# AI Crawler Instructions for Rapid Risk Review (RRR)
# Site: https://rrr.dev
# Last Updated: 2025-11-29
# Content Version: 2.0 - Business Tier Advanced Features Documented
# 
# This file provides comprehensive content descriptions for AI crawlers
# that cannot execute JavaScript. All page content is documented below.

# ===========================================
# SITE OVERVIEW
# ===========================================
# Rapid Risk Review (RRR) is an AI-powered Shadow IT and Shadow AI Discovery Platform
# that helps organizations discover unsanctioned SaaS tools, assess vendor risks,
# and maintain compliance through automated continuous monitoring.

# ===========================================
# HOMEPAGE (/)
# ===========================================
# URL: https://rrr.dev/

## Hero Section
Title: "Automated Shadow IT and Shadow AI Discovery Platform"
Subtitle: "Discover unsanctioned tools across your organization. Assess vendor risks instantly. Maintain compliance automatically."

## How It Works
Step 1: Enter any vendor URL or company name
Step 2: AI analyzes security, privacy, and pricing risks in real-time
Step 3: Review comprehensive risk report with actionable recommendations

## Key Features
- Continuous Shadow IT Detection: Automatically discover unauthorized SaaS tools
- Instant Risk Assessment: AI-powered analysis of security, privacy, and commercial risks
- Integration Ecosystem: Connect with Google Workspace, Microsoft 365, Okta, Vanta, Drata
- Team Collaboration: Share reports, assign reviews, track approvals
- Compliance Automation: Map findings to GDPR, HIPAA, SOC 2, and other frameworks

## Trust Signals
- SOC 2 Type II compliant platform
- GDPR and CCPA compliant
- Enterprise-grade security
- Used by security teams worldwide

# ===========================================
# PRICING PAGE (/pricing)
# ===========================================
# URL: https://rrr.dev/pricing

## Pricing Tiers

### Free Tier - $0/month
- 3 vendor assessments per month
- 1 user
- Manual vendor analysis only (no Shadow IT Discovery)
- Static risk analysis
- Public report sharing
- Community support
- Basic risk scoring (Security, Privacy, Pricing)

### Professional Tier - $199/month (or $1,990/year - save 17%)
- 50 vendor assessments per month
- Up to 5 team members
- 2 discovery integrations included
- Shadow IT Discovery via:
  - GRC Platforms (Vanta, Drata)
  - SSO/Identity Providers (Google Workspace, Microsoft 365, Okta)
  - Expense Management Systems (Expensify)
- Daily automatic sync of discovered vendors
- Private report sharing within organization
- Email support (24-hour response time)
- Assessment history and export
- Team collaboration features
- Custom categories and tags

### Business Tier - $799/month (or $7,990/year - save 17%)
- 200 vendor assessments per month
- Up to 20 team members
- Unlimited discovery integrations
- Priority sync and on-demand refresh
- Custom webhook integrations
- Bulk vendor operations
- Custom policy engine (up to 25 rules)
- 5 Compliance templates (HIPAA, SOC 2, GDPR, ISO 27001, PCI DSS)
- Custom RRR Analysis Context (AI tailored to your organization)
- Advanced analytics dashboard
- Priority support (4-hour response time)
- API access

#### Business Tier Exclusive: Contract Terms Deep Analysis
Comprehensive legal contract evaluation across six critical areas:
- Indemnification Analysis: Mutual vs one-way, scope, carve-outs, defense obligations
- Liability Caps: Cap type/period, consequential damages exclusions, super caps
- Warranties & SLA: Uptime percentages, SLA credits, warranty disclaimers
- Security & Breach Terms: Breach notification hours, audit rights, insurance coverage
- Termination & Exit: Convenience clauses, notice periods, data return commitments
- Contract Accessibility: Flags when terms are gated or NDA-required

#### Business Tier Exclusive: Procurement & Financial Analysis
Comprehensive financial intelligence for Finance and Procurement teams:
- Pricing Model Analysis: Transparency evaluation, model type, base price, minimum commitments
- Hidden Costs Detection: Implementation, training, integration, overage fees
- TCO Analysis: Year one estimate, ongoing costs, implementation complexity
- Exit Cost Analysis: Export fees, termination penalties, migration effort
- Vendor Financial Health: Funding stage, investors, years in business
- Contract Flexibility: Trial availability, billing models, discount availability
- Negotiation Leverage: Tips and strengths for contract negotiations

#### Business Tier Exclusive: Certification Gap Analysis
Organization-specific certification requirements comparison:
- Configure Required, Recommended, and Nice-to-Have certifications
- AI searches for each certification during vendor analysis
- Missing Required certifications generate HIGH risk findings
- Missing Recommended certifications generate MEDIUM risk findings
- Risk scores automatically adjusted based on certification gaps
- Industry-specific certification recommendations (HIPAA for healthcare, PCI DSS for financial, etc.)

#### Business Tier Exclusive: Assessment History & Comparison
Complete version tracking and comparison tools:
- Timeline view of all assessment versions with score deltas
- Trend chart showing risk score evolution over time
- Side-by-side comparison of any two versions
- Findings diff showing added/removed security recommendations
- Certification changes highlighted between versions
- Contract and pricing term change tracking
- Audit trail with timestamps and analyst information

#### Business Tier Exclusive: Custom RRR Analysis Context
AI-generated organizational context for tailored assessments:
- AI generates context from your settings and assessment defaults
- Includes industry, data handling, compliance requirements, risk tolerance
- Context injected into every vendor analysis prompt
- Version history with ability to restore previous versions
- Compare assessments with vs without custom context

### Enterprise Tier - Custom Pricing
- Unlimited vendor assessments
- Unlimited team members
- Custom integrations and dedicated APIs
- AI-assisted policy writing
- SSO/SAML authentication
- SLA guarantee (99.9% uptime)
- Dedicated customer success manager
- Custom training and onboarding
- On-premise deployment options
- Volume discounts available

## Pricing FAQs

Q: What counts as an assessment?
A: Each unique vendor URL analyzed counts as one assessment. Re-analyzing the same vendor uses another assessment credit. Viewing existing assessments is free.

Q: Can I change plans at any time?
A: Yes, you can upgrade or downgrade at any time. Changes take effect immediately, with prorated billing for upgrades.

Q: Do you offer a free trial?
A: Yes, Professional and Business tiers include a 14-day free trial with full feature access. No credit card required to start.

Q: What payment methods do you accept?
A: We accept all major credit cards (Visa, Mastercard, American Express, Discover) via Stripe. Enterprise customers can pay via invoice.

Q: Is there a discount for annual billing?
A: Yes, annual billing saves 17% compared to monthly billing on Professional and Business tiers.

Q: What happens if I exceed my assessment limit?
A: You'll receive a notification at 80% usage. Additional assessments can be purchased, or you can upgrade to a higher tier.

Q: Do unused assessments roll over?
A: No, assessment credits reset at the start of each billing period. We recommend choosing a plan that fits your regular usage.

Q: Can I get a refund if I'm not satisfied?
A: We offer a 30-day money-back guarantee for new subscriptions. Contact support@rrr.dev for assistance.

Q: How does team billing work?
A: Each plan includes a set number of team members. Additional members can be added for $25/user/month on Professional and $40/user/month on Business.

# ===========================================
# PRIVACY POLICY (/privacy)
# ===========================================
# URL: https://rrr.dev/privacy
# Last Updated: November 29, 2025

## 1. Introduction
Rapid Risk Review ("RRR", "we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our vendor risk assessment platform at rrr.dev.

