{"id":50529308,"url":"https://github.com/bogdanticu88/acerta","last_synced_at":"2026-06-03T11:30:40.302Z","repository":{"id":358152724,"uuid":"1240249267","full_name":"bogdanticu88/acerta","owner":"bogdanticu88","description":"EU vendor security due diligence platform. CIA-based risk tiering, adaptive DDQ across 12 domains, and OSINT vetting for high-risk vendors. Aligned to GDPR, NIS2, and DORA.","archived":false,"fork":false,"pushed_at":"2026-05-16T00:29:09.000Z","size":1597,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-05-16T02:26:46.651Z","etag":null,"topics":["dora","due-diligence","eu-compliance","gdpr","nextjs","nis2","security","typescript","vendor-risk"],"latest_commit_sha":null,"homepage":null,"language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bogdanticu88.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-15T23:28:43.000Z","updated_at":"2026-05-16T00:29:12.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/bogdanticu88/acerta","commit_stats":null,"previous_names":["bogdanticu88/acerta"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/bogdanticu88/acerta","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bogdanticu88%2Facerta","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bogdanticu88%2Facerta/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bogdanticu88%2Facerta/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bogdanticu88%2Facerta/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bogdanticu88","download_url":"https://codeload.github.com/bogdanticu88/acerta/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bogdanticu88%2Facerta/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33863265,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-03T02:00:06.370Z","response_time":59,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dora","due-diligence","eu-compliance","gdpr","nextjs","nis2","security","typescript","vendor-risk"],"created_at":"2026-06-03T11:30:38.636Z","updated_at":"2026-06-03T11:30:40.240Z","avatar_url":"https://github.com/bogdanticu88.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"public/logo.png\" alt=\"Acerta\" width=\"200\" /\u003e\n\u003c/p\u003e\n\n\u003ch1 align=\"center\"\u003eAcerta\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n  EU vendor security due diligence. CIA-based risk tiering. OSINT-backed verification.\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://bogdanticu88.github.io/acerta\"\u003e\u003cimg src=\"https://img.shields.io/badge/demo-live-991B1B\" alt=\"Live demo\" /\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/bogdanticu88/acerta/actions/workflows/deploy.yml\"\u003e\u003cimg src=\"https://img.shields.io/github/actions/workflow/status/bogdanticu88/acerta/deploy.yml?branch=master\u0026label=deploy\" alt=\"Deploy status\" /\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/bogdanticu88/acerta/commits/master\"\u003e\u003cimg src=\"https://img.shields.io/github/last-commit/bogdanticu88/acerta?color=991B1B\" alt=\"Last commit\" /\u003e\u003c/a\u003e\n  \u003cimg src=\"https://img.shields.io/badge/TypeScript-5-3178C6?logo=typescript\u0026logoColor=white\" alt=\"TypeScript\" /\u003e\n  \u003cimg src=\"https://img.shields.io/badge/Next.js-14-000000?logo=nextdotjs\u0026logoColor=white\" alt=\"Next.js\" /\u003e\n  \u003cimg src=\"https://img.shields.io/badge/Tailwind_CSS-3-06B6D4?logo=tailwindcss\u0026logoColor=white\" alt=\"Tailwind CSS\" /\u003e\n  \u003cimg src=\"https://img.shields.io/badge/license-MIT-991B1B\" alt=\"License\" /\u003e\n\u003c/p\u003e\n\n---\n\n## Why this matters\n\nVendor security due diligence in most EU companies is still done with Excel spreadsheets, manually updated questionnaires, and email threads. When a supplier breaches GDPR, causes a NIS2-notifiable incident, or fails a DORA ICT audit, the root cause is often that no structured assessment was done before onboarding.