
Defence Multi-Tier Supplier Graph and EDIP Compliance


Category: Modules | Last Updated: Jun 1, 2026

Overview#

A prime contractor knows its direct suppliers, but the components that matter for export control, origin rules, and security clearance often sit three or four tiers down, in firms the prime has never directly contracted with. The Defence Multi-Tier Supplier Graph and EDIP Compliance capability maps that full network for any programme, then proves origin thresholds, certificate currency, and corrective actions against it inside one audited platform.

Defence contractors and national procurement agencies use this capability to build a programme-scoped graph of buyer-to-seller tier relationships, walk it upstream and downstream to any depth, and roll up the EU, NATO, and third-country value share that European Defence Industry Programme eligibility depends on. Quality and security certificates such as AS9100D, NADCAP, AQAP-2110, and ISO/IEC 27001 are tracked through their full lifecycle with automatic expiry warnings, non-conformances drive structured corrective-action workflows, and any deviation from a requirement is captured as a time-limited waiver approved under a strict four-eyes rule. The result replaces disconnected spreadsheets and offline tools with a single source of record classified at EU RESTRICTED.

Key Features#

  • Programme-scoped supplier graph: Every buyer-to-seller relationship is recorded as a directed edge within a single programme, forming a directed acyclic graph that represents the real flow of work from prime down through subcontractors, suppliers, and distributors. Edges carry tier level, relationship type, and value share so the same supplier can sit at different depths on different programmes without ambiguity.

  • Cycle-guarded atomic edge insertion: New edges are written with a database advisory lock paired with a recursive reachability check, so the loop test and the insert run as one serialised transaction per programme. A candidate edge that would close a loop is rejected with no partial state, eliminating the race window that a separate check-then-insert flow would leave open under concurrent writes.

  • Bounded upstream and downstream traversal: Operators walk the graph in either direction from any supplier to discover who feeds a component or who consumes it, with traversal depth capped at 50 levels as a built-in safeguard against runaway recursion. This exposes hidden tier-three and tier-four dependencies that flat supplier lists never reveal.

  • Tier coverage statistics: Per-programme aggregation reports how many edges exist at tier one, tier two, tier three, and deeper, alongside the count of distinct downstream supplier organisations visible in the graph, giving programme managers an at-a-glance measure of how complete their supply-chain mapping is.

  • EDIP origin rollups: For each supplier, programme, and reporting period the platform records the EU, NATO, and third-country value percentages derived from bill-of-materials origin breakdowns on delivery lots, with the three shares constrained to sum to 100 percent of the lot value so that a rollup that does not reconcile is rejected rather than stored. Programmes carry a configurable origin threshold so eligibility can be evaluated against the rule that applies to that contract.

  • Certificate lifecycle management: Supplier certificates for AS9100D, NADCAP, AQAP-2110, and ISO/IEC 27001 are held with issuer, scope, validity dates, and status, and the platform raises staged expiry warnings at 90 days and 30 days before lapse so renewals are never missed and lapsed approvals cannot quietly remain in force.

  • Corrective-action workflows: Non-conformances are tracked as corrective actions with human-readable references, linked where relevant to the certificate that triggered them, giving auditors a closed-loop record from finding to resolution.

  • Four-eyes waivers and tamper-evident audit: Time-limited waivers against a named requirement move through a hard four-eyes approval in which the approver must differ from the requester, enforced at both the service and database layers. Edge changes, rollups, and approvals emit SHA-256 hash-chain records to the security event pipeline for tamper-evident reconstruction.
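The following is an added example, not the platform's own code, showing how the cycle-guarded insertion and the bounded traversal described in the list above can be built on a relational store. It uses SQLite so that it runs offline: SQLite's BEGIN IMMEDIATE stands in for the per-programme advisory lock (the page does not name the platform's database or lock primitive; PostgreSQL's pg_advisory_xact_lock would be the equivalent there), the recursive CTE is the reachability check, and the schema, the column names and the sample PRG-1 graph are all constructed for the example.

```python
import sqlite3

MAX_DEPTH = 50  # traversal cap quoted on the page; guards against runaway recursion

# Constructed schema for the example; table and column names are assumptions, not the platform's.
SCHEMA = """
CREATE TABLE tier_edge (
    programme_id TEXT    NOT NULL,
    buyer_id     TEXT    NOT NULL,
    seller_id    TEXT    NOT NULL,
    tier         INTEGER NOT NULL CHECK (tier >= 1),
    value_share  REAL    NOT NULL CHECK (value_share BETWEEN 0 AND 100),
    PRIMARY KEY (programme_id, buyer_id, seller_id),
    CHECK (buyer_id <> seller_id)
);
"""


class CycleError(ValueError):
    """Candidate edge would close a loop in the programme graph."""


def open_graph() -> sqlite3.Connection:
    # isolation_level=None is autocommit mode, so the BEGIN/COMMIT below are ours to control.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.executescript(SCHEMA)
    return conn


def reaches(conn, programme, start, target) -> bool:
    """True if `start` reaches `target` along buyer -> seller edges of `programme`.

    UNION (not UNION ALL) turns the CTE into a visited set, so the walk terminates even if
    the table somehow already held a loop; no depth cap is needed for the cycle test.
    """
    row = conn.execute(
        """
        WITH RECURSIVE reach(node) AS (
            SELECT ?
            UNION
            SELECT e.seller_id FROM tier_edge e JOIN reach r ON e.buyer_id = r.node
            WHERE e.programme_id = ?
        )
        SELECT 1 FROM reach WHERE node = ? LIMIT 1
        """,
        (start, programme, target),
    ).fetchone()
    return row is not None


def add_edge(conn, programme, buyer, seller, tier, value_share) -> None:
    """Insert buyer -> seller only if it cannot close a loop; check and insert share one transaction."""
    # BEGIN IMMEDIATE takes the write lock before the check runs, so no concurrent writer can
    # slip the other half of a loop in between the reachability test and the insert.
    conn.execute("BEGIN IMMEDIATE")
    try:
        # buyer -> seller closes a loop iff seller already reaches buyer (this also covers buyer == seller).
        if reaches(conn, programme, seller, buyer):
            raise CycleError(f"{buyer} -> {seller} would close a loop in {programme}")
        conn.execute(
            "INSERT INTO tier_edge VALUES (?, ?, ?, ?, ?)",
            (programme, buyer, seller, tier, value_share),
        )
        conn.execute("COMMIT")
    except BaseException:
        conn.execute("ROLLBACK")  # rejection or any failure leaves no partial state
        raise


def traverse(conn, programme, start, direction="downstream", max_depth=MAX_DEPTH):
    """[(supplier, depth)] reachable from `start`, nearest first, never deeper than max_depth.

    downstream follows buyer -> seller (who `start` hands work to);
    upstream follows seller -> buyer (who consumes `start`'s output).
    """
    from_col, to_col = {
        "downstream": ("buyer_id", "seller_id"),
        "upstream": ("seller_id", "buyer_id"),
    }[direction]  # fixed whitelist: the f-string below never sees caller-controlled text
    rows = conn.execute(
        f"""
        WITH RECURSIVE walk(node, depth) AS (
            SELECT ?, 0
            UNION
            SELECT e.{to_col}, w.depth + 1
            FROM tier_edge e JOIN walk w ON e.{from_col} = w.node
            WHERE e.programme_id = ? AND w.depth < ?
        )
        SELECT node, MIN(depth) FROM walk WHERE depth > 0 GROUP BY node ORDER BY 2, 1
        """,
        (start, programme, max_depth),
    ).fetchall()
    return [(node, depth) for node, depth in rows]


def sample_programme() -> sqlite3.Connection:
    """Constructed sample: a prime, two tier-1 subcontractors sharing a tier-2 forge, one tier-3 mill."""
    conn = open_graph()
    for buyer, seller, tier, share in [
        ("PRIME", "SUB_A", 1, 60.0),
        ("PRIME", "SUB_B", 1, 40.0),
        ("SUB_A", "FORGE_C", 2, 25.0),
        ("SUB_B", "FORGE_C", 2, 10.0),  # same supplier reached on two paths
        ("FORGE_C", "MILL_D", 3, 5.0),
    ]:
        add_edge(conn, "PRG-1", buyer, seller, tier, share)
    return conn


if __name__ == "__main__":
    conn = sample_programme()
    print("downstream of PRIME:", traverse(conn, "PRG-1", "PRIME"))
    print("upstream of MILL_D:", traverse(conn, "PRG-1", "MILL_D", "upstream"))
    try:
        add_edge(conn, "PRG-1", "MILL_D", "PRIME", 4, 1.0)  # would close PRIME -> ... -> MILL_D -> PRIME
    except CycleError as err:
        print("rejected:", err)
```

Two details carry the security weight. The loop test and the INSERT run after the write lock is taken, so a check-then-insert that only locks for the insert would still race under concurrent writers, which is the window the page says the atomic design closes. The cycle test uses UNION with no depth cap so that it terminates on any graph, while the 50-level cap applies only to the operator-facing traversal; a caller who lowers max_depth must remember the result is a prefix of the subgraph, not the whole of it.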

Use Cases#

Prime contractors and integrators#

Map the complete multi-tier network behind a major platform programme, trace a critical component back to its original manufacturer, and confirm that every firm in the chain holds current AS9100D or NADCAP approval before a delivery milestone. When an origin shortfall appears, raise a documented waiver and route it for independent sign-off rather than carrying the risk informally.

National procurement agencies#

Evaluate bids and ongoing contracts against European Defence Industry Programme origin and eligibility rules by reading the EU, NATO, and third-country value share for each supplier and programme directly from the platform, with a configurable threshold per programme and a full audit trail behind every figure.
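An added example, not the platform's rollup code, of the value-share computation and the reconciliation constraint behind the figures described above. The membership tables, the EU-before-NATO precedence, the sample delivery lot and the illustrative 35 percent third-country limit in SAMPLE_RULE are all constructed for the example; the page does not state which figure any given contract applies, only that the threshold is a per-programme parameter.

```python
from collections import Counter
from decimal import Decimal, ROUND_DOWN

BUCKETS = ("EU", "NATO", "THIRD")

# Constructed membership tables: a handful of ISO 3166 codes, not a complete list.
# Precedence is an assumption: EU member -> EU; non-EU NATO member -> NATO; anything else -> THIRD.
EU_MEMBERS = {"DE", "FR", "IT", "SE", "PL"}
NATO_NON_EU = {"US", "GB", "NO", "TR", "CA"}

# Constructed delivery lot: one bill-of-materials line per part, values in a single currency.
SAMPLE_LOT = [
    {"part": "airframe-frame", "origin": "DE", "value": "500.00"},
    {"part": "hydraulic-pump", "origin": "FR", "value": "250.00"},
    {"part": "avionics-module", "origin": "US", "value": "150.00"},
    {"part": "rare-earth-magnet", "origin": "CN", "value": "100.00"},
]
# Illustrative per-programme rule; the figure is not taken from the page or the regulation.
SAMPLE_RULE = {"bucket": "THIRD", "max_pct": "35"}


def bucket(country: str) -> str:
    if country in EU_MEMBERS:
        return "EU"
    if country in NATO_NON_EU:
        return "NATO"
    return "THIRD"


def rollup(bom_lines) -> dict:
    """Value-weighted origin shares in percent, to 0.01, reconciled so the three sum to exactly 100.00.

    Truncating each share independently can leave 99.99; largest-remainder rounding hands the
    missing hundredths to the shares that lost the most, so the stored triple always satisfies
    eu + nato + third = 100 and a reconciliation constraint on the row cannot fail.
    """
    totals = Counter()
    for line in bom_lines:
        totals[bucket(line["origin"])] += Decimal(line["value"])
    total = sum(totals.values(), Decimal(0))
    if total <= 0:
        raise ValueError("delivery lot has no value to apportion")
    raw = {b: Decimal(totals[b]) * 100 / total for b in BUCKETS}
    shares = {b: raw[b].quantize(Decimal("0.01"), rounding=ROUND_DOWN) for b in BUCKETS}
    short = Decimal("100.00") - sum(shares.values(), Decimal(0))
    for b in sorted(BUCKETS, key=lambda b: raw[b] - shares[b], reverse=True):  # biggest remainder first
        if short <= 0:
            break
        shares[b] += Decimal("0.01")
        short -= Decimal("0.01")
    return shares


def meets_threshold(shares, rule) -> bool:
    """Evaluate a programme rule of the form {"bucket": ..., "max_pct": ...} or {"bucket": ..., "min_pct": ...}."""
    value = shares[rule["bucket"]]
    if "max_pct" in rule:
        return value <= Decimal(rule["max_pct"])
    return value >= Decimal(rule["min_pct"])


if __name__ == "__main__":
    shares = rollup(SAMPLE_LOT)
    print(shares, "eligible:", meets_threshold(shares, SAMPLE_RULE))
    thirds = [{"part": p, "origin": o, "value": "1"} for p, o in (("a", "DE"), ("b", "US"), ("c", "CN"))]
    print(rollup(thirds))  # 33.34 / 33.33 / 33.33 rather than three 33.33s summing to 99.99
```

Decimal rather than float is deliberate: origin shares are compared against a contractual threshold, and a float rollup that lands on 34.999999 or 35.000001 turns an eligibility decision into a rounding accident. The equal-thirds lot shows the reconciliation step doing real work, and which bucket receives the extra hundredth is a policy choice that should be documented for auditors.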

Quality and supplier-assurance teams#

Run certificate-expiry reviews from a single dashboard, open corrective actions against findings, and follow each one to closure. Staged 90-day and 30-day warnings turn certificate renewal from a manual diary task into a managed pipeline.

Compliance and security officers#

Demonstrate tenant-isolated, EU RESTRICTED handling of sensitive supplier data, show that no waiver was self-approved, and reconstruct the exact sequence of graph and rollup changes from the hash-chained event record during an external audit.

Integration#

The capability is exposed through the platform's GraphQL and REST surfaces, so a customer's existing procurement, ERP, or quality systems can read the supplier network, post new tier edges, retrieve origin rollups, and manage certificates and waivers programmatically. All access is protected by OAuth2 and JWT-based authentication, and every write is attributed to an authenticated actor.

Supplier records normalise external identifiers such as CAGE codes, DUNS numbers, and NATO supplier codes, which lets customers reconcile their internal supplier master against authoritative registries and against partner systems without bespoke mapping for each connector. Bill-of-materials origin data flows in on delivery lots and is rolled up into the EU, NATO, and third-country shares that downstream reporting consumes.

Outbound, hash-chained audit records are emitted to a standard security event pipeline for retention and tamper-evident reconstruction, and webhooks can notify external workflow tools when a certificate nears expiry or a waiver awaits approval. The benefit to a customer is that the supplier graph becomes a shared, machine-readable backbone that existing tools plug into, rather than another silo to keep in step by hand.

Open Standards#

  • CAGE Code (NATO and US DoD supplier identification, MIL-HDBK-67): Each defence supplier carries its Commercial and Government Entity code, the standard identifier used across NATO and allied defence procurement.
  • DUNS Number (ISO 6523 D-U-N-S identifier): Suppliers are keyed to their Data Universal Numbering System identifier, allowing reconciliation against the globally recognised business-entity registry.
  • AQAP-2110 (NATO Allied Quality Assurance Publication): Supplier certificates can record AQAP-2110 approval covering quality assurance requirements for design, development, and production, the NATO baseline for defence contracts.
  • AS9100D (SAE and IAQG Aerospace Quality Management Systems): The platform tracks AS9100D certification, the aerospace-sector quality management standard built on ISO 9001 and maintained by the International Aerospace Quality Group.
  • NADCAP (National Aerospace and Defence Contractors Accreditation Programme, PRI): Special-process accreditation under NADCAP, administered by the Performance Review Institute, is held as a recognised certificate type with full lifecycle tracking.
  • ISO/IEC 27001 (Information Security Management Systems): Information-security certification to ISO/IEC 27001 is tracked alongside the quality standards, evidencing a supplier's information-security posture.
  • EDIP (European Defence Industry Programme, established by EU regulation): Origin rollups and configurable per-programme thresholds implement the EU, NATO, and third-country value-share logic that the programme's origin and eligibility rules require.
  • EU RESTRICTED (EU security classification under Council Decision 2013/488/EU, the equivalent of NATO RESTRICTED): Defence supplier data defaults to the EU RESTRICTED classification level, and access is gated against the caller's clearance accordingly.

Security & Compliance#

Defence supplier data is classified at EU RESTRICTED by default, and every read or write checks that the calling user holds equivalent or higher clearance before any row is touched. All tables in the capability carry database row-level security policies that enforce tenant isolation, so one organisation can never see or modify another's supplier graph, certificates, rollups, or waivers.

Integrity controls run end to end. Tier-edge insertion is serialised and cycle-guarded so the graph can never be corrupted into an impossible loop, certificate expiry is enforced through staged warnings and status transitions, and waivers cannot be self-approved because the approver is required to differ from the requester at both the service and database layers. Every material change emits a SHA-256 hash-chain record to the security event pipeline, giving auditors a tamper-evident, reconstructable history of who changed what and when.
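As an added example, not the platform's code, the four-eyes rule and the hash chain from the paragraph above, again on SQLite so it runs offline. The service-layer check refuses a self-approval and audits the attempt; a CHECK constraint refuses the same write even when the service is bypassed with direct SQL; and every audit record hashes the previous record's hash together with a canonical JSON payload, so editing any earlier record breaks the chain from that point on. Table names, event names and the principals alice, bob and mallory are assumptions made for the example.

```python
import hashlib
import json
import sqlite3

# Constructed schema for the example; table and column names are assumptions, not the platform's.
SCHEMA = """
CREATE TABLE waiver (
    waiver_id    TEXT PRIMARY KEY,
    tenant_id    TEXT NOT NULL,
    requirement  TEXT NOT NULL,
    requested_by TEXT NOT NULL,
    approved_by  TEXT,
    valid_until  TEXT NOT NULL,             -- ISO date: waivers are time-limited
    status       TEXT NOT NULL DEFAULT 'pending' CHECK (status IN ('pending', 'approved', 'rejected')),
    -- DB-layer four-eyes rule: holds even if a bug or a direct SQL session bypasses the service
    CHECK (approved_by IS NULL OR approved_by <> requested_by),
    CHECK (status <> 'approved' OR approved_by IS NOT NULL)
);
CREATE TABLE audit_event (
    seq       INTEGER PRIMARY KEY,          -- append-only chain position
    payload   TEXT NOT NULL,                -- canonical JSON: tenant, actor, action, details
    prev_hash TEXT NOT NULL,
    hash      TEXT NOT NULL                 -- SHA-256(prev_hash || payload)
);
"""
GENESIS = "0" * 64


class FourEyesViolation(PermissionError):
    """Approver and requester are the same principal."""


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def emit(conn, tenant, actor, action, details) -> str:
    """Append one hash-chained audit record and return its hash."""
    row = conn.execute("SELECT hash FROM audit_event ORDER BY seq DESC LIMIT 1").fetchone()
    prev = row[0] if row else GENESIS
    payload = json.dumps(
        {"tenant": tenant, "actor": actor, "action": action, "details": details},
        sort_keys=True, separators=(",", ":"),  # canonical form: same input gives the same bytes and hash
    )
    digest = hashlib.sha256((prev + payload).encode("utf-8")).hexdigest()
    conn.execute("INSERT INTO audit_event (payload, prev_hash, hash) VALUES (?, ?, ?)", (payload, prev, digest))
    return digest


def request_waiver(conn, tenant, waiver_id, requirement, requester, valid_until) -> None:
    with conn:  # commit on success, roll back the row and the audit record together on failure
        conn.execute(
            "INSERT INTO waiver (waiver_id, tenant_id, requirement, requested_by, valid_until) VALUES (?, ?, ?, ?, ?)",
            (waiver_id, tenant, requirement, requester, valid_until),
        )
        emit(conn, tenant, requester, "waiver.requested",
             {"waiver_id": waiver_id, "requirement": requirement, "valid_until": valid_until})


def approve_waiver(conn, tenant, waiver_id, approver) -> str:
    """Service-layer four-eyes check first; a denied attempt is itself audited."""
    row = conn.execute(
        "SELECT requested_by, status FROM waiver WHERE waiver_id = ? AND tenant_id = ?", (waiver_id, tenant)
    ).fetchone()
    if row is None:
        raise LookupError(waiver_id)
    requested_by, status = row
    if status != "pending":
        raise ValueError(f"{waiver_id} is already {status}")
    if approver == requested_by:
        with conn:
            emit(conn, tenant, approver, "waiver.self_approval_denied", {"waiver_id": waiver_id})
        raise FourEyesViolation(f"{approver} cannot approve their own waiver {waiver_id}")
    with conn:
        conn.execute("UPDATE waiver SET approved_by = ?, status = 'approved' WHERE waiver_id = ?", (approver, waiver_id))
        emit(conn, tenant, approver, "waiver.approved", {"waiver_id": waiver_id, "requested_by": requested_by})
    return "approved"


def db_layer_blocks_self_approval(conn, waiver_id) -> bool:
    """Bypass the service and write approved_by = requested_by directly; the CHECK must refuse it."""
    try:
        with conn:
            conn.execute("UPDATE waiver SET approved_by = requested_by, status = 'approved' WHERE waiver_id = ?",
                         (waiver_id,))
    except sqlite3.IntegrityError:
        return True
    return False


def verify_chain(conn) -> tuple:
    """Recompute every link from GENESIS; return (ok, seq of the first bad record or -1)."""
    prev = GENESIS
    for seq, payload, prev_hash, digest in conn.execute("SELECT seq, payload, prev_hash, hash FROM audit_event ORDER BY seq"):
        expected = hashlib.sha256((prev + payload).encode("utf-8")).hexdigest()
        if prev_hash != prev or digest != expected:
            return False, seq
        prev = digest
    return True, -1


if __name__ == "__main__":
    conn = open_store()
    request_waiver(conn, "tenant-a", "WV-0001", "programme origin threshold", "alice", "2026-09-30")
    try:
        approve_waiver(conn, "tenant-a", "WV-0001", "alice")
    except FourEyesViolation as err:
        print("service layer:", err)
    print("db layer blocks self-approval:", db_layer_blocks_self_approval(conn, "WV-0001"))
    print(approve_waiver(conn, "tenant-a", "WV-0001", "bob"), verify_chain(conn))
    conn.execute("UPDATE audit_event SET payload = replace(payload, 'bob', 'mallory') WHERE seq = 3")
    print("after tampering with record 3:", verify_chain(conn))
```

Verification walks the chain from the genesis value, so an interior edit is caught at the first record whose stored hash no longer matches. A writer who can rewrite the tail record and recompute its hash is not caught by the table alone; that is why the records go to an external security event pipeline, where the most recent hash held outside the database is the anchor the chain is checked against.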

Last Reviewed: 2026-06-01 Last Updated: 2026-06-02