## 2. Information We Collect

### Account Information
- Email address (required for account creation)
- Full name (optional)
- Organization name and domain
- Password (encrypted, never stored in plain text)

### Vendor Assessment Data
- URLs of vendors you analyze
- Risk assessment results and reports
- Custom notes and tags you add
- Team collaboration data (comments, approvals)

### Payment Information
- Billing email address
- Payment method details (processed securely by Stripe)
- Subscription tier and billing history
- We do NOT store full credit card numbers

### Usage Data
- Pages visited and features used
- Assessment frequency and patterns
- Browser type and device information
- IP address (for security and fraud prevention)

### Discovery Integration Data
- OAuth tokens for connected integrations (encrypted)
- List of third-party applications discovered
- User counts and usage patterns for discovered apps
- We do NOT access email content, documents, or files

## 3. How We Use Your Information
- Provide and improve our risk assessment services
- Process transactions and send billing notifications
- Send service updates and security alerts
- Analyze usage patterns to improve features
- Prevent fraud and enforce our terms of service
- Comply with legal obligations

## 4. Third-Party Service Providers

### Supabase (Database & Authentication)
- Stores account data and assessment results
- Provides authentication services
- Data center location: United States

### OpenAI (AI Processing)
- Powers risk analysis and recommendations
- Processes vendor website content for analysis
- We do NOT use your data to train OpenAI models

### Firecrawl (Web Scraping)
- Retrieves vendor website content for analysis
- Only accesses publicly available web pages

### Stripe (Payment Processing)
- Processes subscription payments
- PCI DSS Level 1 compliant
- We never see or store full card numbers

### Google reCAPTCHA (Bot Protection)
- Protects forms from automated abuse
- May collect device and usage data per Google's privacy policy

### Resend (Email Delivery)
- Sends transactional emails (notifications, reports)
- Does not use email content for marketing

## 5. Data Security
- All data transmitted via HTTPS/TLS 1.3 encryption
- Data at rest encrypted using AES-256
- Regular security audits and penetration testing
- Role-based access controls for employees
- SOC 2 Type II compliant infrastructure

## 6. Data Retention
- Active account data: Retained while account is active
- Deleted account data: Removed within 30 days of deletion request
- Assessment history: 24 months for inactive accounts
- Audit logs: Retained for 7 years for compliance

## 7. Your Rights Under GDPR (EU Users)
- Right to Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate personal data
- Right to Erasure: Request deletion of your personal data
- Right to Restrict Processing: Limit how we use your data
- Right to Data Portability: Export your data in machine-readable format
- Right to Object: Object to processing for legitimate interests
- Right to Withdraw Consent: Withdraw consent at any time

To exercise these rights, contact: privacy@rrr.dev

## 8. Your Rights Under CCPA (California Users)
- Right to Know: What personal information we collect
- Right to Delete: Request deletion of personal information
- Right to Opt-Out: Opt out of sale of personal information (we do not sell data)
- Right to Non-Discrimination: Equal service regardless of privacy choices

## 9. Cookies and Tracking
We use cookies for:
- Authentication and session management (essential)
- Remembering your preferences (functional)
- Analytics and performance monitoring (optional)

You can manage cookie preferences in your browser settings.

## 10. Children's Privacy
RRR is not intended for users under 18 years of age. We do not knowingly collect data from children.

## 11. International Data Transfers
Data may be transferred to and processed in the United States. We use standard contractual clauses to protect EU data transfers.

## 12. Changes to This Policy
We may update this policy periodically. Material changes will be notified via email or in-app notification at least 30 days before taking effect.

## 13. Contact Information
Privacy Officer: privacy@rrr.dev
Data Protection Representative (EU): privacy@rrr.dev
Address: 28 Geary Street, Ste 650 #1637, San Francisco, CA 94108, USA

# ===========================================
# TERMS OF SERVICE (/terms)
# ===========================================
# URL: https://rrr.dev/terms
# Last Updated: November 29, 2025

## 1. Acceptance of Terms
By accessing or using Rapid Risk Review ("RRR", "Service"), you agree to be bound by these Terms of Service. If you do not agree, do not use the Service.

## 2. Service Description
RRR provides:
- AI-powered vendor risk assessment and scoring
- Shadow IT and Shadow AI discovery through integrations
- Team collaboration tools for vendor management
- Risk reports and compliance documentation
- Integration with identity providers and GRC platforms

## 3. Account Registration
- You must provide accurate and complete information
- You are responsible for maintaining account security
- One account per person; no shared accounts
- You must be 18+ years old to use the Service
- Business accounts must be authorized by the organization

## 4. Subscription Plans and Billing

### Payment Terms
- Subscriptions are billed monthly or annually in advance
- Payment processed securely via Stripe
- Prices are in USD unless otherwise specified
- Taxes may apply based on your location

### Billing Cycle
- Monthly subscriptions renew on the same day each month
- Annual subscriptions renew on the anniversary date
- Failed payments may result in service suspension

### Price Changes
- We may change prices with 30 days notice
- Price changes apply at next renewal
- You may cancel before price increase takes effect

## 5. Cancellation and Refunds

### Cancellation Policy
- Cancel anytime from account settings
- Cancellation takes effect at end of current billing period
- Access continues until period ends
- No partial refunds for unused time

### Refund Policy
- 30-day money-back guarantee for new subscriptions
- Refunds processed within 5-10 business days
- No refunds for accounts terminated for violations

### Data After Cancellation
- Data retained for 30 days after cancellation
- Export your data before cancellation
- Request permanent deletion via privacy@rrr.dev

## 6. Acceptable Use
You agree NOT to:
- Use the Service for illegal purposes
- Attempt to gain unauthorized access
- Reverse engineer or copy the Service
- Share account credentials
- Submit malicious content or code
- Violate others' intellectual property rights
- Use automated tools to scrape or abuse the Service
- Resell or redistribute the Service without permission

## 7. AI Disclaimer
IMPORTANT: RRR uses artificial intelligence to analyze vendor risks. AI outputs are:
- Probabilistic assessments, not guarantees
- Based on publicly available information
- Subject to errors and limitations
- NOT legal, financial, or compliance advice

You should:
- Verify AI findings independently
- Consult qualified professionals for legal/compliance decisions
- Use RRR as one input among many in vendor decisions
- Report inaccurate assessments to improve the system

## 8. Intellectual Property
- RRR owns all rights to the Service, software, and content
- You retain ownership of data you submit
- You grant RRR license to process your data for the Service
- Feedback you provide may be used to improve the Service

## 9. Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY LAW:
- RRR liability is limited to the lesser of:
  - $100 USD, or
  - Fees paid in the 12 months before the claim
- RRR is NOT liable for:
  - Indirect, incidental, or consequential damages
  - Lost profits or business interruption
  - Decisions made based on AI assessments
  - Third-party actions or services
  - Service interruptions or data loss

## 10. Indemnification
You agree to indemnify and hold harmless RRR from claims arising from:
- Your use of the Service
- Your violation of these Terms
- Your violation of third-party rights
- Content you submit to the Service

## 11. Dispute Resolution

### Informal Resolution
Contact support@rrr.dev first. Most disputes can be resolved informally.

### Arbitration
Disputes not resolved informally will be settled by binding arbitration:
- Administered by AAA (American Arbitration Association)
- Location: Wilmington, Delaware, USA
- Language: English
- One arbitrator
- Decision is final and binding

### Class Action Waiver
You waive the right to participate in class actions or class arbitrations.

### Exceptions
You may bring claims in small claims court if eligible.

## 12. Governing Law
These Terms are governed by the laws of Delaware, USA, without regard to conflict of law principles.

## 13. General Provisions

### Entire Agreement
These Terms constitute the entire agreement between you and RRR.

### Severability
If any provision is unenforceable, other provisions remain in effect.

### Waiver
Failure to enforce a right does not waive that right.

### Assignment
You may not assign these Terms. RRR may assign to successors.

### Modifications
We may modify Terms with 30 days notice. Continued use constitutes acceptance.

## Contact
Legal inquiries: legal@rrr.dev
Support: support@rrr.dev
Address: 28 Geary Street, Ste 650 #1637, San Francisco, CA 94108, USA

# ===========================================
# INTEGRATIONS (/integrations)
# ===========================================
# URL: https://rrr.dev/integrations

## Available Integrations

### Google Workspace (Available)
- Status: Generally Available
- Authentication: OAuth 2.0
- API Used: Admin SDK Audit Reports API
- What It Discovers:
  - Third-party applications authorized by users
  - OAuth grants and scopes
  - User counts per application
  - Last used timestamps
- Requirements: Google Workspace Admin access
- Sync Frequency: Daily automatic, on-demand available
- Privacy Note: RRR only accesses app authorization data. We do NOT read emails, documents, or Drive files.

