Your third-party risks deserve a real platform.
A self-hosted TPRM platform built for DORA compliance — manage third-party ICT providers, assess risks, track contracts and generate your EBA register, entirely on your own infrastructure.
From onboarding to compliance
tprm.mlab.sh structures the full third-party risk lifecycle into four clear stages.
Register
Onboard your ICT providers with full identification: category, criticality, services, data access level.
Assess
Evaluate risks across operational, security, compliance, financial and concentration dimensions.
Contract
Track contractual arrangements, verify Art. 30 compliance, manage SLAs and renewal dates.
Report
Generate the 15 EBA ITS templates, export your DORA register, and produce compliance reports.
Everything DORA requires, nothing you don't need
Built for compliance teams managing ICT third-party risks under the DORA regulation. Every module maps to a specific regulatory requirement.
Third-Party Management
Central registry of all ICT providers with full identification, criticality assessment and service mapping.
- 8 provider categories (Cloud, ICT, Data, Security…)
- Criticality levels & data access tracking
- Linked contracts, assessments & incidents
Risk Assessment
Score providers across five risk dimensions with full history tracking and review scheduling.
- Global risk score (1–100)
- Operational, security, compliance, financial, concentration
- Assessment history & next review dates
Contract Management
Track all contractual arrangements with expiration alerts, Art. 30 checklist verification and SLA monitoring.
- Master agreements, SLAs, service contracts
- 90-day expiration alerts
- Art. 30 clause compliance checklist
DORA Register & EBA Export
Consolidated register per Art. 28(3) with automated generation of all 15 EBA ITS templates.
- Full DORA information register
- 15 EBA templates (B_01 to B_99)
- CSV export (individual or batch)
Due Diligence & Audits
Pre-contractual due diligence per Art. 28(4) and ongoing audit tracking per Art. 28(5-6).
- Due diligence checklists & decisions
- Audit types: on-site, remote, certification
- Corrective action tracking
Analytics & Concentration
Advanced dashboards with concentration risk analysis, compliance metrics and trend monitoring.
- Concentration by category & geography
- Compliance progress bars
- Risk distribution & incident trends
Full Pillar IV coverage
Every module in tprm.mlab.sh maps to specific DORA articles and EBA ITS requirements.
Business Functions
Identify critical/important functions (B_06.01) with RTO/RPO and provider mapping.
Subcontracting Chains
Map ICT sub-outsourcing chains (B_05.02) with rank tracking and data processing locations.
Exit Strategies
Document and test exit plans (Art. 30) for critical ICT dependencies with version control.
Incidents
Track third-party incidents with severity, impact, resolution and lessons learned.
Entity Information
LEI, entity type, competent authority — everything needed for B_01.01 reporting.
Art. 30 Checklist
Verify contractual clauses for Art. 30(2) and 30(3), including critical function requirements.
Self-hosted, private, yours
Your compliance data never leaves your infrastructure. Deploy with Docker Compose in under 5 minutes. No SaaS dependency, no vendor lock-in.
Docker Compose
A single docker compose up command deploys the full stack. App, MySQL & ClickHouse included.
Minimal requirements
2 GB RAM, 10 GB disk. Runs on any Linux server, VPS or local machine.
Auto-migrations
Database schema updates run automatically on startup. Just pull and restart.
48h grace period
License checks every hour via HMAC. If your server goes offline, tprm.mlab.sh keeps running for 48 hours.
Core features at no cost
Self-hosted deployment
Run on your own infrastructure. Compliance data stays with you.
Role-based access control
12-bit permission system with granular module-level access.
Third-party management
Register, categorize and assess your ICT providers.
Contract & incident tracking
Manage contractual arrangements and third-party incidents.
Risk assessments
Score providers across five dimensions with review scheduling.
REST API (read)
Programmatic access to your third-party data via API keys.
Automatic database migrations
Schema updates apply on startup. No manual SQL needed.
48-hour license resilience
Grace period ensures continuity if the license server is temporarily unreachable.
Stop using spreadsheets for DORA compliance
Most teams still manage third-party risks with Excel files, shared drives and email threads. tprm.mlab.sh gives you a proper platform without the enterprise GRC price tag.
| | Spreadsheets & Shared Drives | Enterprise GRC | Generic TPRM SaaS | tprm.mlab.sh |
|---|---|---|---|---|
| Self-hosted | | | | |
| Deploy in <5 min | | | | |
| DORA-specific | | | | |
| EBA ITS export | | | | |
| Risk scoring | | | | |
| REST API | | | | |
| Free tier available | | | | |
| No vendor lock-in | | | | |
Who is it for?
Compliance Officers
Meet DORA Pillar IV requirements with built-in templates, checklists and automated reporting.
Risk Managers
Assess, score and monitor ICT provider risks with concentration analysis and trend tracking.
DPOs
Track data processing locations, subcontracting chains and access levels across all providers.
CISOs & Management
Get a consolidated view of your ICT third-party ecosystem, risks and regulatory readiness.
Ready to take control of your third-party risks?
Deploy tprm.mlab.sh in under 5 minutes. Free tier included, no credit card required.