\n\nEU legislation now sets a high bar:\n\n- **GDPR Art.28** requires a signed Data Processing Agreement and documented due diligence for every processor with access to personal data.\n- **NIS2 Art.21(d)** mandates supply chain security controls, including supplier assessments.\n- **DORA Art.28** requires financial entities to assess ICT third-party risk before contract signature and periodically throughout the relationship.\n\nAcerta replaces the spreadsheet with a structured, legislation-aligned workflow. It assigns an inherent risk tier before the vendor is contacted, adapts the questionnaire depth to that tier, and for high-risk vendors adds an OSINT vetting layer that self-attestation alone cannot cover.\n\n---\n\n## How it works\n\nFour stages, all running in the browser:\n\n```\n[1] IRQ Intake  -\u003e  [2] CIA Tier Assignment  -\u003e  [3] Adaptive DDQ  -\u003e  [4] OSINT + Report\n```\n\nStages 1 and 2 are completed by the internal requester (procurement or security team) before the vendor is contacted. Stage 3 simulates the vendor-facing questionnaire portal. Stage 4 applies to Tier 1 and Tier 2 vendors only.\n\n### Stage 1: Inherent Risk Questionnaire (IRQ)\n\nSix questions determine the CIA exposure vector.\n\n| # | Question | CIA Dimension |\n|---|---|---|\n| 1 | What type of personal data will the vendor access? | Confidentiality |\n| 2 | Estimated number of data subjects in scope? | Confidentiality |\n| 3 | What level of system or network access is required? | Integrity |\n| 4 | How critical is this vendor to business operations? | Availability |\n| 5 | Will the vendor use sub-processors with data access? | Confidentiality |\n| 6 | Will the vendor process personal data on behalf of your organisation? | Confidentiality |\n\nCIA scores update in real time as answers are selected.\n\n### Stage 2: CIA Tier Assignment\n\n```\nC score = Q1 + Q2 + Q5 + Q6  (normalised to 0-5)\nI score = Q3                   (normalised to 0-5)\nA score = Q4                   (normalised to 0-5)\n\nTier = max(C, I, A):\n  5    -\u003e Tier 1 Critical  -\u003e Full DDQ + OSINT + Analyst Review\n  4    -\u003e Tier 2 High      -\u003e Full DDQ + OSINT\n  3    -\u003e Tier 3 Medium    -\u003e Standard DDQ (~45 questions)\n  1-2  -\u003e Tier 4 Low       -\u003e Lite DDQ (~15 questions)\n```\n\n### Stage 3: Adaptive DDQ\n\nQuestions are organised into 12 domains aligned to EU legislation. Each vendor receives only the questions proportionate to their tier.\n\n| Domain | Tier 4 | Tier 3 | Tier 2 | Tier 1 | Key Legislation |\n|---|---|---|---|---|---|\n| Information Security \u0026 Access Control | Yes | Yes | Yes | Yes | NIS2 Art.21, DORA |\n| Data Privacy \u0026 GDPR Compliance | - | Yes | Yes | Yes | GDPR Art.28, 32, 35 |\n| Incident Response \u0026 Breach Notification | Yes | Yes | Yes | Yes | GDPR Art.33-34, NIS2 Art.23 |\n| Business Continuity \u0026 Resilience | - | Yes | Yes | Yes | DORA Art.11, NIS2 |\n| ICT Risk Management | - | - | Yes | Yes | DORA Art.5-15 |\n| Supply Chain \u0026 Nth Party Risk | - | Yes | Yes | Yes | DORA Art.28, NIS2 Art.21(d) |\n| AI \u0026 Emerging Technology | - | - | Yes | Yes | EU AI Act 2024/1689 |\n| Application \u0026 Cloud Security | - | Yes | Yes | Yes | NIS2, DORA |\n| Physical \u0026 Environmental Security | - | - | Yes | Yes | ISO 27001 |\n| Certifications \u0026 Audit Evidence | Yes | Yes | Yes | Yes | DORA Art.30 |\n| Contractual \u0026 Legal (DPA, SLA) | - | Yes | Yes | Yes | GDPR Art.28, DORA Art.30 |\n| Financial Stability \u0026 Viability | - | - | Yes | Yes | DORA (concentration risk) |\n\nEach answer is scored: Yes / Partial / No / N/A, with per-question weights.