### Microsoft 365 (Available)
- Status: Generally Available
- Authentication: OAuth 2.0 via Azure AD
- API Used: Microsoft Graph API (Audit Logs)
- What It Discovers:
  - Enterprise applications in Azure AD
  - Third-party app registrations
  - User sign-in activities to apps
  - Service principal permissions
- Requirements: Azure AD Global Admin or Application Administrator
- Sync Frequency: Daily automatic, on-demand available
- Privacy Note: RRR only accesses application and sign-in metadata. We do NOT read emails, files, or Teams messages.

### Okta (Available)
- Status: Generally Available
- Authentication: API Token
- API Used: Okta Applications API
- What It Discovers:
  - All applications in Okta catalog
  - User assignments per application
  - Application status and settings
  - SAML/OIDC configurations
- Requirements: Okta Admin API token with read access
- Sync Frequency: Daily automatic, on-demand available

### Vanta (Available)
- Status: Generally Available
- Authentication: API Key
- What It Discovers:
  - Vendor inventory from Vanta
  - Compliance status per vendor
  - Risk assessments already performed
- Requirements: Vanta API key with vendor read access
- Sync Frequency: Daily automatic
- Use Case: Sync existing vendor data from GRC platform

### Drata (Available)
- Status: Generally Available
- Authentication: API Key
- What It Discovers:
  - Vendor inventory from Drata
  - Compliance evidence and status
  - Vendor risk scores from Drata
- Requirements: Drata API key with vendor read access
- Sync Frequency: Daily automatic
- Use Case: Sync existing vendor data from compliance platform

### Expensify (Available)
- Status: Generally Available
- Authentication: Partner Credentials
- What It Discovers:
  - SaaS vendors from expense reports
  - Spend amounts per vendor
  - Payment frequency
- Requirements: Expensify Admin access
- Sync Frequency: Daily automatic
- Use Case: Identify Shadow IT from expense data

### CSV Upload (Available)
- Status: Generally Available
- Authentication: None required
- What It Supports:
  - Manual vendor list import
  - Custom fields mapping
  - Bulk vendor addition
- Format: CSV with headers (vendor_name, vendor_url, notes)

### Webhook API (Available)
- Status: Generally Available
- Authentication: Webhook secret
- Capabilities:
  - Receive vendor data from any source
  - Real-time sync triggers
  - Custom integration support
- Documentation: Available in-app for Business tier

## Coming Soon Integrations

### Ramp (Coming Soon)
- Corporate card and expense management
- Automatic SaaS spend detection

### Brex (Coming Soon)
- Corporate card transaction analysis
- Vendor categorization from spend data

### SAP Concur (Coming Soon)
- Enterprise expense management integration
- Multi-subsidiary support

### Chrome Enterprise (Coming Soon)
- Browser extension usage tracking
- Chrome Web Store app detection

## Integration FAQs

Q: How do I connect an integration?
A: Go to Admin > Discovery Integrations, click "Connect" on the desired integration, and follow the OAuth or API key setup flow.

Q: What permissions are required?
A: Each integration requires specific admin permissions. Google Workspace requires Super Admin, Microsoft 365 requires Global Admin or Application Administrator, Okta requires Admin API token.

Q: How often does sync occur?
A: By default, integrations sync daily at 2 AM UTC. Business tier users can trigger on-demand syncs and configure custom schedules.

Q: Is my data secure during sync?
A: Yes. All API credentials are encrypted at rest. Connections use HTTPS/TLS. OAuth tokens are refreshed automatically and can be revoked anytime.

Q: Can I disconnect an integration?
A: Yes, you can disconnect any integration from Admin > Discovery Integrations. This revokes RRR's access and stops future syncs. Historical data remains until you delete it.

Q: What if an integration fails?
A: You'll receive email notification of sync failures. Check Admin > Discovery > Sync Logs for error details. Common issues include expired tokens (reconnect) or permission changes.

# ===========================================
# DOCUMENTATION (/docs)
# ===========================================
# URL: https://rrr.dev/docs

## Quick Start Guide

### Step 1: Enter a Vendor URL
- Go to the RRR homepage or dashboard
- Enter any vendor website URL (e.g., slack.com, notion.so)
- Click "Analyze" to start the assessment

### Step 2: AI Analysis (30-60 seconds)
- RRR crawls the vendor's public web pages
- AI analyzes security practices, privacy policy, and pricing
- Risk scores are calculated across multiple dimensions

### Step 3: Review Your Report
- Overall risk score (0-10 scale)
- Security risk assessment with findings
- Privacy and legal compliance analysis
- Pricing transparency evaluation
- Actionable recommendations

## Understanding Risk Scores

### Score Scale (0-10)
- 0-2: Low Risk - Vendor demonstrates strong practices
- 2-4: Low-Medium Risk - Generally acceptable with minor concerns
- 4-5: Medium Risk - Some concerns requiring review
- 5-6: Medium-High Risk - Significant concerns, proceed with caution
- 6-8: High Risk - Major concerns, additional due diligence required
- 8-10: Critical Risk - Severe issues, not recommended without mitigation

### Risk Categories
1. Security Risk: Technical controls, certifications, incident response
2. Privacy Risk: Data handling, third-party sharing, user rights
3. Pricing Risk: Transparency, hidden costs, contract flexibility

## Core Features

### Vendor Risk Assessment
- AI-powered analysis of vendor websites
- Security certification verification (SOC 2, ISO 27001, GDPR)
- Privacy policy analysis and compliance checking
- Pricing model evaluation and hidden cost detection

### Shadow IT Discovery
- Automatic detection of unauthorized SaaS tools
- Integration with identity providers (Google, Microsoft, Okta)
- Expense report analysis for SaaS spend
- GRC platform sync (Vanta, Drata)

### Team Collaboration
- Share reports with team members
- Comment and discuss findings
- Approval workflows for vendor decisions
- Role-based access control (Admin, Analyst, Viewer)

### Compliance Mapping
- Map findings to compliance frameworks
- GDPR, HIPAA, SOC 2, ISO 27001 coverage
- Custom policy templates
- Audit-ready documentation

### Analytics Dashboard
- Portfolio risk overview
- Trend analysis over time
- Discovery insights and patterns
- Assessment activity tracking

## Business Tier Advanced Features

### Contract Terms Deep Analysis
Comprehensive legal contract evaluation for Business tier users:
- Indemnification Analysis: Mutual vs one-way structures, scope, carve-outs
- Liability Caps: Cap type/period, consequential damages, super caps
- Warranties & SLA: Uptime percentages, SLA credits, disclaimers
- Security Terms: Breach notification hours, audit rights, insurance
- Termination & Exit: Convenience clauses, notice periods, data return
- Contract Accessibility: Flags gated or NDA-required terms

### Procurement & Financial Analysis
Comprehensive financial intelligence for Business tier users:
- Pricing Model: Transparency, model type, base price, minimums
- Hidden Costs: Implementation, training, integration, overage fees
- TCO Analysis: Year one estimate, ongoing costs, complexity
- Exit Costs: Export fees, termination penalties, migration effort
- Vendor Health: Funding stage, investors, years in business
- Contract Flexibility: Trial availability, billing, discounts
- Negotiation Leverage: Tips and strengths for negotiations

### Certification Gap Analysis
Organization-specific certification requirements:
- Configure Required, Recommended, Nice-to-Have certifications
- AI searches for each during vendor analysis
- Missing Required certs generate HIGH risk findings
- Missing Recommended certs generate MEDIUM risk findings
- Risk scores auto-adjusted based on gaps
- Industry-specific recommendations

