate validity, checked directly.
  • Vendor trust centers & official documentation — SOC 2, ISO 27001, GDPR/HIPAA evidence, privacy policies, DPAs, and sub-processor lists, read from the vendor's own pages.
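The attribution rule above (a CVE counts against a vendor only when NVD's own CPE configuration names that vendor's product, never because the vendor's name appears in the description) is easy to get wrong. The following is an added example written for this page, not Swanum's own tooling: it assumes the NVD 2.0 API JSON shape (vulnerabilities[].cve.configurations[].nodes[].cpeMatch[]), and the three records and their CVE ids are constructed placeholders, not real vulnerabilities. It contrasts CPE-based attribution with a naive keyword search over descriptions.

```python
# Field names of a CPE 2.3 formatted string, in order, after the "cpe:2.3" prefix.
CPE23_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other"]


def _split_cpe(criteria: str) -> list[str]:
    """Split on ':' while honouring backslash escapes (CPE 2.3 allows '\\:' inside a field).
    Escape sequences are kept verbatim so a literal '\\*' stays distinct from the '*' wildcard."""
    fields, cur, i = [], [], 0
    while i < len(criteria):
        ch = criteria[i]
        if ch == "\\" and i + 1 < len(criteria):
            cur.append(criteria[i:i + 2])
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


def parse_cpe23(criteria: str) -> dict:
    """Parse a CPE 2.3 formatted string into its named fields (lower-cased, as the spec requires)."""
    fields = _split_cpe(criteria)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {criteria!r}")
    return dict(zip(CPE23_FIELDS, (f.lower() for f in fields[2:])))


def cves_for_product(nvd: dict, vendor: str, product: str) -> list[str]:
    """CVE ids whose NVD configuration lists vendor:product as a *vulnerable* CPE.
    Entries with vulnerable=False describe a platform the flaw runs on, not the flawed
    product, so they must not be attributed to that platform's vendor."""
    vendor, product = vendor.lower(), product.lower()
    matched = set()
    for item in nvd.get("vulnerabilities", []):
        cve = item["cve"]
        for config in cve.get("configurations", []):
            for node in config.get("nodes", []):
                for match in node.get("cpeMatch", []):
                    if not match.get("vulnerable", False):
                        continue
                    cpe = parse_cpe23(match["criteria"])
                    if cpe["vendor"] == vendor and cpe["product"] == product:
                        matched.add(cve["id"])
    return sorted(matched)


def cves_mentioning(nvd: dict, keyword: str) -> list[str]:
    """What a naive keyword search would attribute: any CVE whose English description mentions the name."""
    kw = keyword.lower()
    return sorted(
        item["cve"]["id"] for item in nvd.get("vulnerabilities", [])
        if any(d["lang"] == "en" and kw in d["value"].lower()
               for d in item["cve"].get("descriptions", []))
    )


def _record(cve_id: str, description: str, cpe_matches: list[dict]) -> dict:
    """Build one NVD-2.0-shaped vulnerability record (constructed sample data)."""
    return {"cve": {"id": cve_id,
                    "descriptions": [{"lang": "en", "value": description}],
                    "configurations": [{"nodes": [{"operator": "OR", "negate": False,
                                                   "cpeMatch": cpe_matches}]}]}}


# Constructed sample feed: placeholder ids and a fictional vendor "acme", not real CVEs.
SAMPLE_NVD = {"vulnerabilities": [
    # Genuinely the vendor's product: attributed via its CPE.
    _record("CVE-0000-0001", "Acme Assistant before 2.4 allows prompt injection via crafted documents.",
            [{"vulnerable": True, "criteria": "cpe:2.3:a:acme:assistant:*:*:*:*:*:*:*:*",
              "versionEndExcluding": "2.4"}]),
    # Another vendor's plugin that merely mentions Acme in its description.
    _record("CVE-0000-0002", "Widget Hub plugin, which integrates with Acme Assistant, exposes API tokens in logs.",
            [{"vulnerable": True, "criteria": "cpe:2.3:a:widgetco:widget_hub:1.0:*:*:*:*:*:*:*"}]),
    # An OS flaw where Acme Assistant is only the non-vulnerable "running on" platform.
    _record("CVE-0000-0003", "ExampleOS kernel mishandles GPU memory when Acme Assistant runs local models.",
            [{"vulnerable": True, "criteria": "cpe:2.3:o:exampleos:kernel:6.1:*:*:*:*:*:*:*"},
             {"vulnerable": False, "criteria": "cpe:2.3:a:acme:assistant:*:*:*:*:*:*:*:*"}]),
]}


if __name__ == "__main__":
    print("CPE-attributed:", cves_for_product(SAMPLE_NVD, "acme", "assistant"))
    print("keyword-matched:", cves_mentioning(SAMPLE_NVD, "Acme"))
```

Only the first record is attributed to acme:assistant; the keyword search would have charged the vendor with all three, including a flaw in someone else's plugin and an OS bug on which the product merely runs. Version ranges (versionEndExcluding and friends) are carried in the record but ignored here, since the page's rule concerns product attribution, not affected-version resolution.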

We do not use Reddit, forums, social-media sentiment, star ratings, or community opinion. Those are not verifiable facts about a vendor's security posture.

How the Score Is Calculated

The 0–100 governance readiness score is derived only from deterministic, source-cited evidence — verified certifications, contract terms, and authoritative security signals. Each component is shown with its rationale, and any signal we cannot verify is marked “unknown” rather than counted against the vendor. The full weighting is documented on our Methodology page.

Score Interpretation

  • Enterprise Ready — Strong, verifiable governance posture. Suitable for enterprise evaluation.
  • Conditional — Some assurance gaps. Review the specific factors before procurement.
  • High Risk — Significant unverified or adverse signals. Extended due diligence recommended.

Update Cadence

Tracked vendors are re-scanned on a weekly cycle: we refresh security signals, re-fetch each vendor's legal and policy documents, and hash-compare them against the prior version. Material changes are surfaced — critical ones as an immediate alert, the rest in a weekly change digest. See Methodology → When We Alert You.
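As an added example of the hash-compare step (written for this page, not Swanum's own pipeline), the code below normalizes a fetched policy document before hashing it, so that a re-rendered page with different whitespace or markup does not register as a change, and produces a line-level diff only when the digest actually differs. The three sample documents are constructed, and how a detected change is ranked as critical versus routine is outside this example.

```python
import difflib
import hashlib
import re


def normalize(text: str) -> list[str]:
    """Strip markup, collapse whitespace and drop blank lines so a re-render of the
    same policy text yields the same digest. Line structure is kept for diffing."""
    text = re.sub(r"<[^>]+>", " ", text)
    lines = []
    for raw in text.splitlines():
        line = re.sub(r"\s+", " ", raw).strip()
        if line:
            lines.append(line)
    return lines


def digest(text: str) -> str:
    """SHA-256 over the normalized document; this is what gets stored between weekly scans."""
    return hashlib.sha256("\n".join(normalize(text)).encode("utf-8")).hexdigest()


def compare(previous: str, current: str) -> dict:
    """Return whether the document changed and, if so, a minimal unified diff of the
    normalized lines so a reviewer sees exactly which clauses moved."""
    prev_digest, cur_digest = digest(previous), digest(current)
    if prev_digest == cur_digest:
        return {"changed": False, "digest": cur_digest, "diff": []}
    diff = list(difflib.unified_diff(normalize(previous), normalize(current),
                                     "previous", "current", lineterm="", n=0))
    return {"changed": True, "digest": cur_digest, "diff": diff}


# Constructed sample documents (not any real vendor's DPA).
PREVIOUS_DPA = """<h2>Data Processing Addendum</h2>
<p>Sub-processor: AWS (us-east-1)</p>
<p>Retention: customer data deleted within 30 days of termination.</p>
"""

# Same content, re-rendered with different markup and spacing: must NOT count as a change.
REFORMATTED_DPA = """<div class="legal">
  <h2>Data   Processing Addendum</h2>

  <p>Sub-processor:  AWS (us-east-1)</p>
  <p>Retention: customer data deleted within 30 days of termination.</p>
</div>
"""

# A real wording change: the hosting region moved.
REVISED_DPA = """<h2>Data Processing Addendum</h2>
<p>Sub-processor: AWS (eu-west-1)</p>
<p>Retention: customer data deleted within 30 days of termination.</p>
"""


if __name__ == "__main__":
    print("reformat only:", compare(PREVIOUS_DPA, REFORMATTED_DPA)["changed"])
    result = compare(PREVIOUS_DPA, REVISED_DPA)
    print("revised:", result["changed"])
    print("\n".join(result["diff"]))
```

Normalizing before hashing is the part that matters operationally: without it, every CMS re-render or tracking-parameter change in the markup would raise a false change alert, and the real clause edits would get lost in the noise.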

Corrections & Disputes

If you believe a fact is incorrect (wrong product referenced, outdated CVE attribution, a certification we missed, etc.), please contact us. We investigate all factual disputes within 5 business days. We never adjust a score based on vendor preference — only verified factual errors.