
Supply Chain Due Diligence Software for CSDDD

Supply chain due diligence software reads every supplier code of conduct, certificate, and audit on arrival - flagging risk before a CSDDD finding.

Updated May 23, 2026
Use Case
Supply chain due diligence · The risk in tier two

Supply chain due diligence for the violation before the headline.

Sopact is the risk-intelligence layer for supply chain due diligence. It reads every code of conduct, certificate, and audit report your suppliers submit — the moment it lands — and surfaces the labor, environmental, or governance risk before it becomes a CSDDD finding or a forced-labor headline. It is built for the procurement, supply-chain, and compliance teams who answer for what their suppliers do.

  • On arrival: every supplier document read the day it lands
  • Tier 1-3: risk traced through the supplier tiers
  • 1 record: every supplier, one continuous file
  • Cited: every flag traceable to its source
Two ways to run supplier diligence

Onboarding clears the supplier. The risk arrives later.

Most supply chain due diligence is a gate: a questionnaire run once, when a supplier is onboarded. The labor and environmental risk it screens for does not stop at approval. Here is the same supplier, run both ways.

Onboarding diligence · A one-time gate, run once at supplier onboarding
  • Week 1 · Send: the onboarding questionnaire goes out to the new supplier.
  • Week 3 · Collect: answers, certificates, and a code of conduct come back.
  • Week 4 · Score: the answers tally to a score. The certificates are filed.
  • Approved · Onboard: the supplier clears the gate and joins the chain.
  • Months later · Violation: a labor or environmental issue surfaces — in an audit or the news.
Exposure window — the questionnaire was a snapshot; the supplier risk kept moving after approval

An onboarding form is a point in time. It clears the supplier on the answer the supplier chose to give — and goes quiet until the next annual audit.

Continuous supplier diligence · A live layer, runs on every supplier document
  • On arrival · Read: every answer, certificate, audit, and report is read as it lands.
  • Same day · Score: read against the risk framework you defined, tier by tier.
  • Week 1 · Flag: the red flag surfaces before it becomes a finding.
  • Every update · Re-read: each new audit, grievance, and report keeps the file live.
Covered past onboarding — every new audit, certificate, and grievance read as it arrives

Continuous diligence is a layer, not a gate. It reads every supplier document on arrival — so a risk surfaces while you can still act on the relationship.

The gap between the two

It is the same supplier risk on both tracks. Onboarding names it at the violation; continuous diligence names it on arrival. The months between those two dates are the months the risk sat in your chain, undisclosed.

The short answer

What is supply chain due diligence?

The short answer

Supply chain due diligence is the process of identifying, assessing, and acting on the environmental, social, and human-rights risks in a company’s suppliers — across every tier of the chain. The weak version is a one-time onboarding questionnaire and an annual audit. The strong version reads every supplier document on arrival — the code of conduct, the certificate, the audit report, the grievance log — scores it against your framework, and keeps the diligence live for as long as the supplier relationship lasts.

Under the EU Corporate Sustainability Due Diligence Directive (CSDDD) and national supply chain acts, this is no longer optional or one-time — it is a continuous, evidenced legal duty.

Where the risk hides

Six places supply chain risk is written down — and the four nobody reads.

A supplier risk is rarely invisible. By the time it becomes a violation, it has been written down — in a questionnaire, an audit, a grievance log, a news report. Supplier diligence reads two of those places reliably. The other four are collected and filed.

Source 01 · Read
Questionnaire scores

The numeric answers on the onboarding questionnaire, tallied into a supplier score. The part diligence never struggled with.

Source 02 · Read
The tier-one list

The direct suppliers you contract with, named and tracked. The visible edge of the chain — and only the first tier of it.

Source 03 · Unread
Code of conduct attestations

The signed supplier code of conduct and the policy text behind it. Collected at onboarding, opened by no one after.

Source 04 · Unread
Certificates & audit reports

The factory audit, the social-compliance certificate, the corrective-action log. Where the real finding sits — filed as a PDF.

Source 05 · Unread
Grievance & incident logs

The worker complaint, the safety incident, the whistleblower report. The earliest signal a supplier is in trouble — and the one diligence rarely reaches.

Source 06 · Unread
News, NGO reports & sub-tier suppliers

The labor investigation, the spill, the supplier’s own suppliers two tiers down. Public, consequential, and outside every onboarding form.

Where the violation lives

The four unread sources are where the supply chain violation actually sits. A diligence that scores only the questionnaire is reading the answer the supplier chose to give — not the risk three tiers down.

The checklist

The supply chain due diligence checklist — and the question under every line.

A supply chain due diligence checklist covers three domains of supplier risk. The scope below is the standard, aligned to the OECD guidance and CSDDD. What decides whether the diligence works is not which boxes are on the list — it is whether anyone read the document behind each one.

Environmental
The environmental checklist
  • Emissions and energy use
  • Water, waste, and pollution
  • Hazardous materials handling
  • Environmental permits and breaches
  • Climate and resource risk
  • Site environmental audits
Labor & human rights
The labor checklist
  • Forced labor and modern slavery
  • Child labor safeguards
  • Wages, hours, and contracts
  • Health and safety on site
  • Freedom of association
  • A working grievance mechanism
Governance & ethics
The governance checklist
  • Anti-bribery and corruption controls
  • Code of conduct adoption
  • Sub-tier supplier visibility
  • Conflict minerals and sourcing
  • Data and IP protection
  • Sanctions and ownership screening
Use the checklist — then read behind it

These eighteen lines are the standard supply chain due diligence scope. But a checklist is a list of questions, not a verdict. The diligence is only as strong as the reading behind each box — and across hundreds of suppliers, that reading almost never happens.

The big picture

Supply chain due diligence was voluntary. CSDDD made it law.

For decades, supply chain due diligence was a corporate-responsibility program. A code of conduct was published, suppliers signed it, an annual audit covered the highest-risk sites, and a sustainability report described the effort. It was voluntary, and it was judged on intent.

Regulation closed that era. Germany’s Supply Chain Act, the EU’s Corporate Sustainability Due Diligence Directive, and similar laws elsewhere make supply chain due diligence a legal duty — companies must identify, prevent, and remediate human-rights and environmental harms across their chains, operate a grievance mechanism, and evidence the work. A signed code of conduct is no longer diligence. It is a starting point a regulator expects you to have read.

Meanwhile the documents kept arriving — the audits, the certificates, the grievances, the news — and the onboarding form had no way to read them. So the value moved. It is no longer in the questionnaire or the supplier score. It is in the layer that reads every supplier document on arrival and keeps the diligence current. The voluntary era published a policy. The regulated era has to prove it read one.

What this does not mean

This is not an argument that questionnaires and audits are useless — they remain the way supplier evidence is gathered. It is an argument that gathering supplier evidence and reading it are two different jobs — and the regulator now asks for the second.

What Sopact does

It reads every supplier document on arrival — and flags the red flag.

Sopact is a risk-intelligence layer that reads what supply chain diligence already collects. It does not replace your procurement system or your supplier portal. It reads the material those systems gather and never interpret — the code of conduct attestations, the certificates, the audit reports, the grievance logs, the public coverage — against the risk framework you defined, the moment each document arrives.

Three things happen on every supplier document, in order. None of them waits for the annual review.

1 · Read on arrival

Every questionnaire answer, certificate, audit report, and grievance log is read the day it lands — in any language a supplier writes in, tied to one record per supplier. Nothing is filed unread.

2 · Score against your framework

Each document is scored on the labor, environmental, and governance risks you defined — an expired certificate, a failed audit clause, a grievance pattern — with the source sentence kept behind every flag, tier by tier.

3 · Flag and route

A standing risk view shows which suppliers are exposed, across every tier of the chain. The red flag surfaces while you can still act — a corrective-action plan, a re-audit, a sourcing decision — and the evidence is board-ready and audit-ready.

Why reading on arrival is the difference

A supplier audit read at the annual review is a record of a violation. The same audit read on arrival is a chance to require a fix before it spreads. The only variable is when it gets read.

The questionnaire

The supplier questionnaire scales the sending. It does not scale the reading.

Sending a supplier code of conduct questionnaire to a thousand suppliers is the part that already works. Reading the thousand sets of answers and attachments that come back is the part that does not.

The supplier questionnaire as it works now

You send a code of conduct questionnaire to every supplier. They sign it, answer the numeric questions, and attach their certificates and policies. The signatures are logged, the scores tally, the attachments are filed in the supplier portal. At a thousand suppliers, no one reads the attachments — the volume is the whole problem.

Signatures logged · Attachments filed unread · Volume defeats review · Onboarding only

The supplier questionnaire, read on arrival

The same questionnaires arrive, and every one is read — the answers, the signed code of conduct, every attached certificate and audit — against the framework you defined. An expired certificate, a contradicted clause, a weak answer is flagged. The volume stops being the problem, because the reading no longer depends on a person.

Every attachment read · Reads at any volume · Contradictions flagged · Cited to the source
The one question to ask

Ask of any supplier questionnaire platform: at a thousand suppliers, who reads the thousandth set of attachments? If the honest answer is “no one,” the platform scales the sending and leaves the diligence undone.

AI in supply chain due diligence

What AI changes — and the question that separates the real ones.

AI is now on the label of almost every supplier diligence tool. Two paragraphs on what it genuinely changes, then the test.

What AI genuinely changes is the cost of reading supplier documents — codes of conduct, audit reports, grievance logs, news coverage — against a defined set of risks. Work that took a compliance analyst weeks of manual review now runs in minutes, and re-runs every time a new document arrives. That is the single change that makes continuous supply chain diligence possible at the scale of a real supplier base.

What AI does not change is where the reading has to sit. There is a real difference between asking a general AI to summarize a supplier file and a layer reading each document against your framework on arrival. Run the same supplier through a chat window twice and the risk rating drifts — a medium one day, a low the next — because nothing holds the definitions still.

An open AI window, on the supplier file

You paste a supplier’s documents into a chat window and ask where the risk is. It answers — once. There is no fixed definition of what counts as a red flag, no link from this supplier to the last review, and no source sentence behind the rating. Ask again next quarter and the answer has moved.

Rating drifts · No locked framework · No supplier record · Re-done by hand each review

Sopact, reading on arrival

The risk framework is defined once and held. Every supplier document is read against that same definition, tied to one record per supplier, with the source sentence kept behind every flag. Run the same supplier in March and in June and the method is identical — what changed is the supplier, not the ruler.

Locked answer · Framework defined once · One record per supplier · Cited to the source
The one question to ask

Ask any AI diligence tool: run the same supplier twice, a quarter apart — does the risk rating hold, and can you see the sentence behind it? A locked answer is a finding a regulator will accept. A drifting one is a guess with a logo.
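What "read on arrival, score against a locked framework, keep the source sentence behind every flag" looks like in practice, for both the three-step loop in the "What Sopact does" section and the locked-versus-drifting question above. This is an added illustration written for this page, not Sopact's code: the framework is a fixed rule table rather than a prompt, so the same supplier record produces the same rating on every run, and every flag carries the sentence it was raised on. The suppliers, documents, rules, the three-grievance pattern threshold and the hypothetical `Document`, `Flag`, `read_document`, `score_supplier` and `standing_view` names are all constructed for the example.

```python
"""Added illustration of a locked supplier-risk framework: every document is
read on arrival against a fixed rule table, every flag keeps the sentence it
was raised on, and two runs over the same record give the same rating.
Example code written for this page, not Sopact's implementation; the
suppliers, documents, rules and thresholds below are all constructed."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
import re


@dataclass(frozen=True)
class Document:
    supplier: str
    tier: int          # 1 = direct supplier, 2 and up = sub-tier
    kind: str          # "certificate", "audit" or "grievance"
    received: date
    text: str


@dataclass(frozen=True)
class Flag:
    supplier: str
    tier: int
    rule: str
    severity: str      # "high" or "medium"
    source: str        # the exact sentence (or phrase) the flag was raised on


# The framework is data, not a prompt: a fixed table of (severity, pattern).
# Holding it still is what keeps a rating from drifting between runs.
FRAMEWORK = {
    "audit_nonconformity": ("high", re.compile(r"\b(major non-?conformity|critical finding)\b", re.I)),
    "forced_labor_indicator": ("high", re.compile(r"\b(retained passports?|recruitment fees?)\b", re.I)),
    "wage_grievance": ("medium", re.compile(r"\b(unpaid|withheld) (wages|overtime)\b", re.I)),
}
EXPIRY = re.compile(r"valid until (\d{4}-\d{2}-\d{2})")
GRIEVANCE_PATTERN_THRESHOLD = 3   # constructed: N grievances on one rule count as a pattern
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}
AS_OF = date(2026, 3, 1)          # constructed "today" for the certificate check


def sentences(text):
    """Split a document into sentences so each flag can cite exactly one."""
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text) if s.strip()]


def read_document(doc, as_of):
    """Read one document on arrival; return every flag with its source sentence."""
    flags = []
    if doc.kind == "certificate":
        m = EXPIRY.search(doc.text)
        if m is None or date.fromisoformat(m.group(1)) < as_of:
            flags.append(Flag(doc.supplier, doc.tier, "certificate_expired", "high",
                              m.group(0) if m else "no validity date found"))
    for rule, (severity, pattern) in FRAMEWORK.items():
        for sentence in sentences(doc.text):
            if pattern.search(sentence):
                flags.append(Flag(doc.supplier, doc.tier, rule, severity, sentence))
    return flags


def score_supplier(docs, as_of):
    """Score one supplier's continuous record. Returns (rating, flags)."""
    docs = sorted(docs, key=lambda d: d.received)
    flags, grievance_hits = [], Counter()
    for doc in docs:
        doc_flags = read_document(doc, as_of)
        flags.extend(doc_flags)
        if doc.kind == "grievance":
            grievance_hits.update(f.rule for f in doc_flags)
    # A pattern across several grievances is escalated even if each one is medium.
    for rule, n in grievance_hits.items():
        if n >= GRIEVANCE_PATTERN_THRESHOLD:
            flags.append(Flag(docs[0].supplier, docs[0].tier, "grievance_pattern", "high",
                              f"{n} grievances matched {rule}"))
    rating = "low"
    for f in flags:
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[rating]:
            rating = f.severity
    return rating, flags


def standing_view(all_docs, as_of):
    """The standing risk view: {supplier: (tier, rating)} across every tier."""
    by_supplier = {}
    for doc in all_docs:
        by_supplier.setdefault(doc.supplier, []).append(doc)
    return {name: (docs[0].tier, score_supplier(docs, as_of)[0])
            for name, docs in by_supplier.items()}


# Constructed sample record: a tier-2 supplier with an expired certificate, one
# audit finding and a run of wage grievances, plus a clean tier-1 supplier.
SAMPLE_DOCS = [
    Document("Example Mill (constructed)", 2, "certificate", date(2025, 1, 10),
             "Social compliance certificate issued 2023-12-01, valid until 2025-11-30."),
    Document("Example Mill (constructed)", 2, "audit", date(2026, 1, 20),
             "Site audit summary. One major non-conformity on working hours was recorded. Fire exits were clear."),
    Document("Example Mill (constructed)", 2, "grievance", date(2026, 2, 2), "Worker reports unpaid overtime for January."),
    Document("Example Mill (constructed)", 2, "grievance", date(2026, 2, 9), "Complaint: withheld wages after a line stoppage."),
    Document("Example Mill (constructed)", 2, "grievance", date(2026, 2, 16), "Unpaid overtime again this month."),
    Document("Example Assemblers (constructed)", 1, "certificate", date(2026, 1, 5),
             "ISO 45001 certificate, valid until 2027-06-30."),
]

if __name__ == "__main__":
    rating, flags = score_supplier([d for d in SAMPLE_DOCS if d.tier == 2], AS_OF)
    print(rating)
    for f in flags:
        print(f"  [{f.severity}] {f.rule}: {f.source!r}")
    print(standing_view(SAMPLE_DOCS, AS_OF))
```

The design point is the one the section makes: the rules live in `FRAMEWORK` and `GRIEVANCE_PATTERN_THRESHOLD`, not in a free-text prompt, so re-running `score_supplier` in March and in June changes only if the documents changed, and every `Flag.source` is the sentence a reviewer or regulator can open the document to find.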

Who it is for

Built for the teams who answer for the chain.

Procurement onboarding suppliers, a sustainability team mapping risk across tiers, a compliance function meeting a CSDDD deadline — different mandates, the same job: see the supplier risk before it becomes a finding.

Procurement
Supplier onboarding & management

Hundreds of suppliers, each with a questionnaire, a code of conduct, and a stack of certificates. The risk is in the attachments the onboarding never reads.

Time

Every supplier’s documents read on arrival, not at the annual review.

Money

One layer reads the whole base — no duplicate screening across providers.

Risk

A high-risk supplier flagged before the contract is signed.

Supply chain & sustainability
Risk mapping across tiers

The real exposure is rarely in tier one. It is in the supplier’s supplier — the sub-tier no questionnaire ever reached.

Time

Risk traced through the tiers without a manual mapping exercise.

Money

Board-level supply-chain risk reporting built from the live record.

Risk

A sub-tier issue surfaced from its own documents, not from a headline.

Compliance & legal
CSDDD & supply chain acts

A continuous legal duty to identify, prevent, and remediate harms across the chain — and to evidence every step of it.

Time

The diligence file stays current and complete between audits.

Money

One layer instead of a consultancy engagement each reporting cycle.

Risk

A defensible, cited diligence record when a regulator asks.

Same loop, different mandates

Procurement, sustainability, and compliance run the same loop: a supplier document arrives, a risk is in it, someone has to read it before the deadline. They differ on the mandate and the regulator — not on where the violation hides, and not on what it costs to miss it.

Anchored in the standards

Supply chain due diligence is now a defined legal duty.

Supply chain due diligence is no longer a voluntary program. International guidance defines how it should be done, and a wave of regulation has turned that guidance into law.

OECD Guidance
The six-step standard

The OECD Due Diligence Guidance for Responsible Business Conduct defines the method — a six-step, risk-based cycle that runs continuously across the supply chain, not a one-time check.

EU CSDDD
The EU legal duty

The Corporate Sustainability Due Diligence Directive obliges in-scope companies to identify, prevent, and remediate human-rights and environmental harms across their chains — and to operate a grievance mechanism.

Supply chain acts
National law, already in force

Germany’s Supply Chain Act (LkSG) and Norway’s Transparency Act already require supply chain due diligence and public reporting — with penalties for the companies that cannot evidence it.

Authority, not a compliance badge

Sopact cites these frameworks to share their method and vocabulary — the OECD six-step cycle, the UN Guiding Principles on Business and Human Rights — not to certify against them. Compliance is a conversation for your counsel; a defensible, cited diligence record is one this page can help with.

The platform

What a supply chain due diligence platform has to actually do.

A supply chain due diligence platform is not a questionnaire portal with a dashboard. It is the set of jobs that turn the documents your suppliers submit into a risk you can act on and evidence. Sopact runs six, in one place.

Job 01
Collect

Send the supplier questionnaire and code of conduct through Sopact, or read a procurement system you already run. One record per supplier from the first document.

Job 02
Read

Every document read on arrival, in any language — the questionnaire, the code of conduct, the certificate, the audit, the grievance log. Nothing is filed unread.

Job 03
Score

Each document scored against the labor, environmental, and governance risks you defined, with the source sentence kept behind every flag.

Job 04
Connect

Every supplier’s answers, attachments, and history on one continuous record — and the risk traced from tier one to the tiers beneath it.

Job 05
Compare

The same framework applied to every supplier, every cycle — so a risk rating is comparable across the base, not improvised per reviewer.

Job 06
Report

A board-level supply-chain risk view and a CSDDD-ready diligence record, generated from the live data — every finding traceable to its source document.

See the platform read your own supplier base.

Bring a real supplier batch — a set of questionnaires, codes of conduct, and audit reports. We will run it through Sopact and show you the supplier risk read on arrival.

How to choose

Start from the supplier document that goes unread.

Most supply chain due diligence software searches start with the wrong question. “Which platform should we buy” returns a shortlist of questionnaire portals and rating services that all demo well. The useful question is narrower: walk one supplier from onboarding to its third annual review, and find the seam where the risk goes unread.

If the questionnaire is sent at scale but the attachments are never opened, the gap is reading. If every supplier is rated by a different analyst with a different definition, the gap is a locked framework. If diligence goes quiet between annual audits, the gap is continuity. If the risk in tier one is visible but tier three is dark, the gap is reach. And if a finding cannot be traced to the document it came from, the gap is evidence — the part a CSDDD audit will ask for.

That diagnosis decides whether you need a better questionnaire portal or a different layer over the whole supplier base. A team that skips it buys a faster way to send the code of conduct — and the audit report that held the real violation is still sitting in the portal, unopened.

The test

Take one supplier file from a relationship that later produced an issue. Ask of any tool you are evaluating: would this have surfaced that document before the violation? If the answer is “only if a compliance analyst had opened it,” it collects supplier diligence — it does not read risk.

FAQ

Supply chain due diligence, answered

What is supply chain due diligence?

Supply chain due diligence is the process of identifying, assessing, and acting on the environmental, social, and human-rights risks in a company’s suppliers, across every tier of the chain. The weak version is a one-time onboarding questionnaire and an annual audit. The strong version reads every supplier document on arrival — the code of conduct, the certificate, the audit report, the grievance log — scores it against a framework, and keeps the diligence live for the life of the supplier relationship.

What is supply chain due diligence software?

Supply chain due diligence software is the system a company uses to run supplier diligence — send questionnaires, store responses, track audits, and manage supplier records. The capable version goes further than storage: it reads every supplier document on arrival, scores it against a defined risk framework, keeps the source behind every flag, and maintains a continuous record per supplier. Sopact is built for the reading and the record — the parts a questionnaire portal leaves to a compliance analyst.

What is a supply chain due diligence platform?

A supply chain due diligence platform is the software layer that turns the documents suppliers submit into a risk a company can act on and evidence. A questionnaire portal collects answers; a platform reads them. The platform handles the full job: collect or connect to supplier documents, read each one on arrival, score it against a framework, connect it to a continuous supplier record, compare across the base, and produce a board-ready and audit-ready diligence record.

What is CSDDD, and what does it require?

The Corporate Sustainability Due Diligence Directive (CSDDD) is EU law requiring in-scope companies to carry out human-rights and environmental due diligence across their value chains. It obliges companies to identify and assess adverse impacts, prevent or mitigate them, operate a grievance mechanism, monitor the work, and report on it — on an ongoing basis, not once. It turns supply chain due diligence from a voluntary program into a continuous, evidenced legal duty.

What is the German Supply Chain Act (LkSG)?

The German Supply Chain Act — the Lieferkettensorgfaltspflichtengesetz, or LkSG — requires companies above a size threshold to perform human-rights and environmental due diligence on their suppliers. It mandates risk analysis, preventive measures, a complaints procedure, and annual public reporting, with financial penalties for non-compliance. It is one of several national supply chain laws, alongside Norway’s Transparency Act, that were already in force before the EU CSDDD.

What is supplier due diligence, and how is it different from supply chain due diligence?

The terms overlap. Supplier due diligence usually means examining an individual supplier — its policies, certificates, and audits — typically at onboarding. Supply chain due diligence is the broader, ongoing discipline: examining risk across the whole chain, including the sub-tier suppliers behind your direct ones, as a continuous duty under CSDDD. Supplier due diligence is a step; supply chain due diligence is the standing program that step belongs to.

What is the best way to send and score supplier code of conduct questionnaires at scale?

Sending supplier code of conduct questionnaires at scale is straightforward — most procurement systems do it. The hard part is reading the answers and attachments that come back. The best approach is a platform that reads every returned questionnaire and every attached certificate and policy on arrival, scores each against your framework, and flags the contradictions — so the diligence does not depend on a person opening the thousandth supplier’s file. Collecting the questionnaire is not the same as reading it.

How does automated or AI supplier due diligence work?

Automated or AI supplier due diligence uses AI to read supplier documents — codes of conduct, certificates, audit reports, grievance logs, news — against a defined set of risks, replacing weeks of manual analyst review. The distinction that matters is whether the AI runs against a locked framework. A general AI summarizing a supplier file drifts between runs; a layer reading each document against a fixed framework, on arrival, produces a rating that holds and a finding traceable to its source.

How does supply chain due diligence handle traceability and sub-tier suppliers?

Most supply chain risk sits below tier one — in the supplier’s own suppliers. Traceability in due diligence means following the risk down those tiers: reading the documents a tier-one supplier provides about its sources, and connecting sub-tier audits, certificates, and disclosures to the supplier record. Sopact reads and connects those documents to trace risk through the tiers; it is a risk-reading layer, not a physical goods track-and-trace system. The two are complementary.

What does board-level supply chain due diligence reporting need?

Board-level supply chain due diligence reporting needs three things a questionnaire score cannot give: a current view of risk across the whole supplier base, not a year-old snapshot; findings traceable to the source documents behind them, so the board is briefed on evidence; and the same framework applied to every supplier, so the picture is comparable. A report generated from a live, read record meets all three. A report assembled by hand from a portal export rarely does.

What is a supplier grievance mechanism, and why does CSDDD require one?

A supplier grievance mechanism is a channel through which workers and communities affected by a supply chain can raise complaints — and have them addressed. CSDDD and the German Supply Chain Act both require in-scope companies to operate one. The diligence challenge is not collecting grievances but reading them: a pattern across several complaints is an early signal of a serious problem. Reading grievance submissions on arrival, against the same framework as every other document, turns the mechanism into a risk signal.

What are the OECD six steps of supply chain due diligence?

The OECD Due Diligence Guidance defines a six-step cycle: embed responsible business conduct into policies and management; identify and assess actual and potential adverse impacts; cease, prevent, and mitigate those impacts; track implementation and results; communicate how impacts are addressed; and provide for or cooperate in remediation. It is a continuous loop, not a one-time checklist — which is why reading supplier documents on arrival, rather than once a year, matters.

How is supply chain due diligence different from ESG due diligence?

Supply chain due diligence is a subset of ESG due diligence focused on suppliers and the value chain. ESG due diligence is the broader discipline — it also covers an investment target or an acquired company, and it is used by investors as well as procurement teams. Supply chain due diligence concentrates on third-party and supplier risk, and it is driven hard by regulation like CSDDD. A company doing both will use the same reading layer for each.

How does supply chain due diligence software help with enterprise compliance tracking?

Enterprise compliance tracking for supply chains means knowing, at any moment, which suppliers are compliant, which are flagged, and where the evidence sits — across thousands of suppliers and several regulations. Software helps when it does more than store status: when it reads every incoming document, updates each supplier’s risk on arrival, and keeps a cited record. The tracking is then a by-product of the reading, not a separate spreadsheet a team maintains by hand.

How do we choose supply chain due diligence software?

Start from where the current process breaks, not from a feature list. Walk one supplier from onboarding through several annual reviews and find the seam where the risk goes unread. If questionnaires are sent at scale but attachments are never opened, the gap is reading. If every supplier is rated differently, the gap is a locked framework. If diligence stops between audits, the gap is continuity. If tier one is visible but tier three is dark, the gap is reach. The diagnosis decides what you need.

Framework, regulation, and product names referenced on this page are the property of their respective organizations. Information is based on publicly available documentation as of May 2026 and may have changed since. To suggest a correction, email unmesh@sopact.com.

See it on your own suppliers

Bring a real supplier batch. See the risk in your own chain.

Bring a real set of supplier material — a batch of questionnaires, codes of conduct, certificates, and audit reports, in whatever languages your suppliers wrote them. We will run it through Sopact and show you the supplier risk read on arrival: the expired certificate, the failed audit clause, the grievance pattern — every flag traceable to the document it came from. A parallel pilot you can run alongside the process you have today.

30 minutes · your real supplier files · no migration commitment