### Custom RRR Analysis Context
AI-generated organizational context:
- Generated from settings and assessment defaults
- Includes industry, data handling, compliance needs
- Injected into every vendor analysis prompt
- Version history with restore capability
- Compare with vs without custom context

### Assessment History & Comparison
Complete version tracking:
- Timeline view with score deltas
- Trend chart of risk evolution
- Side-by-side version comparison
- Findings diff (added/removed)
- Certification change tracking
- Contract/pricing term changes
- Full audit trail

## Privacy Commitment
RRR is built with privacy-first principles:
- We only access vendor usage metadata from integrations
- We NEVER read email content, documents, or files
- OAuth scopes are minimal and clearly documented
- All data is encrypted in transit and at rest
- You can export or delete your data anytime

## API Documentation
Business and Enterprise tiers include API access:
- RESTful API for programmatic access
- Webhook notifications for real-time updates
- Bulk assessment endpoints
- Full API reference available in-app

# ===========================================
# CONTACT (/contact)
# ===========================================
# URL: https://rrr.dev/contact

## Contact Information

### Mailing Address
Rapid Risk Review
28 Geary Street, Ste 650 #1637
San Francisco, CA 94108
United States

### Phone
+1 (408) 290-0177

### Email Addresses
- General Support: support@rrr.dev
- Sales Inquiries: sales@rrr.dev
- Privacy Concerns: privacy@rrr.dev
- Legal Inquiries: legal@rrr.dev
- AI Compliance: ai-compliance@rrr.dev
- Security Issues: security@rrr.dev

### Business Hours
Monday - Friday: 9:00 AM - 6:00 PM PST
Saturday - Sunday: Closed
Response Time: Within 24 hours for support, 4 hours for Business tier

### Social Media
- LinkedIn: linkedin.com/company/rapid-risk-review
- Twitter/X: @rapidriskreview

## Contact Form Topics
- General Inquiry
- Sales Question
- Technical Support
- Partnership Opportunity
- Feature Request
- Bug Report
- Security Vulnerability (use security@rrr.dev for sensitive reports)

# ===========================================
# AI DISCLOSURE (/ai-disclosure)
# ===========================================
# URL: https://rrr.dev/ai-disclosure

## How RRR Uses AI

### AI-Powered Analysis
RRR uses artificial intelligence to:
- Analyze vendor website content for security indicators
- Evaluate privacy policies and terms of service
- Assess pricing transparency and contract terms
- Generate risk scores and recommendations
- Identify compliance gaps and certification status

### AI Technologies Used
- Natural Language Processing (NLP) for document analysis
- Pattern recognition for security indicator detection
- Large Language Models (LLMs) for report generation
- Machine learning for risk scoring algorithms

### AI Processing Overview
1. Web crawling collects publicly available vendor information
2. Content is processed to extract relevant data points
3. AI models analyze data against risk frameworks
4. Probabilistic scores are generated for each risk category
5. Human-readable reports summarize findings

## Data Privacy and AI

### Training Data Policy
IMPORTANT: RRR does NOT use customer data to train external AI models.
- Your assessment data is not shared with AI providers for training
- Analysis uses pre-trained models with fixed parameters
- Your data is processed, not used for model improvement

### Data Retention
- Assessment data retained per our Privacy Policy
- AI processing logs retained for 30 days for debugging
- No persistent storage of data by AI providers

## AI Subprocessors

### OpenAI
- Purpose: Powers risk analysis and report generation
- Data Shared: Vendor website content (public data only)
- Processing: Real-time, no data retained by OpenAI
- Compliance: SOC 2 Type II, GDPR compliant

### Google Gemini
- Purpose: Alternative AI model for analysis
- Data Shared: Vendor website content (public data only)
- Processing: Real-time inference
- Compliance: ISO 27001, SOC 2

### Firecrawl
- Purpose: Web content extraction
- Data Shared: URLs of vendors to analyze
- Processing: Extracts text from public web pages
- Note: Only accesses publicly available content

### Supabase
- Purpose: Database and authentication
- Data Shared: All account and assessment data
- Processing: Data storage and retrieval
- Compliance: SOC 2 Type II, HIPAA available

### Lovable.dev
- Purpose: Application hosting and development
- Data Shared: Application code and configuration
- Processing: Cloud hosting and deployment

### Resend
- Purpose: Transactional email delivery
- Data Shared: Email addresses and notification content
- Processing: Email sending only

## Human Oversight

### Quality Assurance
- AI outputs are regularly audited for accuracy
- User feedback is reviewed to improve assessments
- Known issues are documented and addressed
- Human review available for contested findings

### Escalation Process
If you believe an AI assessment is inaccurate:
1. Use the "Report Issue" button on any assessment
2. Provide details about the inaccuracy
3. Our team reviews within 2 business days
4. Corrections are made if warranted

## Limitations of AI

### What AI Cannot Do
- Guarantee accuracy of all findings
- Access non-public vendor information
- Replace professional legal or security advice
- Predict future vendor behavior
- Assess internal vendor security controls

### Known Limitations
- Websites with heavy JavaScript may be partially analyzed
- Non-English content may have reduced accuracy
- Recently updated websites may show stale information
- AI may miss context-specific nuances

## User Rights

### Regarding AI Processing
You have the right to:
- Know when AI is used in processing your requests
- Request human review of AI-generated assessments
- Challenge or dispute AI findings
- Opt out of certain AI features (contact support)
- Export your data including AI-generated reports

### Data Subject Rights
Under GDPR and similar regulations:
- Request explanation of AI decision-making logic
- Access data used in AI processing
- Correct inaccurate AI-derived information
- Delete AI-generated assessments

## Liability

### AI Output Disclaimer
AI-generated content is provided "as is" without warranty. RRR is not liable for:
- Business decisions made based on AI assessments
- Inaccuracies in AI-generated reports
- Third-party reliance on AI outputs
- Consequential damages from AI recommendations

### Your Responsibility
Users should:
- Verify critical findings independently
- Consult qualified professionals for important decisions
- Use AI assessments as one input among many
- Report inaccuracies to improve the system

## Updates to AI Systems

### Model Updates
- AI models may be updated to improve accuracy
- Major changes are communicated via changelog
- Historical assessments retain their original analysis
- Re-analysis available to apply new models

## Contact for AI Concerns
AI Compliance: ai-compliance@rrr.dev
Privacy Officer: privacy@rrr.dev

# ===========================================
# COOKIE POLICY (/cookies)
# ===========================================
# URL: https://rrr.dev/cookies

## Cookie Categories

### Strictly Necessary Cookies
These cookies are essential for the website to function:
- Authentication cookies (maintain login session)
- Security cookies (CSRF protection, bot detection)
- Load balancing cookies (ensure performance)
- Session state cookies (remember page state)

Cannot be disabled. Required for basic functionality.

### Functional Cookies
These cookies remember your preferences:
- Theme preference (light/dark mode)
- Language settings
- Dashboard layout preferences
- Recently viewed vendors

Can be disabled. Site will work but won't remember preferences.

### Analytics Cookies
These cookies help us improve the service:
- Page view tracking
- Feature usage analytics
- Performance monitoring
- Error tracking

Can be disabled via browser settings or opt-out tools.

## Specific Cookies Used

### RRR Cookies
- sb-auth-token: Authentication session (essential)
- sb-refresh-token: Session refresh (essential)
- theme: UI theme preference (functional)
- sidebar-collapsed: Dashboard layout (functional)

### Third-Party Cookies

#### Supabase
- Authentication and session management
- Duration: Session to 7 days
- Purpose: Maintain secure login

#### Google reCAPTCHA
- Bot protection on forms
- May set cookies per Google's policy
- Purpose: Prevent automated abuse

#### Google Analytics (if enabled)
- _ga: Distinguishes users (2 years)
- _gid: Distinguishes users (24 hours)
- _gat: Throttles request rate (1 minute)
- Purpose: Usage analytics

## Managing Cookies

### Browser Settings
Most browsers allow you to:
- Block all cookies
- Block third-party cookies only
- Delete cookies on exit
- View and delete specific cookies

### Browser-Specific Instructions
- Chrome: Settings > Privacy and security > Cookies
- Firefox: Settings > Privacy & Security > Cookies
- Safari: Preferences > Privacy > Cookies
- Edge: Settings > Privacy > Cookies

### Google Analytics Opt-Out
Install the Google Analytics Opt-out Browser Add-on:
https://tools.google.com/dlpage/gaoptout

### Do Not Track
RRR respects Do Not Track (DNT) browser signals where technically feasible.

## Cookie Consent

### How We Obtain Consent
- Essential cookies: No consent required (necessary for service)
- Non-essential cookies: Implied consent on continued use
- You can withdraw consent by clearing cookies and adjusting settings

### Updating Preferences
To change your cookie preferences:
1. Clear existing cookies in your browser
2. Adjust browser settings as desired
3. Revisit rrr.dev to apply new preferences

## Contact
Cookie questions: privacy@rrr.dev

# ===========================================
# PUBLIC RISK REPORTS (/p/*)
# ===========================================
# URL Pattern: https://rrr.dev/p/{vendor-slug}

## What Are Public Reports?
Community-shared vendor risk assessments that anyone can access. These reports:
- Are voluntarily shared by RRR users
- Contain AI-generated risk analysis
- Show security, privacy, and pricing assessments
- May include user attribution (optional)

## Example Public Reports
- /p/slack - Slack risk assessment
- /p/notion - Notion risk assessment
- /p/dropbox - Dropbox risk assessment
- /p/zoom - Zoom risk assessment

## Report Contents
Each public report includes:
- Overall risk score (0-10)
- Security risk analysis and findings
- Privacy compliance assessment
- Pricing transparency evaluation
- Certification status (SOC 2, ISO 27001, etc.)
- Actionable recommendations
- Analysis date and methodology

# ===========================================
# CRAWLING PERMISSIONS
# ===========================================

User-agent: *
Allow: /
Allow: /pricing
Allow: /integrations
Allow: /privacy
Allow: /terms
Allow: /ai-disclosure
Allow: /docs
Allow: /contact
Allow: /cookies
Allow: /p/*
Allow: /r/*

Disallow: /dashboard
Disallow: /admin
Disallow: /superadmin
Disallow: /auth

# ===========================================
# RATE LIMITING
# ===========================================
Crawl-delay: 1

# ===========================================
# CONTACT FOR AI CRAWLERS
# ===========================================
Contact: ai-compliance@rrr.dev

# ===========================================
# SECURITY CONTACT (RFC 9116)
# ===========================================
# Security vulnerability reports: security@rrr.dev
# Security.txt location: https://rrr.dev/.well-known/security.txt
# Security Policy: https://rrr.dev/security-policy
# We appreciate responsible disclosure and aim to respond within 48 business hours.

# ===========================================
# SECURITY POLICY (Responsible Disclosure)
# URL: /security-policy
# ===========================================
# 
# How to Report Vulnerabilities:
# - Primary: security@rrr.dev
# - Alternative: Contact form with Security subject
# - Security.txt: https://rrr.dev/.well-known/security.txt
#
# What to Include in Reports:
# - Clear description of the vulnerability
# - Steps to reproduce the issue
# - Impact assessment and affected components
# - Proof of concept (screenshots, code snippets)
# - Your contact information for follow-up
#
# Response Timeline:
# - Initial acknowledgment: 48 business hours
# - Triage and assessment: 5 business days
# - Status updates: Every 7 days until resolution
# - Resolution target: 90 days for critical/high severity
#
# Safe Harbor Provisions:
# - We will not pursue legal action against good-faith researchers
# - Research is authorized under CFAA and DMCA
# - Exempt from Terms of Service testing restrictions
# - We will support researchers if third parties initiate legal action
#
# In Scope:
# - rrr.dev web application and subdomains
# - API endpoints and backend services
# - Authentication and authorization systems
# - Edge functions and serverless infrastructure
#
# Out of Scope:
# - Third-party services (Supabase, Stripe, OpenAI)
# - Social engineering, DoS attacks, physical security
# - Automated scanning without permission
# - Testing on accounts you don't own
#
# Responsible Disclosure Guidelines:
# - Do NOT access/modify other users' data
# - Do NOT disrupt service availability
# - Do NOT publicly disclose until patch is available
# - Provide 90 days for coordinated disclosure
#
# Recognition:
# - Acknowledgment in security hall of fame (with permission)
# - Written confirmation of report and resolution
# - No paid bug bounty program currently

# ===========================================
# FEATURE PAGES
# ===========================================

# ===========================================
# AI RISK ASSESSMENT FEATURE (/features/ai-risk-assessment)
# ===========================================
# URL: https://rrr.dev/features/ai-risk-assessment

## AI-Powered Vendor Risk Assessment

### How It Works
1. Enter Vendor URL: Simply paste any vendor's website URL
2. AI Analyzes: Our AI crawls trust centers, privacy policies, security pages, and pricing information
3. Get Risk Report: Receive a comprehensive report with risk scores, findings, and source citations

### Three Risk Pillars
Every vendor is analyzed across three critical dimensions:

#### Security Risk
Evaluates technical security controls, certifications, and incident response capabilities:
- Security certifications (SOC 2, ISO 27001, FedRAMP, etc.)
- Encryption and data protection measures
- Breach notification policies
- Trust center availability

#### Privacy & Legal Risk
Assesses regulatory compliance, data handling practices, and legal protections:
- GDPR, CCPA, HIPAA compliance status
- Data retention and deletion policies
- Third-party data sharing practices
- User rights and consent mechanisms

#### Commercial Risk
Analyzes pricing transparency, vendor stability, and contract flexibility:
- Pricing transparency assessment
- Contract flexibility evaluation
- Vendor lock-in indicators
- Company stability signals

### Risk Scoring Methodology
- Scores range from 1-10 (higher = higher risk)
- Low Risk (1-3): Green indicators
- Medium Risk (4-6): Amber indicators
- High Risk (7-10): Red indicators
- Every finding includes source citations for verification
- Clear distinction between verified and unverified claims

### Cross-Functional Value
Built for multiple stakeholders:
- IT & Security: Technical controls, certifications, breach response
- Legal & Compliance: Regulatory compliance, contract terms, liability
- Privacy Teams: Data handling, sharing practices, user rights
- Finance & Procurement: Pricing, vendor health, contract flexibility

### FAQs
Q: How does the AI analyze vendor risk?
A: Our AI crawls the vendor's website including privacy policies, security pages, trust centers, and pricing pages. It then analyzes this information across three risk pillars using enterprise-grade language models trained on TPRM best practices.

Q: What certifications does the AI look for?
A: The AI searches for SOC 2 Type I/II, ISO 27001, GDPR compliance, HIPAA, PCI DSS, CCPA, FedRAMP, and many more.

Q: How long does an analysis take?
A: Most analyses complete within 2-5 minutes depending on the vendor's website size and complexity.

# ===========================================
# CONTRACT ANALYSIS FEATURE (/features/contract-analysis)
# ===========================================
# URL: https://rrr.dev/features/contract-analysis
# Access: Business Tier Exclusive

## Contract Terms Deep Analysis

### Six Critical Contract Dimensions

#### 1. Indemnification
- Mutual vs one-way indemnification
- Scope and carve-outs
- Defense obligations

#### 2. Limitation of Liability
- Cap type and period
- Consequential damages exclusions
- Super cap provisions

#### 3. Warranties & SLA
- Uptime percentage guarantees
- SLA credits and remedies
- Warranty disclaimers

#### 4. Security & Breach
- Breach notification timeframes
- Audit rights
- Insurance requirements

#### 5. Termination & Exit
- Termination for convenience
- Data return/deletion commitments
- Transition assistance

#### 6. Contract Accessibility
- Public availability status
- Registration requirements
- NDA requirements flagged

### Configurable Thresholds
Business tier organizations can set specific requirements:
- Minimum liability cap (e.g., 24 months of fees)
- Maximum breach notification hours (e.g., 72 hours)
- Required termination for convenience clauses
- Minimum uptime SLA percentage

### Use Cases
- Know your leverage before vendor negotiations
- Identify red flags (one-sided indemnification, low liability caps)
- Save legal review time with structured summaries

# ===========================================
# PROCUREMENT ANALYSIS FEATURE (/features/procurement-analysis)
# ===========================================
# URL: https://rrr.dev/features/procurement-analysis
# Access: Business Tier Exclusive

## Procurement & Financial Analysis

### Six Financial Analysis Areas

#### 1. Pricing Model Analysis
- Pricing transparency assessment
- Model type (per-seat, usage, flat)
- Base price and minimums

#### 2. Hidden Costs Detection
- Implementation fees
- Training and onboarding costs
- Overage and integration fees

#### 3. TCO (Total Cost of Ownership) Analysis
- Year one estimate
- Ongoing costs breakdown
- Implementation complexity rating

#### 4. Exit Cost Analysis
- Data export fees
- Termination penalties
- Migration effort estimate

#### 5. Vendor Financial Health
- Funding stage and investors
- Years in business
- Market presence signals

#### 6. Contract Flexibility
- Free trial availability
- Billing model options
- Discount availability

### TCO Framework
The listed price is rarely the true cost. Our TCO framework calculates:
1. Base Subscription Cost: Monthly/annual fees × contract length
2. Implementation & Setup: One-time fees, professional services, training
3. Ongoing Variable Costs: Overages, add-ons, premium support
4. Exit Costs: Data export, termination fees, migration

### Negotiation Intelligence
- Discount potential identification
- Market position analysis
- Cost reduction suggestions

# ===========================================
# CERTIFICATION REQUIREMENTS FEATURE (/features/certification-requirements)
# ===========================================
# URL: https://rrr.dev/features/certification-requirements
# Access: Free tier basic discovery, Business tier full gap analysis

## Certification Requirements & Gap Analysis

### Overview
Configure vendor certification requirements with 100+ certifications across 7 categories.
Ensure every vendor meets your organization's compliance standards with AI-powered gap analysis.

### 7 Certification Categories

#### 1. AI & Machine Learning (12 certifications)
- AI TRiSM Framework
- ISO 42001
- NIST AI RMF
- EU AI Act Compliance

#### 2. Security (25 certifications)
- SOC 2 Type II
- ISO 27001
- PCI DSS
- CSA STAR

#### 3. Privacy (18 certifications)
- GDPR
- CCPA/CPRA
- ISO 27701
- Privacy Shield

#### 4. Healthcare (10 certifications)
- HIPAA
- HITRUST CSF
- HITECH
- FDA 21 CFR Part 11

#### 5. Government (14 certifications)
- FedRAMP
- StateRAMP
- CMMC
- FISMA

#### 6. Financial Services (12 certifications)
- SOX
- GLBA
- PCI DSS
- FINRA

#### 7. Regional (15 certifications)
- Cyber Essentials (UK)
- IRAP (Australia)
- C5 (Germany)
- ISMAP (Japan)

### AI-Powered Suggestions
- Enter your domain and AI suggests relevant certifications
- Suggestions based on industry, location, and regulatory environment
- Healthcare orgs get HIPAA, HITRUST, HITECH
- EU companies see GDPR and regional requirements
- Financial services get PCI DSS, SOX, GLBA
- Accept or reject each suggestion

### Importance Levels & Risk Impact
- REQUIRED: Missing certifications generate HIGH risk findings
- RECOMMENDED: Missing certifications generate MEDIUM risk findings
- NICE TO HAVE: Noted in reports but no risk penalty

### Gap Analysis Workflow (Business Tier)
1. Configure Requirements: Select expected certifications, set importance levels
2. Analyze Vendor: AI searches for each certification in your requirements
3. Review Gap Analysis: See which certs are present, missing, or unverified
4. Take Action: Use findings in negotiations or risk acceptance decisions

### Custom Certifications
- Add proprietary or niche certifications
- Specify category, importance, and reason
- Full flexibility for specialized compliance needs

### FAQ
Q: What certifications are supported?
A: 100+ industry certifications across 7 categories. You can also add custom certifications.

Q: How does gap analysis affect risk scores?
A: Required certifications generate HIGH risk if missing. Recommended generate MEDIUM risk.

Q: What's the difference between free and Business tier?
A: Free includes basic discovery. Business adds full gap analysis with automatic flagging.

# ===========================================
# COMPARE ALTERNATIVES PAGE (/alternatives)
# ===========================================
# URL: https://rrr.dev/alternatives

## Hero Section
Title: "AI-Powered Vendor Risk Management Built for Cross-Functional Teams"
Subtitle: Move beyond questionnaire-based TPRM. Get instant vendor insights from a URL, multi-dimensional risk analysis, and intelligence that serves security, legal, finance, and procurement teams.

## The Problem: Legacy TPRM Is Broken
Traditional vendor risk management was designed for a world with fewer vendors, slower procurement cycles, and security-only stakeholders.

### Pain Points with Legacy Solutions
1. Questionnaire Fatigue - Endless vendor questionnaires taking weeks to complete, providing point-in-time snapshots that are outdated before completion
2. Months to First Insight - 6+ month implementation projects with professional services, training, and complex configurations before seeing value
3. Security-Only Focus - Designed for security teams, leaving legal, finance, and procurement without the contract, pricing, and commercial intelligence they need
4. Generic, Context-Free Ratings - One-size-fits-all risk scores that don't account for industry, compliance requirements, or specific risk tolerance

## The RRR Difference

### AI-Native Architecture (vs. questionnaire-based)
Built on AI from day one, not questionnaires with AI bolted on. Analyze any vendor from just a URL in minutes.

### Minutes to Insight (vs. months of implementation)
Enter a URL. Get comprehensive risk intelligence. No implementation project, no professional services, no waiting.

### Multi-Dimensional Analysis (vs. security-only focus)
Security + Privacy/Legal + Commercial risk analysis. Contract terms. Procurement intelligence. Certification gaps.

### Organization-Aware Intelligence (vs. generic ratings)
Custom context injection tailors every assessment to your industry, compliance needs, and risk tolerance.

## Cross-Functional Stakeholder Value

### Security Teams
- Instant security posture assessment
- Certification verification and gap analysis
- Shadow IT and Shadow AI discovery
- Continuous vendor monitoring

### Legal & Compliance Teams
- Contract terms deep analysis
- Privacy policy evaluation
- Regulatory compliance mapping
- Liability and indemnification review

### Finance & Procurement Teams
- TCO and hidden cost analysis
- Vendor financial health assessment
- Exit cost and lock-in evaluation
- Negotiation intelligence

### IT Operations
- Automatic Shadow IT discovery
- Integration with existing systems
- Vendor consolidation insights
- Usage pattern analysis

## Capability Comparison Matrix

| Capability | RRR | Legacy TPRM |
|------------|-----|-------------|
| AI-powered real-time analysis | ✓ | ✗ |
| No vendor participation required | ✓ | ✗ |
| Minutes to first assessment | ✓ | ✗ |
| Multi-dimensional risk analysis | ✓ | ✗ |
| Contract terms deep analysis | ✓ | ✗ |
| TCO and procurement intelligence | ✓ | ✗ |
| Organization-specific context | ✓ | ✗ |
| Automatic Shadow IT discovery | ✓ | Partial |
| Certification gap analysis | ✓ | Partial |
| Cross-functional stakeholder support | ✓ | ✗ |
| Assessment version history | ✓ | Partial |
| No implementation project required | ✓ | ✗ |

## Built For

### Fast-Growing Companies
Scale vendor oversight without scaling headcount. Get enterprise-grade risk intelligence without enterprise implementation timelines.

### Cross-Functional Teams
Bridge the gap between security, legal, finance, and procurement with intelligence that serves all stakeholders.