\n\n### Stage 4: OSINT Vetting (Tier 1 and Tier 2)\n\nAutomated checks simulated in this prototype with realistic mock data:\n\n| Source | Data |\n|---|---|\n| OpenCorporates | Company registration, officers, filing status |\n| EU Financial Sanctions List | Entity screening against the EU consolidated list |\n| OpenSanctions | 332-source global sanctions and PEPs database |\n| HaveIBeenPwned | Known data breaches involving the vendor domain |\n| Shodan | Exposed services, outdated TLS, open ports (passive) |\n| Adverse media | Regulatory fines, court records, negative press |\n\nFollowed by a structured analyst review checklist. Sign-off is required before report generation.\n\n---\n\n## Scoring model\n\n```\nDDQ Score     = weighted sum of answers (0-100)\nOSINT Score   = automated finding severity, inverted (100 = clean)\nAnalyst Score = RAG checklist average (0-100)\n\nTier 1 / 2:  DDQ * 0.5 + OSINT * 0.3 + Analyst * 0.2\nTier 3 / 4:  DDQ only\n\n80-100  LOW RISK    -\u003e Approve\n60-79   MEDIUM RISK -\u003e Conditional approval\n40-59   HIGH RISK   -\u003e Escalate to CISO\n0-39    CRITICAL    -\u003e Reject\n```\n\n---\n\n## Demo scenarios\n\nThree pre-configured vendors cover the main risk bands:\n\n| Scenario | Tier | Description |\n|---|---|---|\n| ACME Cloud GmbH | Tier 1 Critical | SaaS HR and payroll processor, 200k+ EU employee records, admin access |\n| MediSoft Solutions SL | Tier 3 Medium | Medical scheduling software, clinic staff data only, read access |\n| PrintQuick BV | Tier 4 Low | Physical printing supplier, no data access, non-critical service |\n\n---\n\n## Running locally\n\n```bash\ngit clone https://github.com/bogdanticu88/acerta\ncd acerta\nnpm install\nnpm run dev\n```\n\nOpen `http://localhost:3000`.\n\n---\n\n## Deploying\n\nThe app exports as a fully static site. No server required.\n\n```bash\nnpm run build\n# output is in /out\n```\n\nThe repository includes a GitHub Actions workflow that deploys to GitHub Pages on every push to `main`.\n\n---\n\n## Tech stack\n\n| Layer | Choice |\n|---|---|\n| Framework | Next.js 14 (static export) |\n| Styling | Tailwind CSS |\n| State | Zustand |\n| Charts | Recharts |\n| Deploy | GitHub Pages via GitHub Actions |\n\n---\n\n## EU legislation references\n\n| Regulation | Relevance |\n|---|---|\n| GDPR 2016/679 Art.28 | Data Processing Agreements with processors |\n| GDPR 2016/679 Art.32 | Technical and organisational security measures |\n| GDPR 2016/679 Art.33-34 | Breach notification requirements |\n| GDPR 2016/679 Art.35 | Data Protection Impact Assessment (DPIA) |\n| NIS2 2022/2555 Art.21 | Security measures for essential and important entities |\n| NIS2 2022/2555 Art.21(d) | Supply chain security requirements |\n| NIS2 2022/2555 Art.23 | Incident reporting obligations |\n| DORA 2022/2554 Art.5-15 | ICT risk management framework |\n| DORA 2022/2554 Art.11 | Business continuity and disaster recovery |\n| DORA 2022/2554 Art.28 | ICT third-party risk management |\n| DORA 2022/2554 Art.30 | Key contractual provisions for ICT services |\n| EU AI Act 2024/1689 | AI system risk classification and obligations |\n\n---\n\n## License\n\nMIT. See [LICENSE](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbogdanticu88%2Facerta","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbogdanticu88%2Facerta","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbogdanticu88%2Facerta/lists"}