Thoropass Review (2026): ISO 42001, EU AI Act Coverage, and Honest Verdict
Thoropass takes a different commercial model from Vanta and Drata. By delivering certification audits in-house, it removes the auditor-selection step and aligns evidence requirements with platform output.
Company snapshot
| Attribute | Detail |
|---|---|
| Founded | 2019 (originally Laika) |
| Headquarters | New York, New York, US |
| Employees | ~189 (2025) |
| Funding | $95M total raised (Series C in 2022) |
| EU presence | No EU office; in-house audit team is US-based with international delivery via partner network |
- ✓ Audit and platform from one provider
- ✓ Reduces vendor management overhead
- ✓ Predictable annual cost (audit included)
- ✓ Good fit for first-time certification
- ✗ Higher entry price when audit is bundled
- ✗ Less choice over audit partner
- ✗ Smaller integration catalogue
- ✗ Limited fit for organisations with existing audit relationships
ISO 42001 in depth
Launched: 2024 — paired with the bundled audit delivery model that is Thoropass's defining feature.
Scope: ISO/IEC 42001:2023 framework configured so that evidence collected in the platform is pre-aligned with the bundled auditor's expected format. Pre-built templates and AI risk workflow.
What's automated: Evidence collection comparable to Vanta/Drata for SOC 2-style controls. The novelty is that the audit firm (delivered by Thoropass) consumes the evidence directly — there's no second-vendor handoff.
Known gaps:
- Less choice over the audit partner
- Smaller integration catalogue than Vanta
- Limited fit for organisations with existing auditor relationships
EU AI Act in depth
Status: GA · Released: 2025
| Obligation | Coverage |
|---|---|
| Provider obligations (high-risk systems) | ◐ Partial |
| Deployer obligations | ◐ Partial |
| GPAI (Article 51+) | ◐ Partial |
Conformity assessment: Bundled audit option supports formal conformity assessment workflow for high-risk systems — the only vendor in this comparison group that delivers both platform and audit-style assessment in one engagement.
EU AI Act coverage is functional rather than market-leading; the commercial differentiator is the bundled audit, not module depth.
Framework coverage
| Framework | Coverage |
|---|---|
| ISO 42001 | ◐ Partial |
| EU AI Act | ◐ Partial |
| SOC 2 | ✓ Full |
| ISO 27001 | ✓ Full |
| GDPR | ✓ Full |
| HIPAA | ✓ Full |
| PCI DSS | ✓ Full |
Features
Thoropass combines a compliance automation platform with in-house audit delivery. The ISO 42001 framework includes policy templates, control mapping, and evidence collection. The integrated audit model means the platform is configured to the auditor's expected evidence format.
Integrations
Catalogue size: ~100. The catalogue is narrower than those of the SMB-mid-market leaders but covers the essentials.
Pricing
| Plan | Price | Included |
|---|---|---|
| Platform only | ~€8,000/yr | ISO 42001 framework, evidence collection |
| Platform + audit | ~€18,000/yr | Bundled certification audit (Stage 1 and 2) |
| Enterprise | Custom | Multi-framework, dedicated audit team |
Pricing model: Bundled (platform + audit) or platform-only. Not publicly listed.
What it really costs: Vendr lists an average Thoropass contract of $36,990/yr — notably higher than Drata's $23,100 because audit is included. Platform-only tier reported in the €7,500–€10,000/yr range; bundled (platform + Stage 1 & 2 audit) typically €16,000–€22,000/yr depending on framework count.
Implementation and audit partners
When audit is bundled, total time from kickoff to certification typically runs 16 to 22 weeks. The platform configuration phase is shorter because evidence requirements are pre-aligned with the auditor.
Auditor coverage: US, EU (via partners).
Named partners: Thoropass in-house audit team.
Thoropass operates its own audit practice — accredited for SOC 2, ISO 27001, ISO 42001, and others. EU certification work is delivered via partner accreditation bodies.
Support quality
Customer success and audit team available on all tiers. Audit team availability is the primary value driver versus self-service competitors.
What's new in 2024–2026
- Laika rebranded to Thoropass: Repositioning around the bundled audit value proposition.
- ISO 42001 framework + bundled audit: Platform and audit delivered from one contract.
- EU AI Act module: Provider, deployer, and limited GPAI coverage.
Known weaknesses
Themes drawn from G2, Vendr, third-party reviews, and vendor documentation as of May 2026.
- Higher entry price when audit is bundled (the whole point of the product)
- Less choice over audit partner
- Smaller integration library
- Not a fit for organisations with established auditor relationships
Who it is best for
- First-time ISO 42001 certifiers
- Teams that want a single vendor relationship
- Companies without an existing audit partner
Who should look elsewhere
- Organisations with established auditor relationships
- Buyers requiring extensive integration breadth
Alternatives
If Thoropass does not fit your requirements, consider: Secureframe, Vanta, Drata.
Final verdict
Thoropass is a strong fit when an organisation wants a single contract for both the compliance platform and the certification audit. For ISO 42001, where audit experience in the market is still limited, this bundled model removes a significant procurement step.
Sources
Numeric claims in this review (pricing, integration counts, funding, employee numbers, framework launch dates) are drawn from the sources below, last verified May 2026.
