Completed examples from the playbook

See the Playbook in action

Four completed documents from a realistic vendor assessment — showing exactly what the finished output looks like. Every field, score, condition and recommendation is produced by the TechTonicTrust workflow, not a placeholder.


Demo assessment: DataSync AI
Australian SMB · Customer data integration · ⚠ Medium-High risk
Documents shown: DOC00 Intake · DOC02 VTI Scorecard · DOC03 Vendor Risk Assessment Report · DOC09 Board Briefing
4 completed example documents · 1 vendor walkthrough (DataSync AI) · 6 risk conditions demonstrated · 6 scorecard domains scored

Vendor Intake & Triage — DOC00

The Playbook's Quick Start Intake form captures the vendor's identity, purpose, data exposure and business context — then triages the risk tier before work begins.


Vendor Intake Form — DataSync AI

Completed by Sarah Chen, Head of Technology · 1 Sep 2026
DOC00 — Quick Start / Intake
Vendor name: DataSync AI
Service type: AI-powered data integration platform
Data accessed: Customer PII, CRM records, API logs
Annual spend (est.): A$36,000 AUD
Business owner: Sarah Chen, Head of Technology
Requestor: James Park, Marketing Operations Lead
Risk tier determined: ⚠ Medium-High
Review date scheduled: 15 Sep 2026
Triage rationale: AI-powered platform that will hold customer PII with API-level access to the production CRM. No existing SOC 2 certification. Hosted primarily in US data centres. The Medium-High tier is triggered by the combination of data sensitivity, AI model opacity and cross-border data flow.

Vendor Trust Index Scorecard — DOC02

The VTI scorecard evaluates the vendor across six security and governance domains. Each domain is rated 1–5, producing an aggregate score and a clear risk-based decision.


VTI Scorecard — DataSync AI

Assessment date: 15 Sep 2026 · Assessor: Sarah Chen
DOC02 — VTI Scorecard
Domain | Score | Assessment
Governance & Compliance | 3.2/5 | Basic security program with policy documentation. Privacy policy references APPs but no binding DPA shared at assessment.
Data Protection | 4.0/5 | Encryption at rest (AES-256) and in transit (TLS 1.3). Data segregation controls exist. No Australian data residency commitment.
AI Controls & Model Governance | 2.8/5 | No published AI ethics policy. Model training opt-out not clearly documented. Model behaviour changes without customer notification.
Identity & Access Management | 3.5/5 | SSO available (SAML/OIDC). Role-based access controls exist. MFA available but not enforced for all users. No just-in-time access.
Vulnerability Management | 3.8/5 | Regular pen tests performed (annually). Bug bounty program active. Patch SLA documented but not independently verified.
Security Monitoring & Incident Response | 3.0/5 | SIEM monitoring in place. Incident response policy exists but notification SLA unclear. No guaranteed <24hr notification for data breaches.
VTI Score: 3.4 / 5
Risk rating: ⚠ Medium-High
Decision: Approve with conditions
Next review: 15 Dec 2026

Vendor Risk Assessment Report — DOC03

The Vendor Risk Assessment Report synthesises the intake triage, VTI scorecard and evidence review into a concise recommendation — ready for a manager or committee to sign off with clear conditions.


Risk Assessment Report — DataSync AI

Prepared for: Technology Review Board · 15 Sep 2026
DOC03 — Vendor Risk Assessment Report
Recommendation: Approve with 6 conditions
VTI Score 3.4/5 — Medium-High risk · Prepared by Sarah Chen
Conditions: SOC 2 Type II · Data residency · Pen test results · Model training opt-out · SSO / MFA enforced · Incident notification
  1. SOC 2 Type II report — DataSync AI must provide a SOC 2 Type II audit report (dated within 12 months) before full production deployment. Interim access limited to non-production data.
  2. Data residency in Australia — Customer data (including PII and CRM records) must be hosted and processed in an Australian data centre, with contractual commitment and quarterly verification.
  3. Annual penetration test results — Evidence of third-party pen tests covering the DataSync AI platform, shared within 30 days of completion. First result due before production go-live.
  4. Model training opt-out clause — Contractual commitment that customer data (including inputs, prompts and API payloads) will not be used for model training, fine-tuning or improvement.
  5. SSO with mandatory MFA — Single sign-on (SAML/OIDC) must be configured and MFA enforced for all administrator and user accounts accessing the tenant.
  6. Incident notification within 24 hours — Any security incident involving customer data must be notified to TechTonicTrust's security contact within 24 hours of discovery, with written SLA in the contract.
Next review: 15 Dec 2026
Decision owner: Sarah Chen, Head of Technology
Risk tier: ⚠ Medium-High

Board Briefing Excerpt — DOC09

The Board Briefing translates technical findings into an executive summary — key stats, risk exposure, recommendation and actionable next steps, ready for a board pack.


Board Briefing — DataSync AI

For the Technology Review Board · Q3 2026
DOC09 — Board Briefing Template

Executive summary

Proposed engagement: DataSync AI — AI-powered data integration platform
Business owner: Sarah Chen
Annual spend: A$36,000 AUD
Risk rating: ⚠ Medium-High
VTI Score: 3.4 / 5
Governance 3.2/5 · Data Protection 4.0/5 · AI Controls 2.8/5
Key risk exposure: DataSync AI will process customer PII through AI models hosted primarily in US data centres. The vendor lacks a published AI ethics policy and does not offer a contractual opt-out from model training on customer data. No SOC 2 certification exists. These gaps are each directly addressed by the conditions in the approval brief.
Recommendation: Approve with 6 conditions. Full production deployment is gated on SOC 2 Type II, Australian data residency, mandatory pen test evidence, a model training opt-out clause, SSO/MFA enforcement and a 24-hour incident notification SLA. Next review: 15 Dec 2026.
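As an added example (not code from the Playbook or its author), the scoring and gap-coverage logic behind the DOC02 scorecard and the DOC09 claim that every gap is addressed by a condition, in Python: it computes the aggregate VTI score from the six domain scores and checks that each domain with an open gap has a DOC03 condition covering it. It assumes the aggregate is the unweighted mean (which reproduces the 3.4 shown); the condensed gap phrasing and the condition-to-domain mapping are assumptions.

```python
from dataclasses import dataclass, field
from statistics import mean


@dataclass
class Domain:
    """One VTI scorecard domain: a 1-5 score plus the open gaps noted by the assessor."""
    name: str
    score: float
    gaps: list[str] = field(default_factory=list)


# Constructed from the DataSync AI scorecard on this page; the gap wording is
# condensed from the assessor's notes, so the exact phrases are assumptions.
DOMAINS = [
    Domain("Governance & Compliance", 3.2, ["no SOC 2 certification", "no binding DPA"]),
    Domain("Data Protection", 4.0, ["no Australian data residency commitment"]),
    Domain("AI Controls & Model Governance", 2.8, ["model training opt-out not documented"]),
    Domain("Identity & Access Management", 3.5, ["MFA not enforced for all users"]),
    Domain("Vulnerability Management", 3.8, ["patch SLA not independently verified"]),
    Domain("Security Monitoring & Incident Response", 3.0, ["no guaranteed <24h breach notification"]),
]

# The six DOC03 approval conditions, each mapped to the domain whose gap it closes.
# This condition-to-domain mapping is an assumption made for the example.
CONDITIONS = {
    "SOC 2 Type II report": "Governance & Compliance",
    "Data residency in Australia": "Data Protection",
    "Annual penetration test results": "Vulnerability Management",
    "Model training opt-out clause": "AI Controls & Model Governance",
    "SSO with mandatory MFA": "Identity & Access Management",
    "Incident notification within 24 hours": "Security Monitoring & Incident Response",
}


def vti_score(domains: list[Domain]) -> float:
    """Aggregate VTI score: unweighted mean of domain scores, rounded to one decimal."""
    return round(mean(d.score for d in domains), 1)


def uncovered_domains(domains: list[Domain], conditions: dict[str, str]) -> list[str]:
    """Domains that have open gaps but no approval condition addressing them."""
    covered = set(conditions.values())
    return [d.name for d in domains if d.gaps and d.name not in covered]


def weakest_domains(domains: list[Domain], threshold: float) -> list[str]:
    """Domain names scoring below the threshold, lowest first (candidates for conditions)."""
    return [d.name for d in sorted(domains, key=lambda d: d.score) if d.score < threshold]
```

Dropping any entry from CONDITIONS makes uncovered_domains report the domain left without a control, which is the check a reviewer wants before signing off DOC03.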

The complete workflow, end to end

These four examples are just a glimpse. The full Playbook contains 18 editable documents and workbooks (DOCX and XLSX) plus an overview guide, covering every stage of the vendor risk lifecycle — from the first intake request through triage, evidence collection, incident reporting, scoring, approval, ongoing monitoring and offboarding.

Stage 1 — Assess
  • Quick Start Intake (DOC00)
  • Evidence Review Questionnaire (DOC01)
  • VTI Scorecard (DOC02)
  • Vendor Risk Register (DOC06)
Stage 2 — Approve & Monitor
  • Risk Assessment Report (DOC03)
  • Board Briefing (DOC09)
  • AI Tool Register (DOC12)
  • Onboarding & Offboarding Checklist (DOC08)

AI & Vendor Risk Playbook

Produce outputs like these for every vendor you review.

The complete Playbook is A$249.99 — once-off, no subscription. You get 18 editable documents and workbooks, plus a preview PDF, manifest and internal-use licence.

Once-off payment · No subscription · Editable Office formats · NIST CSF 2.0 aligned