tprm.mlab.sh tprm.mlab.sh
Overview
Features
Workflow
Pricing
Docs
Changelog
  Sign in
Docs / Compliance

Licensing

How activation, validation and the grace period work — and what each tier unlocks.

Get a key

Every mlab.sh organisation has a free TPRM license auto-provisioned. Find it under Organization > TPRM on mlab.sh and paste it into LICENSE_KEY in your .env.

Free vs Licensed

FeatureFreeLicensed
ICT third-party providers5 maxUnlimited
Users3 maxUnlimited
Dashboard, providers, contractsYesYes
Risk assessments & third-party incidentsYesYes
Exit strategies, concentration riskNoYes
Business functions (B_06.01), supply chains (B_05.02)NoYes
Due diligence, audit tracking, Art. 30 checklistNoYes
DORA register & advanced analyticsNoYes
EBA export (15 templates) & validationNoYes
xBRL-CSV deposit package (.zip)NoYes
REST APIGET onlyFull CRUD

See the pricing page for the full comparison.

Validation flow

  1. On boot, app reads LICENSE_KEY and registers the instance with mlab.sh/api/v1/tprm/license/validate.
  2. Once per hour the app performs an HMAC challenge-response with mlab.sh: the server sends a nonce, the instance signs it with the secret derived from the license key.
  3. A successful response refreshes the cached license — tier, limits, expiry — kept locally.
  4. If mlab.sh is unreachable, the cached license is honored for 48 hours.
  5. After 48 hours without contact, the instance is locked: read-only, no new writes. Data is never deleted.
  6. As soon as mlab.sh is reachable again, the lock clears automatically.
License management lives on mlab.sh. Upgrades, downgrades, key rotation and deactivation all happen at mlab.sh/orga/tprm/license. The tprm.mlab.sh instance only reads the current state.

How to upgrade

  1. Sign in at mlab.sh and open Organization > TPRM > License.
  2. Choose the Licensed tier and confirm.
  3. Your running instance picks up the new tier within the hour — no restart, no reinstall. Compliance modules, EBA export and full API CRUD unlock automatically.

What if I hit a free-tier limit?

You get a banner in the UI when you reach 5 providers or 3 users. The platform keeps running for everything already in place — nothing is dropped — but you'll need to upgrade to add more or to unlock the compliance and export modules. Check your current usage under /settings/license.

Network requirements

The instance needs outbound HTTPS to mlab.sh (443) for the hourly license check. That's the only egress required. No telemetry, no usage analytics, no compliance data ever leaves your infrastructure.