Fourth-Party Disclosure Tracker: Surface the Subcontractors Hiding Behind Your Vendors
Ask every vendor to disclose the subcontractors and subprocessors they rely on to serve you — then map your hidden concentration and let a person accept or flag each one before it's logged.
A web tool where you request fourth-party disclosures from your vendors, vendors submit the subcontractors they rely on (name, function, location, data accessed), your vendor-risk owner reviews and accepts or flags each one, and it maps concentration, sends Resend follow-ups, and exports a clean fourth-party register CSV.
Before you start
- A Supabase account (free)
- A Vercel account (free)
- A Resend account (free)
- Your vendor list as a CSV or Google Sheet
- Claude Code or any AI coding agent
The problem this kills
You've done the work on your third parties. You scored your vendors, collected their SOC 2s, signed the DPAs. But every one of those vendors quietly leans on someone else to deliver — a hosting provider, an offshore support shop, a data-enrichment API, a payments processor. Those are your fourth parties, and most of the time you have no idea who they are or where they sit.
That's where the real surprises live. A single sub-processor can sit behind a dozen of your vendors at once, so an outage or breach there hits you many times over — concentration risk you never measured. A vendor's subcontractor might be in a country your data isn't allowed to touch. A "trusted" supplier might be handing your customer records to a fourth party you've never assessed. The dependency is real; it's just one layer down where your usual due diligence doesn't reach. You don't need to be a developer to drag it into the light.
What you'll build
A simple internal web tool for your vendor-risk, security, and compliance team. You load your vendor list, then send each vendor a disclosure request. Vendors submit the subcontractors and subprocessors they rely on to serve you — name, what they do, where they're located, and what data they can access — through a form (or you paste a CSV/Sheet they send back). The tool then maps your concentration: which single fourth party sits behind many of your vendors, which sit in risky locations, and which touch sensitive data. Your vendor-risk owner reviews each disclosed fourth party and clicks Accept or Flag for follow-up before anything is logged. Only accepted-or-flagged entries land in your fourth-party register, which you export as a clean CSV. When a vendor hasn't responded, Resend sends the follow-up for you, and the whole request re-runs annually.
What's inside the Implementation Plan
The downloadable plan is a step-by-step file you paste into an AI coding agent. It opens by interviewing you about your business — how you track vendors today, the systems and spreadsheets you use, the exact fields and naming your vendor records use, how many vendors you have and how many subs each tends to disclose, your rules for what counts as a risky location or sensitive data access, and the messy edge cases (a vendor that is someone else's sub, a sub that's also a direct vendor, a refusal to disclose). It reads a short spec back to you for a thumbs-up, then builds the tool around your answers instead of a generic template. From there it walks the agent through the data model, the vendor disclosure form, the CSV/Sheet import path, the concentration map, the review-and-decide screen, the human approval gate, the Resend follow-ups, and the register export. Every step ends with a ready-to-copy prompt.
The governance it includes (this is the point)
This isn't a toy. The plan builds in the controls a real risk function needs: login so only your team can use it, row-level security so people only ever see their own organization's vendors and disclosures, a complete audit trail of every accept/flag decision (who, what, when, and why), a hard human-approval gate so no fourth party is logged until your owner decides, and duplicate guards keyed on vendor + subcontractor so the same disclosure can't be counted twice. The tool exists to make a careful human decision easy — vendors disclose, the AI maps and surfaces the risk, and a person makes the call.
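As an added illustration that is not part of the plan or the tool itself, here is how the two mechanisms described above fit together in plain Python: the duplicate guard keyed on vendor + subcontractor, and the concentration map that ranks each fourth party by how many of your vendors rely on it, plus the location and data flags a reviewer sees before clicking Accept or Flag. The vendor names, risky-location list and sensitive-data categories are constructed assumptions; the real tool takes those rules from the interview step.

```python
from collections import defaultdict
# Constructed sample disclosures (not real vendors): one row per subcontractor a
# vendor reported, with its location and the data it can access.
DISCLOSURES = [
    {"vendor": "Acme CRM", "sub": "CloudHost Inc.", "location": "US", "data": ["customer PII"]},
    {"vendor": "Acme CRM", "sub": "cloudhost inc", "location": "US", "data": ["customer PII"]},  # re-submitted
    {"vendor": "PayFlow", "sub": "CloudHost Inc.", "location": "US", "data": ["payment data"]},
    {"vendor": "HelpDesk Co", "sub": "CloudHost Inc.", "location": "US", "data": ["support tickets"]},
    {"vendor": "HelpDesk Co", "sub": "NightShift BPO", "location": "ZZ", "data": ["support tickets", "customer PII"]},
]

# Assumed policy inputs; the plan's interview step would set these per organization.
RISKY_LOCATIONS = {"ZZ"}
SENSITIVE_DATA = {"customer PII", "payment data"}
CONCENTRATION_THRESHOLD = 2  # a sub behind this many vendors counts as a concentration

def normalize(name):
    """Fold case, punctuation and spacing so 'CloudHost Inc.' matches 'cloudhost inc'."""
    return " ".join(name.lower().replace(".", "").replace(",", "").split())

def dedupe(disclosures):
    """Duplicate guard keyed on vendor + subcontractor: keep the first submission only."""
    seen, kept = set(), []
    for d in disclosures:
        key = (normalize(d["vendor"]), normalize(d["sub"]))
        if key not in seen:
            seen.add(key)
            kept.append(d)
    return kept

def concentration(disclosures):
    # Fourth party -> sorted list of vendors relying on it, most concentrated first.
    by_sub = defaultdict(set)
    for d in dedupe(disclosures):
        by_sub[normalize(d["sub"])].add(d["vendor"])
    return sorted(((s, sorted(v)) for s, v in by_sub.items()), key=lambda kv: (-len(kv[1]), kv[0]))

def review_queue(disclosures):
    # Deduplicated disclosures with the reasons shown to the human reviewer; nothing
    # here is logged to the register until that person clicks Accept or Flag.
    counts = {sub: len(vendors) for sub, vendors in concentration(disclosures)}
    queue = []
    for d in dedupe(disclosures):
        flags = []
        if counts[normalize(d["sub"])] >= CONCENTRATION_THRESHOLD:
            flags.append("concentration")
        if d["location"] in RISKY_LOCATIONS:
            flags.append("risky-location")
        if set(d["data"]) & SENSITIVE_DATA:
            flags.append("sensitive-data")
        queue.append((d["vendor"], d["sub"], flags))
    return queue
```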
Who it's for
Vendor-risk managers, third-party risk and security leads, and compliance teams who suspect their real exposure is hiding one layer down and want to finally see it. If you can name your vendors and say what "risky" means in your world, you can build this.
You've got this — open the plan, paste the first prompt, and you'll be requesting your first real disclosures this afternoon.