tprm.mlab.sh · DORA Pillar IV · self-hosted

Your third-party risks deserve a real platform.

A self-hosted TPRM platform built for DORA compliance — manage ICT third-party providers, assess risks, track contracts and generate your EBA register of information, entirely on your own infrastructure.

Get started free Find my plan

Self-hosted · your compliance data never leaves your infrastructure · latest release →

Acme Cloud — core banking LEI 000000EXAMPLE0000191 · IE

critical

0/100

composite risk high exposure

Operational72

Security84

Compliance65

Financial58

Concentration90

100% self-hosted <5 min deploy DORA Pillar IV 15 EBA templates xBRL-CSV package Free tier

Workflow

From onboarding to compliance

Four clear stages, one consistent platform. See it in detail →

Register

Onboard ICT providers with full identification: category, criticality, services, data access level and LEI.

Assess

Score risk across operational, security, compliance, financial and concentration dimensions.

Contract

Track contractual arrangements, verify Art. 30 compliance, manage SLAs and renewal dates.

Report

Generate the 15 EBA ITS templates, export your DORA register and produce the deposit package.

Inside the product

One register, always audit-ready

Every ICT provider in one place — criticality, risk score, contract and exit-plan status, all mapped to the DORA register.

tprm.example.com / register

ICT third-party providers · 48 registered

register up to date

Acme Cloud SaaS — core banking critical risk 78 exit ✓

NorthData Hosting — IaaS critical risk 71 exit ✓

SecurePay — payment gateway important risk 52 Art.30 ✓

MailRelay — comms important risk 44 review

DeskHelp — ticketing standard risk 21 ok

AnalyticsCo — BI tooling standard risk 18 ok

Built for

Made for the people who own the risk

Whatever your seat at the table, tprm.mlab.sh gives you exactly what you need to meet DORA Pillar IV.

Persona / Compliance Officer

Stop rebuilding the register by hand.

"Every reporting cycle I rebuild the register of information from a dozen spreadsheets and hope nothing's stale."

A consolidated register, 15 EBA templates generated automatically, referential validation, and a deposit-ready xBRL-CSV package.

Persona / Risk Manager

Score and monitor, don't guess.

"I need a defensible risk score per provider and a clear view of where we're over-concentrated."

Five-dimension scoring with history and review dates, plus concentration analysis by category and geography.

Persona / CISO & Management

A view you can take to the board.

"I want one consolidated picture of our ICT third-party ecosystem and our regulatory readiness."

Live dashboards, compliance progress bars, top-risk providers and expiring contracts — exportable on demand.

EBA ITS · Reporting Framework 4.0

All 15 templates, generated for you

Every module feeds the register. tprm.mlab.sh aggregates your data into the complete set of EBA ITS templates with controlled eba_* codes.

Register of Information · RF 4.0 assembling…

B_01.01Entity maintaining register

B_01.02Entities in scope

B_01.03Branches

B_02.01Contractual — general

B_02.02Contractual — specific

B_02.03Arrangement links

B_03.01Signing entities

B_03.02ICT TPSP signing

B_03.03Service providers

B_04.01Entities using services

B_05.01ICT third parties

B_05.02Supply chain

B_06.01Functions supported

B_07.01Criticality assessment

B_99.01Definitions

0 / 15 templates validated referential integrity

register-2026Q2.zip xBRL-CSV · 15 templates · deposit-ready

How EBA export works →

Why tprm.mlab.sh

GRC-grade compliance, without the GRC price tag

Enterprise GRC suites charge six figures. Spreadsheets cost zero but lose every thread. tprm.mlab.sh sits between — a proper, DORA-specific platform you actually own.

Your infrastructure, your data

Runs entirely on your servers. We never see your providers, contracts or assessments. No SaaS, no exfiltration risk.

5 minutes to running

docker compose up and you're done. App, MySQL and ClickHouse included. Migrations run on startup.

DORA-specific, not generic

Every module maps to a DORA article and EBA code. Not a generic vendor-risk tool bent into shape.

Stack honesty

Stop using spreadsheets for DORA compliance

	Spreadsheets & drives	Enterprise GRC	Generic TPRM SaaS	tprm.mlab.sh
Self-hosted
Deploy in < 5 min
DORA-specific
EBA ITS export
Risk scoring
REST API
Free tier
No vendor lock-in

0

min to deploy

0

EBA templates

0

self-hosted

0

to start

"DORA didn't ask for another spreadsheet. It asked for a register you can defend — where the provider, the contract, the risk and the exit plan all live together. That's the whole product."

The mlab team / Cyber Dream

FAQ

Common questions

No. The only outbound call is a license validation HMAC every hour. No provider, contract, assessment or register data ever leaves your infrastructure.

Yes. It generates all 15 EBA ITS templates (Reporting Framework 4.0) with controlled EBA codes, runs a referential integrity validation, and builds the deposit-ready xBRL-CSV (.zip) package matching the official structure.

Yes, for up to 48 hours at a time — that's the grace window. Beyond that the instance locks until you restore outbound HTTPS to mlab.sh for the hourly license check.

Up to 5 ICT providers and 3 users, with dashboard, provider management, contracts, risk assessments and third-party incidents. DORA register, EBA export, exit strategies, due diligence, audits and analytics are unlocked on the Licensed tier.

Rust / Actix-web with MySQL for business data and ClickHouse for analytics. Deploy the whole stack with a single docker compose up. Database migrations run automatically on startup.

Ready to take control of your third-party risks?

Free tier included. No credit card. Up and running in under 5 minutes.

Get started View pricing