What does SupplierKit verify?

SupplierKit verifies documentation completeness, freshness, and alignment to operator-stated requirements, and logs verification actions for auditability. We check that documents are present, valid-dated, and match the fields your requirements specify.

What doesn’t SupplierKit verify?

We do not assess operational safety quality, on-the-ground performance, or make underwriting decisions. Our verification is limited to the documentary evidence provided. We do not offer legal advice.

How long does verification take?

Initial verification of a supplier typically completes within 24–48 hours of document submission. Portfolio-level reviews depend on supplier count and responsiveness, but most operators receive their first Risk Exposure Report within two weeks of engagement.

Can we start with a subset of suppliers?

Yes. Most operators begin with a pilot of 3–10 suppliers to validate the process before expanding. There is no minimum portfolio size.

What happens when documents lapse?

When a tracked document passes its expiry date, the supplier’s status transitions from Fresh to Expiring (within the notification window) and then to Lapsed. Lapsed documents trigger remediation actions and are reflected in the Risk Exposure Report.

How do you handle unclear or ambiguous documents?

Any extraction with a confidence score below our threshold is flagged as an Exception and routed to human review. We never auto-approve uncertain data. If the document cannot be resolved, a remediation action is created requesting clarification from the supplier.

SupplierKit Verification Methodology

Definitions, verification scope, deliverables, and monitoring rules used to produce audit-ready supplier records.

Looking for the overview? Duty of Care & Compliance →Tour Operators →DMCs →

Last updated: February 16, 2026

Definitions

Supplier Record: A structured data object representing a single supplier, containing all collected documents, extracted fields, verification results, and status history.
Verification Certificate: A per-supplier PDF summarising which requirements were checked, what evidence was found, and the resulting status. Includes reviewer notes and timestamps.
Risk Exposure Report: A portfolio-level summary showing the Red / Yellow / Green status of every supplier against the operator’s stated requirements.
Remediation Action: A specific, documented next step generated when a gap is found: what is missing, who needs to act, and by when.
Monitoring / Freshness: The ongoing process of tracking document expiry dates and re-verification triggers to ensure records remain current.
Exception: Any item where automated extraction produces a low-confidence result or where the evidence is ambiguous. Exceptions are always routed to human review.
Audit Trail: A chronological, immutable log of every verification action taken on a supplier record: who reviewed, what changed, and when.
Operator Pack: A bundled export containing all Verification Certificates and the Risk Exposure Report for a given operator, formatted for insurer or auditor submission.

What we verify

Document presence vs required list — confirming that every document type the operator requires has been submitted.
Document validity signals — dates, named insured, carrier, policy number, and other key fields where present.
Requirement matching — extracted values checked against operator-stated minimums (e.g. coverage thresholds).
Freshness and expiry logic — tracking document dates against renewal windows and flagging upcoming lapses.
Evidence packaging — time-stamped results and reviewer notes compiled into exportable Verification Certificates.

What we don’t verify

Operational safety quality, on-the-ground performance, or supplier conduct.
Underwriting decisions or actuarial assessments of insurance policies.
Anything not evidenced in the materials provided to us.

Disclaimer: SupplierKit's verification reflects documentation posture against stated requirements. It does not constitute legal advice, an insurance opinion, or an endorsement of any supplier's operational safety.

Inputs

What we need from you to begin verification.

Supplier list — CSV with company name, country, contact email (minimum required fields). Additional columns (supplier type, region) accepted.
Operator requirements — a document or description of what you require from each supplier (insurance minimums, licence types, commercial terms).
Supplier / DMC submissions — PDF, JPG, PNG, or DOCX files. Scanned documents and photos accepted.

Outputs

What you receive after verification.

Risk Exposure Report — portfolio-level summary: Red / Yellow / Green per supplier, gap counts, and aggregate readiness score.
Verification Certificate — per supplier: document type, extracted fields, match result, reviewer notes, timestamps, and overall status.
Remediation Plan — per gap: what is missing, who needs to act, and a suggested deadline.
Clean export (CSV) — normalised field mapping: one row per supplier, columns for every tracked requirement and its status.

Risk grading logic

Each supplier receives a status based on their documentation posture relative to the operator's stated requirements. Grading reflects evidence completeness, not supplier quality.

GREEN

Requirements met

All required document types present
Key fields extracted and validated
Coverage or values meet stated minimums
All documents within validity period
No open remediation actions

YELLOW

Attention needed

One or more documents expiring within notification window
Minor field mismatches or ambiguous extractions under review
Coverage close to but not clearly below minimums
Open remediation actions with pending supplier response

RED

Gap identified

Required documents missing entirely
Documents expired past grace period
Coverage confirmed below operator minimums
Unresolved exceptions after follow-up attempts
Supplier unresponsive to remediation requests

Exceptions and audit trail

Exception handling

When automated extraction produces a low-confidence result or the evidence is ambiguous, the item is flagged as an Exception. Exceptions are never auto-approved. A human reviewer examines the source document, records a finding, and either resolves the item or creates a Remediation Action requesting clarification from the supplier.

What gets logged

Every verification action (extraction, match, approval, or rejection)
Reviewer identity and notes for all human-reviewed items
Timestamp for every state change (ISO 8601)

Follow-up tracking

Remediation Actions are tracked until resolved. Each follow-up attempt (email, notification) is recorded in the audit trail with a timestamp and outcome. If a supplier remains unresponsive after the defined follow-up cadence, the status escalates to Red.

Monitoring and freshness rules

Documents with expiry dates are tracked through a defined lifecycle. Notification cadence is designed to give suppliers time to act before a lapse affects their status.

Lifecycle states

FRESHDocument within validity period. No action required.
EXPIRINGDocument enters notification window (90 / 60 / 30 days before expiry). Supplier receives renewal reminders.
LAPSEDDocument past expiry date. Supplier status affected. Remediation Action created automatically.

Notification cadence

90 days before expiry: first renewal reminder
60 days before expiry: second reminder
30 days before expiry: urgent reminder
On expiry: status transitions to Lapsed; operator notified

Re-verification

When a supplier submits a renewed document, it goes through the same extraction and verification process. On successful verification, the status returns to Fresh and the cycle resets.

Note: SupplierKit cannot guarantee that suppliers will respond to renewal reminders. Notification delivery and supplier responsiveness are outside our control.

Data protection and access

Encryption

All documents and data are encrypted in transit (TLS 1.2+) and at rest (AES-256). Encryption keys are managed through AWS Key Management Service.

Hosting region

All data is hosted in European Union data centres (AWS eu-central-1, Frankfurt). GDPR-aligned by design.

Access control

Role-based access with least-privilege principles. Only team members assigned to your verification can access your documents. No cross-client data exposure.

Retention and deletion

Documents are retained for the duration of the service relationship. Deletion requests are processed in accordance with our Privacy Policy. For full legal terms, see our Terms of Service.

Exports and system compatibility

All verification data can be exported as a normalised CSV with one row per supplier and columns for every tracked requirement and its current status. Field mapping is consistent across exports to support integration with existing systems.

CSV export — normalised schema, one row per supplier, consistent column naming.
PDF export — Verification Certificates and Risk Exposure Reports as formatted PDFs.
Operator Pack — bundled export containing all certificates and the portfolio report.

No system replacement required. SupplierKit outputs are designed to feed into your existing compliance workflows.

Common questions

Next steps

Duty of Care & Compliance overview →For Tour Operators →For DMCs →Resources →

Talk to our team