Skip to content

Add org-aware third-party vetting#1463

Draft
SachaProbo wants to merge 1 commit into
mainfrom
SachaProbo/org-aware-third-party-vetting
Draft

Add org-aware third-party vetting#1463
SachaProbo wants to merge 1 commit into
mainfrom
SachaProbo/org-aware-third-party-vetting

Conversation

@SachaProbo

@SachaProbo SachaProbo commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Decompose vendor fact-finding from org-specific risk judgment so both the common catalog and org vetting share one building block:

  • Extract a reusable, persistence-free Profiler (company profile, compliance docs, domains) and have the catalog enrichment worker use it.
  • Prime the vetting orchestrator with KnownFacts resolved from a catalog link or an on-demand profiling pass, seeded into the orchestrator message.
  • Inject broad organization context (frameworks, latest risk rating, linked data/assets/processing activities, countries) into the assessment; a user-provided procedure overrides the default playbook while org context is always applied.
  • Add Data/Assets/ProcessingActivities LoadByThirdPartyID coredata loaders.
  • Vetting form prefills and confirms vendor identity (name, legal name, website), updating the third party's identity to feed the assessment.

Summary by cubic

Make vetting org-aware by splitting general vendor profiling from org-specific risk and feeding both into the assessment. Adds a reusable Profiler, primes the orchestrator with catalog/on‑demand facts, injects organization context, and updates the vetting UI to confirm identity.

Coredata +216 -0

  • Added LoadByThirdPartyID loaders for Data, Assets, and ProcessingActivities to pull items linked to a vendor.

GraphQL API +12 -0

  • VetThirdPartyInput now accepts optional name and legalName; resolver enforces update permission and forwards fields to vetting.

Service +1037 -141

  • Extracted a reusable Profiler (company profile, compliance docs, domains) and adopted it in the catalog enrichment worker.
  • Vetting worker optionally runs the Profiler to prime assessments with KnownFacts (no writes to the catalog).
  • Injected organization context (frameworks, prior risk, linked data/assets/processing activities, countries) into the orchestrator.
  • Orchestrator and base prompt updated to consume known facts and org context; Assess now seeds them before crawling.
  • Wired probod to provide the profiler to the vetting worker when enrichment config is set; minor refactors and prompt tweaks.

App: console +47 -11

  • Vetting dialog now uses a fragment and pre-fills name, legal name, and website; only sends identity fields when changed.
  • Third-party details page passes the fragment prop to VettingDialog.

Tests +1 -1

  • Updated test to match the new Assess signature.

Written for commit db4b4ec. Summary will update on new commits.

Review in cubic

Decompose vendor fact-finding from org-specific risk judgment so both the
common catalog and org vetting share one building block:

- Extract a reusable, persistence-free Profiler (company profile, compliance
  docs, domains) and have the catalog enrichment worker use it.
- Prime the vetting orchestrator with KnownFacts resolved from a catalog link
  or an on-demand profiling pass, seeded into the orchestrator message.
- Inject broad organization context (frameworks, latest risk rating, linked
  data/assets/processing activities, countries) into the assessment; a
  user-provided procedure overrides the default playbook while org context is
  always applied.
- Add Data/Assets/ProcessingActivities LoadByThirdPartyID coredata loaders.
- Vetting form prefills and confirms vendor identity (name, legal name,
  website), updating the third party's identity to feed the assessment.

Signed-off-by: Sacha Al Himdani <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant