Every feature, in detail.

3PMA is a deal-centric workspace that takes a target from first look to full integration. Below, exactly what each capability does, what it produces, and why it matters.

Built-in AI

Your first draft is already written.

AI runs ahead of you. Every output that would otherwise need an analyst's first pass is already drafted by the time you open the deal. You review and approve. The work moves at the speed of decisions, not the speed of typing.

Reads everything
Tagged, summarized, and surfaced in a unified Documents view on upload. SOC 2, ISO, policies, contracts, SBOMs.
Pre-fills assessments
Drop a SOC 2 or ISO report and AI walks every control with proposed evidence and ratings. Review, don't transcribe.
Drafts every output
Gap descriptions, control narratives, exec summaries. Every claim cites its source; flags fire when source docs change.
Live deal score
A composite that recomputes as findings, vendor dispositions, and policy gaps land. The IC sees what you see.

Technology & Cost

Quantify integration cost before you sign

A complete inventory of the target's stack with overlap detection and a consolidation savings model. The numbers your operating partner needs to defend the IRR.

  • SaaS, on-prem, infrastructure, and developer tooling, categorized across 40+ functions
  • Per-tool: vendor, function, owner, contract end date, annual spend
  • Auto-flagging of duplicates with your existing stack
  • Consolidation savings, integration cost, and Net Year-1 impact, all defensible to the IC
  • Day-1 / Day-30 / Day-90 consolidation roadmap
Methodology
Savings use the target's actual spend, not list prices. Integration cost is calibrated against your past deals (or benchmarks). Every number is auditable to source.
Cost analysis showing tool consolidation savings, remediation cost, and net Year-1 integration impact

Inherited Vendor Risk

The target's vendors become yours at close

A complete map of the third-party relationships you're inheriting, with criticality, spend, and disposition all in one view. No surprises Day 1.

  • Criticality: Critical, High, Medium, Low (production-path through commodity)
  • Disposition: Retain, Consolidate, Review, Exit (drag-and-drop kanban)
  • Spend visibility and contract terms inline on every vendor
  • Decisions feed straight into the Integration Plan with owners and dates
How we use it
The same view runs through Day 1 and beyond. Six months post-close you still know exactly which inherited vendors are open.
Vendor disposition kanban with cards across Retain, Consolidate, Review, and Exit columns
Inherited vendor list with criticality, spend, and contract terms

Assessment

Control-by-control assessment with AI scoring

A structured assessment mapped to the framework that matters. Scales from a 2-day pre-LOI screen to a 3-week confirmatory deep dive on the same platform.

  • AI-drafted gap descriptions and remediation cost per control, which you then edit
  • Bulk AI pre-fill: drop a SOC 2 or ISO report and AI walks every control
  • Shareable fill-in links to target-company respondents
  • Multi-respondent flow with per-respondent status tracking
  • Evidence uploads with PDF and DOCX text extraction
Frameworks
3PMA DD
NIST CSF 2.0
SOC 2 Type II
ISO 27001:2022
NIST 800-53
CIS Controls v8
HIPAA
PCI DSS 4.0
GDPR
Why it scales
The 3PMA DD Assessment is a 60-control framework calibrated for diligence depth and tempo. Pre-LOI screen or full SOC 2 / ISO mapping. Same platform, same artifact.
Due diligence assessment showing control-by-control evaluation with ratings, gaps, and AI scoring
Assessment worksheet detail showing inline AI assist, evidence uploads, and multi-respondent status

Policy Analysis

Side-by-side policy comparison

A 23-policy-area comparison matrix between the target and your firm. Alignment ratings, missing policies flagged, harmonization plan ready to hand to the integration team.

  • 23 policy areas covered: information security, access control, incident response, vendor management, encryption, business continuity, and more
  • Alignment matrix: target vs. acquirer, area by area
  • Major gap flags with severity classification
  • Harmonization plan with priority and effort estimates
  • Day-1 policy actions for the combined entity
Policy comparison matrix showing side-by-side analysis of acquirer and target policies
Per-policy alignment view with gap flags and harmonization plan

Supply Chain

SBOM analysis: see the software risk

Upload an SBOM and get instant CVE analysis, license risk classification, and severity breakdown. The technical risk view that doesn't fit in a data room.

Supported formats

  • CycloneDX (1.4, 1.5, 1.6) in JSON or XML
  • SPDX 2.3 in JSON, YAML, or RDF
  • Direct upload or generation from common build tools

What you get out

  • Component inventory with version and origin
  • CVE enrichment from NVD and OSV, with CVSS severity
  • License classification: permissive, copyleft, restricted, unknown
  • Highest-risk components ranked for remediation
  • AI-generated narrative summary of the supply-chain posture
Why it matters in M&A
License risk in a target's codebase can block downstream commercial use, especially in PE platform-build scenarios. SBOM analysis surfaces those issues before they become an integration blocker or a customer escalation.
SBOM analysis showing CVE breakdown, license risk, and vulnerability severity

Reporting

Investment-committee-ready in one click

A DD Intelligence Report with composite scoring, weighted risk components, executive summary, and full findings detail. The artifact you hand to the IC, the GP, or the board.