### Compliance-Driven Organizations
Map vendor risks to SOC 2, HIPAA, GDPR, and other frameworks. Demonstrate due diligence with comprehensive audit trails.

### Shadow IT/AI Concerned Teams
Discover unsanctioned tools across your organization before they become security incidents or compliance violations.

## FAQ

Q: How does RRR differ from traditional TPRM solutions?
A: RRR is AI-native from the ground up, delivering instant vendor insights from a URL alone. No questionnaires, no vendor participation, no months-long implementations.

Q: Can RRR replace our existing TPRM process?
A: RRR can serve as your primary vendor risk assessment platform or complement existing processes by providing rapid initial assessments, continuous monitoring, and cross-functional intelligence.

Q: What makes RRR's multi-dimensional analysis different?
A: Unlike traditional security-focused ratings, RRR analyzes vendors across Security, Privacy/Legal, and Commercial/Financial dimensions. Business tier adds Contract Terms Deep Analysis and Procurement Intelligence.

Q: How does Shadow IT Discovery work without accessing sensitive data?
A: RRR integrates with existing systems through metadata analysis: we see what apps are in use, not the content within them. This privacy-first approach provides visibility without security concerns.

Q: Is RRR suitable for enterprise organizations?
A: Yes. Business tier provides custom organizational context, certification gap analysis, contract intelligence, and procurement analysis. Enterprise tier adds SSO/SAML, dedicated support, and SLAs.

Q: How quickly can we see value from RRR?
A: Run your first vendor assessment within minutes. Just enter a URL. Shadow IT Discovery begins surfacing unknown vendors immediately after connecting integrations.

# ===========================================
# COMPETITOR COMPARISON PAGES
# ===========================================

# ===========================================
# COMPARE LANDING PAGE (/compare)
# ===========================================
# URL: https://rrr.dev/compare

## Overview
Filterable comparison grid of 18 TPRM competitors organized by category:
- Security Rating Platforms: BitSight, SecurityScorecard, RiskRecon, Black Kite
- Traditional TPRM: OneTrust, Prevalent, ProcessUnity
- GRC + VRM: Vanta, Drata, Sprinto, Scrut, MetricStream
- Hybrid: UpGuard, Panorays
- Shadow IT Discovery: Flexera, ConductorOne, Nudge Security, Zylo

## Quick Comparison Table
RRR advantages over all competitor categories:
- AI-Native Analysis: Full support (competitors: limited or none)
- No Questionnaires Required: Yes (competitors: mostly require questionnaires)
- Multi-Dimensional Risk: Security + Privacy + Commercial (competitors: security-focused)
- Contract Terms Analysis: Business tier (competitors: not available)
- Procurement Intelligence: Business tier (competitors: not available)
- Organization-Aware Context: Yes (competitors: generic ratings)
- Shadow IT Discovery: Yes (competitors: limited)
- Minutes to First Assessment: Yes (competitors: weeks to months)

# ===========================================
# VANTA COMPARISON (/compare/vanta)
# ===========================================
# URL: https://rrr.dev/compare/vanta

## Hero
Title: "TPRM Excellence vs Compliance Platform Feature"
Subtitle: Vanta helps you get certified. RRR helps you evaluate if your vendors measure up.

## Key Differentiators
- Purpose-built for TPRM vs VRM as compliance platform add-on
- No vendor participation needed vs questionnaire workflows
- Contract & procurement intelligence (Business tier)
- Cross-functional value beyond compliance teams

# ===========================================
# DRATA COMPARISON (/compare/drata)
# ===========================================
# URL: https://rrr.dev/compare/drata

## Hero
Title: "Complete Vendor Intelligence vs GRC Module"
Subtitle: Drata automates your compliance. RRR analyzes your vendors.

## Key Differentiators
- TPRM-focused platform vs VRM module in GRC suite
- True AI-native analysis eliminates questionnaires entirely
- Contract & procurement intelligence (Business tier)
- Multi-dimensional analysis by default

# ===========================================
# PREVALENT COMPARISON (/compare/prevalent)
# ===========================================
# URL: https://rrr.dev/compare/prevalent

## Hero
Title: "AI-Native vs AI-Bolted-On TPRM"

## Key Differentiators
- AI-native from day one vs AI features added to legacy questionnaire platform
- Self-service deployment vs professional services required
- Minutes to first assessment vs lengthy implementation
- Contract & procurement intelligence (Business tier)

# ===========================================
# PROCESSUNITY COMPARISON (/compare/processunity)
# ===========================================
# URL: https://rrr.dev/compare/processunity

## Hero
Title: "Escape Questionnaire Workflows"

## Key Differentiators
- Instant AI analysis vs complex workflow automation
- Self-service vs professional services
- Cross-functional value vs security team focus
- Contract & procurement intelligence (Business tier)

# ===========================================
# PANORAYS COMPARISON (/compare/panorays)
# ===========================================
# URL: https://rrr.dev/compare/panorays

## Hero
Title: "Complete Vendor Intelligence Beyond Cyber Risk"

## Key Differentiators
- Multi-dimensional analysis (Security + Privacy + Commercial) vs cyber-focused
- Zero questionnaire dependency vs automated questionnaires
- Contract & procurement intelligence (Business tier)
- Cross-functional stakeholder support

# ===========================================
# SPRINTO COMPARISON (/compare/sprinto)
# ===========================================
# URL: https://rrr.dev/compare/sprinto

## Hero
Title: "TPRM Excellence vs Compliance Platform Feature"

## Key Differentiators
- Purpose-built for TPRM vs VRM as GRC feature
- Instant AI-powered analysis vs questionnaire workflows
- Multi-dimensional analysis vs compliance checklist focus
- Contract & procurement intelligence (Business tier)

# ===========================================
# SCRUT COMPARISON (/compare/scrut)
# ===========================================
# URL: https://rrr.dev/compare/scrut

## Hero
Title: "Dedicated TPRM vs GRC Module"

## Key Differentiators
- Dedicated vendor risk intelligence vs VRM module
- Instant AI analysis vs workflow dependency
- Multi-dimensional risk coverage vs compliance focus
- Contract & procurement intelligence (Business tier)

# ===========================================
# BITSIGHT COMPARISON (/compare/bitsight)
# ===========================================
# URL: https://rrr.dev/compare/bitsight

## Hero
Title: "Looking Beyond Security Ratings?"
Subtitle: BitSight provides security-focused external ratings. RRR delivers multi-dimensional vendor intelligence (Security, Privacy, Legal, Commercial, and Procurement) with organization-specific context for your entire team.

## Key Differentiators: RRR vs BitSight

### Multi-Dimensional Analysis
BitSight focuses on security ratings from external scanning. RRR analyzes Security, Privacy/Legal, AND Commercial risks, serving your entire vendor evaluation team, not just security.

### Organization-Aware Intelligence
BitSight provides generic industry ratings. RRR injects your organization's specific context (industry, compliance needs, certification requirements) into every assessment for tailored insights.

### Contract & Procurement Analysis (Business Tier)
BitSight doesn't analyze contracts or pricing. RRR's Business tier delivers deep contract terms analysis (liability, indemnification, termination) and TCO/procurement intelligence.

### Minutes to Insight
BitSight requires complex implementation. RRR delivers comprehensive risk intelligence from just a URL. Enter a vendor, get instant analysis.

## When to Choose RRR Over BitSight
- Analysis that serves Security, Legal, Finance, AND Procurement teams
- Contract terms intelligence (indemnification, liability, termination clauses)
- TCO analysis and hidden cost detection for procurement decisions
- Organization-specific certification gap analysis
- Instant assessments without lengthy implementation

# ===========================================
# SECURITYSCORECARD COMPARISON (/compare/securityscorecard)
# ===========================================
# URL: https://rrr.dev/compare/securityscorecard

## Hero
Title: "Vendor Risk Intelligence for Your Entire Organization"
Subtitle: SecurityScorecard delivers security ratings for security teams. RRR provides multi-dimensional vendor intelligence (Security, Privacy, Legal, Commercial) that serves your entire vendor evaluation team.

