tprm.mlab.sh · DORA Pillar IV

Third-party risk management, built for DORA.

A self-hosted platform that covers the full ICT third-party lifecycle — governance, risk, contracts and the EBA register of information — entirely on your own infrastructure.

One platform for the whole DORA Pillar IV obligation

tprm.mlab.sh is a self-hosted Third-Party Risk Management platform covering both sides of DORA: the day-to-day governance of ICT providers, and the regulatory production of the Register of Information.

TPRM governance

The full lifecycle — due diligence, contracts, risk assessments, audits, exit strategies and third-party incidents — for every ICT provider you depend on.

DORA Register of Information

The 15 EBA ITS templates (Reporting Framework 4.0) with controlled eba_* codes, referential integrity validation, and a deposit-ready xBRL-CSV .zip package matching the official structure.

The four-stage lifecycle

Register, Assess, Contract, Report — one consistent platform from onboarding to deposit.

Register

Onboard ICT providers with full identification: category, criticality, services, data-access level and LEI.

Assess

Score risk across operational, security, compliance, financial and concentration dimensions.

Contract

Track contractual arrangements, verify Art. 30 compliance, manage SLAs and renewal dates.

Report

Generate the 15 EBA ITS templates, export the DORA register and produce the deposit package.

Who is it for?

Everyone who owns a piece of DORA Pillar IV — from the people who file the register to the people who answer to the board.

Compliance Officers

Stop rebuilding the register by hand. A consolidated register, 15 EBA templates generated automatically, integrity validation and a deposit-ready package.

Risk Managers

Defensible risk scores per provider across five dimensions, with history and review dates, plus concentration analysis by category and geography.

DPOs

Track data-storage flags, locations at rest and in processing, data sensitivity and applicable-law country — captured per contract and surfaced in the register.

CISOs & Management

One consolidated picture of your ICT third-party ecosystem and regulatory readiness — live dashboards, compliance progress and top-risk providers.

Mapped to the regulation, not bent into shape

Every module maps to a DORA article and an EBA ITS template. Here are the highlights.

Business functions (B_06.01)

Identify critical/important functions supported by ICT providers, with RTO/RPO and discontinuity impact.

Subcontracting chains (B_05.02)

Map ICT supply chains with rank, LEI and one of 19 official ICT service-type codes.

Exit strategies (Art. 30)

Document, version and test exit plans for critical ICT dependencies.

Third-party incidents (Pillar IV)

Report, investigate and resolve incidents involving providers, with lessons learned.

Reporting entity info (B_01.01)

Identify the financial entity maintaining the register, with LEI, country and entity type.

Article 30 checklist (Art. 30)

Verify contractual clauses required by Art. 30(2) and Art. 30(3) for critical functions.
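The kind of referential-integrity and controlled-code validation the register module and the subcontracting-chain template describe, as an added example (not code from tprm.mlab.sh): it checks LEIs with the ISO 17442 mod-97 check digits, verifies that every B_05.02 row points at a provider present in B_05.01, and rejects service-type codes outside the controlled list. Template ids are the page's; the column names, the eba_* values and the sample LEIs are constructed placeholders.

```python
"""Integrity checks over a tiny constructed DORA register subset."""
import re

# Constructed stand-in for the controlled ICT service-type vocabulary
# (the real EBA ITS list has 19 codes; these values are placeholders).
ICT_SERVICE_TYPES = {"eba_ST:01", "eba_ST:02", "eba_ST:03"}
LEI_SHAPE = re.compile(r"^[A-Z0-9]{18}[0-9]{2}$")


def lei_is_valid(lei: str) -> bool:
    """ISO 17442: letters map to 10..35, the whole number mod 97 must be 1."""
    if not LEI_SHAPE.match(lei):
        return False
    digits = "".join(str(int(ch, 36)) for ch in lei)
    return int(digits) % 97 == 1


def validate_register(register: dict) -> list[str]:
    """Return one message per defect; an empty list means deposit-ready.
    register maps template id -> list of row dicts (constructed columns)."""
    errors = []
    entities = register.get("B_01.01", [])
    providers = register.get("B_05.01", [])
    chains = register.get("B_05.02", [])
    for tpl, rows in (("B_01.01", entities), ("B_05.01", providers)):
        for n, row in enumerate(rows, 1):
            if not lei_is_valid(row["lei"]):
                errors.append(f"{tpl} row {n}: invalid LEI {row['lei']!r}")
    if len(entities) != 1:
        errors.append("B_01.01: exactly one reporting entity expected")
    known = {row["lei"] for row in providers}  # foreign-key target set
    for n, row in enumerate(chains, 1):
        if row["provider_lei"] not in known:
            errors.append(f"B_05.02 row {n}: provider {row['provider_lei']!r} not in B_05.01")
        if row["service_type"] not in ICT_SERVICE_TYPES:
            errors.append(f"B_05.02 row {n}: unknown service-type code {row['service_type']!r}")
        if not isinstance(row["rank"], int) or row["rank"] < 1:
            errors.append(f"B_05.02 row {n}: rank must be a positive integer")
    return errors


# Constructed sample: a valid entity and provider, then a chain row that
# points at an unregistered subcontractor and uses a code outside the list.
SAMPLE = {
    "B_01.01": [{"lei": "54930098765432109815"}],
    "B_05.01": [{"lei": "54930012345678901245"}],
    "B_05.02": [
        {"provider_lei": "54930012345678901245", "rank": 1, "service_type": "eba_ST:01"},
        {"provider_lei": "54930012345678901244", "rank": 2, "service_type": "eba_ST:99"},
    ],
}

if __name__ == "__main__":
    for msg in validate_register(SAMPLE):
        print(msg)
```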

Self-hosted, private, yours

Your compliance data never leaves your infrastructure. Deploy the full stack with one command. No SaaS dependency, no vendor lock-in.

Rust / Actix-web

A fast, memory-safe backend built on Actix-web 4. Lean footprint, predictable performance.

MySQL + ClickHouse

MySQL for business data, ClickHouse for analytics and activity. Both included in the stack.

Docker Compose

A single docker compose up brings up app and databases. Built and shipped via GitHub Actions to GHCR.

Auto-migrations

A versioned SQL migration system (V1 → V15) runs automatically on startup. Just pull and restart.

48h grace period

The license is validated hourly using HMAC. If your server goes offline, the instance keeps running for 48 hours.

Role-based access

A 12-bit permission system gives each member exactly the access they need — nothing more.

Why not spreadsheets, GRC suites or generic SaaS?

Enterprise GRC suites charge six figures. Spreadsheets cost zero but lose every thread. Generic TPRM SaaS wasn't built for DORA. tprm.mlab.sh sits where they don't.

Not spreadsheets

DORA didn't ask for another spreadsheet. It asked for a register you can defend — with referential integrity and controlled EBA codes, not formulas that break.

Not enterprise GRC

GRC-grade compliance without the GRC price tag or the year-long rollout. Self-hosted, no per-seat extortion, running in five minutes.

Not generic SaaS

Every module maps to a DORA article and EBA code — B_05.01, Art. 30, B_07.01. Not a generic vendor-risk tool with a compliance sticker.

Ready to take control of your third-party risks?

Free tier included. No credit card. Up and running in under 5 minutes.