  • Composite DD score with letter grade and weighting rationale
  • Executive summary written for the GP, not buried in technical jargon
  • Full findings detail by category with severity and remediation cost
  • Integration cost summary and Day-1 action list
  • PDF export, shareable link, or branded handoff

Findings

Every finding, in one register

A consolidated risk register that pulls findings from every assessment, policy gap, vendor review, and SBOM analysis. The artifact your IC and your integration team both work from.

  • Severity, cost estimate, owner, target date, and status per finding
  • Source citation: which assessment or framework surfaced it
  • Evidence references with stale-evidence flags
  • Risk-acceptance link if formally accepted, with audit trail
Why one register matters
Without consolidation, the integration team rebuilds the picture from PDFs. The Findings register travels from DD straight into Day 1.
Consolidated findings register showing severity, cost, evidence references, and remediation status
Finding detail view with severity, cost, evidence, and risk acceptance

Personnel

Map the team you're inheriting

A roster of the target's tech and security staff with role, tenure, and key-person dependency flags. Spot retention risk before close.

  • Role, function, and reporting structure
  • Tenure and time-in-role indicators
  • Key-person dependency flags for critical knowledge holders
  • Retention-risk scoring with notes for comp, retention packages, or transition concerns
Why it matters
Tech and security teams are built on a small number of people. Lose two in the first 90 days and the integration plan stops working. Personnel surfaces the people the deal actually depends on.
Personnel roster showing roles, tenure, and key-person dependency flags
Personnel detail view with retention risk and key-person flags

Infrastructure & Architecture

Cloud, on-prem, and what it takes to integrate

Cloud composition, on-prem footprint, and architectural complexity. Migration cost and risk surface immediately, before they become an integration surprise.

  • Cloud provider mix (AWS, GCP, Azure, others) with workload split
  • On-prem footprint with location, age, and refresh status
  • Critical dependencies and single points of failure
  • Architectural patterns and their integration implications
  • Network topology, identity providers, and data flow boundaries
Why it matters
Most integration cost surprises live in infrastructure. Hidden on-prem dependencies, mismatched cloud, or homegrown identity stacks can each add millions to the bill. This view forces the conversation early.
Infrastructure and Architecture view showing cloud composition, on-prem footprint, and migration complexity
Infrastructure detail view with dependencies and migration complexity scoring

Integration Plan

Diligence becomes the integration plan

The findings, vendor dispositions, and cost estimates that justified the deal auto-organize into a 4-phase post-close roadmap. Configurable risk tolerance, accepted risks logged with an audit trail, and the same workspace that ran DD now runs Day 1 and beyond.

The four phases

  • Stabilization. Critical Day-1 actions: ownership transfer, access provisioning, identity cutover, must-keep vendors
  • Remediation. Findings the deal turned on, with owners, target dates, and budget
  • Consolidation. Tool migrations, vendor exits, contract terminations, license rationalization
  • Maturity. Bringing the target up to platform standards: policies, programs, certifications

Risk tolerance toggle

  • Conservative. Tighter remediation timelines, fewer accepted risks, higher integration spend
  • Balanced. Default mode, calibrated against typical deal economics
  • Aggressive. Looser timelines for non-critical findings, more accepted risks logged formally
Why this is the killer feature
Most diligence platforms produce a PDF and disappear at close. 3PMA stays. The plan is built from the same data the IC saw, so the integration team works against the same baseline the deal was priced on. Risk acceptance lives in an audit trail that shows up across every source tab, so a single accepted risk is consistent everywhere.
Integration Plan showing 4 post-close phases populated from findings, vendor dispositions, and cost estimates

Documents

Every artifact, in one place

A unified workspace for assessment evidence, phase uploads, and target-submitted documents. AI classifies and summarizes on upload, and a source filter shows you exactly where each artifact lives in the deal.

What the workspace gives you

  • Auto-classification across 8 document types: SOC 2, ISO certifications, policies, contracts, SBOMs, and more
  • AI-generated summary per document, available without opening the file
  • Source filter: assessment evidence, integration phase uploads, or all
  • Stale-evidence flags when documents referenced by findings go out of date
  • PDF and DOCX text extraction for inline search and AI grounding
Why it's worth its own tab
The default state for diligence documents is "buried in someone's email." 3PMA's Documents tab is the opposite: every artifact uploaded anywhere in the platform shows up here, classified and summarized, with a source filter so you always know what came from where.
Unified Documents view with auto-classification, AI summaries, and source filter