## Key Differentiators: RRR vs SecurityScorecard

### Cross-Functional Value
SecurityScorecard is built for security teams. RRR serves your entire vendor evaluation team: Security, Legal/Compliance, Privacy, Finance, and Procurement.

### Privacy & Legal Deep Analysis
SecurityScorecard focuses on technical security signals. RRR analyzes privacy policies, data handling practices, GDPR/CCPA compliance, and contractual legal terms.

### Shadow IT Discovery
RRR integrates with Google Workspace, Microsoft 365, Okta, Vanta, Drata, and expense systems to discover unsanctioned tools through internal app usage.

### Contract & Procurement Intelligence (Business Tier)
RRR's Business tier delivers contract terms analysis and procurement intelligence (TCO, hidden costs, exit costs).

## When to Choose RRR Over SecurityScorecard
- Vendor intelligence that serves Legal, Finance, and Procurement, not just Security
- Privacy policy and data handling analysis for compliance teams
- Contract terms deep analysis
- Shadow IT discovery through identity and expense system integrations

# ===========================================
# UPGUARD COMPARISON (/compare/upguard)
# ===========================================
# URL: https://rrr.dev/compare/upguard

## Hero
Title: "AI-Native Vendor Intelligence"
Subtitle: UpGuard combines ratings with vendor questionnaires. RRR delivers instant AI-powered analysis. No questionnaires, no vendor participation, no waiting weeks for responses.

## Key Differentiators: RRR vs UpGuard

### AI-Native, Not Questionnaire-Based
UpGuard combines security ratings with vendor questionnaires that require vendor participation. RRR is AI-native. Enter a URL and get comprehensive analysis without any vendor involvement.

### Minutes, Not Weeks
UpGuard questionnaire-based assessments take weeks as you wait for vendor responses. RRR delivers comprehensive risk intelligence instantly.

### Organization-Aware Context
UpGuard provides generic ratings. RRR injects your specific organizational context into every assessment.

## When to Choose RRR Over UpGuard
- Instant vendor assessments without waiting for questionnaire responses
- AI-powered analysis that doesn't require vendor participation
- Multi-dimensional analysis beyond security
- Rapid triage of new vendors

# ===========================================
# RISKRECON COMPARISON (/compare/riskrecon)
# ===========================================
# URL: https://rrr.dev/compare/riskrecon

## Hero
Title: "Organization-Aware Vendor Assessment"
Subtitle: RiskRecon provides generic security ratings. RRR delivers vendor intelligence tailored to YOUR organization: your industry, your compliance needs, your certification requirements.

## Key Differentiators: RRR vs RiskRecon

### Organization-Aware Assessment
RiskRecon provides generic security ratings. RRR injects YOUR organization's context (industry, compliance needs, risk tolerance, certification requirements) into every assessment.

### Your Certification Requirements
RiskRecon checks for standard certifications. RRR compares vendor certifications against YOUR specific requirements: Required vs Recommended vs Nice-to-Have.

### Cross-Functional Intelligence
RiskRecon serves security teams. RRR provides analysis for Security, Legal/Compliance, Privacy, Finance, and Procurement.

## When to Choose RRR Over RiskRecon
- Vendor assessments tailored to YOUR organization's specific context
- Certification gap analysis against YOUR requirements
- Multi-dimensional analysis serving all stakeholders

# ===========================================
# BLACK KITE COMPARISON (/compare/blackkite)
# ===========================================
# URL: https://rrr.dev/compare/blackkite

## Hero
Title: "Complete Vendor Risk Analysis"
Subtitle: Black Kite quantifies cyber risk in dollars. RRR provides complete vendor intelligence (Security, Privacy, Legal, Commercial, Contract Terms, and Procurement) for comprehensive due diligence.

## Key Differentiators: RRR vs Black Kite

### Complete Vendor Analysis
Black Kite focuses on cyber risk quantification and financial impact modeling. RRR provides complete vendor analysis: Security + Privacy/Legal + Commercial + Contract Terms + Procurement Intelligence.

### Contract Terms Deep Analysis (Business Tier)
Black Kite doesn't analyze vendor contracts. RRR's Business tier examines indemnification, liability caps, warranty terms, breach notification, termination clauses.

### Procurement Intelligence
Beyond financial impact modeling, RRR analyzes real procurement concerns: TCO, hidden costs, exit costs, vendor financial health, negotiation leverage.

## When to Choose RRR Over Black Kite
- Complete vendor due diligence beyond just cyber risk
- Contract terms intelligence
- TCO analysis and practical procurement intelligence
- Cross-functional reports for legal, finance, procurement

# ===========================================
# ONETRUST TPRM COMPARISON (/compare/onetrust)
# ===========================================
# URL: https://rrr.dev/compare/onetrust

## Hero
Title: "Escape Questionnaire Fatigue"
Subtitle: OneTrust TPRM centers on vendor questionnaires. RRR delivers instant AI-powered vendor intelligence. No questionnaires, no vendor participation, no waiting weeks for responses.

## Key Differentiators: RRR vs OneTrust TPRM

### Escape Questionnaire Fatigue
OneTrust TPRM centers on sending, tracking, and managing vendor questionnaires. RRR's AI analyzes vendor risk from publicly available information. No questionnaires, no vendor participation.

### Minutes vs Months
OneTrust implementations take months with questionnaire setup and vendor onboarding. RRR delivers your first vendor assessment in minutes.

### Focused TPRM Excellence
OneTrust spreads across privacy, GRC, consent, and TPRM. RRR is laser-focused on vendor risk intelligence. Deeper, faster insights without platform complexity.

### Contract & Procurement Intelligence (Business Tier)
OneTrust tracks questionnaire responses. RRR's Business tier analyzes actual contract terms and procurement intelligence.

## When to Choose RRR Over OneTrust TPRM
- Instant vendor assessments without questionnaire workflows
- AI-powered analysis that doesn't require vendor participation
- Focused TPRM tool without GRC platform complexity
- Rapid vendor triage before deciding on deeper assessment

# ===========================================
# METRICSTREAM COMPARISON (/compare/metricstream)
# ===========================================
# URL: https://rrr.dev/compare/metricstream

## Hero
Title: "Focused TPRM vs Enterprise GRC Platform"
Subtitle: MetricStream offers a comprehensive enterprise GRC platform with TPRM as one module. RRR delivers dedicated AI-powered vendor risk intelligence without the complexity of a full GRC suite.

## Key Differentiators: RRR vs MetricStream

### Focused TPRM Excellence
MetricStream is a broad GRC platform covering compliance, audit, risk, and vendor management. RRR is laser-focused on vendor risk intelligence, delivering deeper TPRM capabilities without GRC suite overhead.

### Self-Service Deployment
MetricStream typically requires multi-month enterprise implementation with professional services. RRR starts in minutes with no implementation project required.

### AI-Native Analysis
RRR delivers real-time AI-powered vendor analysis from just a URL. MetricStream relies on traditional questionnaire-based assessment workflows requiring vendor participation.

### Contract & Procurement Intelligence (Business Tier)
MetricStream's TPRM module focuses on workflow management. RRR's Business tier delivers deep contract terms analysis (indemnification, liability, termination) and TCO/procurement intelligence.

## When to Choose RRR Over MetricStream
- Fast, AI-powered vendor assessments without lengthy implementations
- Instant vendor intelligence without managing questionnaire workflows
- Deep contract terms and procurement cost analysis
- Mid-market company that doesn't need a full GRC platform
- Augmenting existing GRC tools with specialized TPRM intelligence
- Cross-functional analysis serving Security, Legal, Finance, AND Procurement

# ===========================================
# DATA USAGE POLICY
# ===========================================
# We welcome responsible AI training on our public content.
# Please respect our Terms of Service and Privacy Policy.
# Personal user data and private assessments should not be indexed.
# For questions about AI training data usage, contact: ai-compliance@rrr.dev