commit d1ca643d94cd9dc491ef516f8e07587a4ac32929
Author: rg4444 <rihards.gailums@gmail.com>
Date:   Sat Mar 21 20:17:36 2026 +0200

    init

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..ab3f14a
--- /dev/null
+++ b/README.md
@@ -0,0 +1,71 @@
+# Vendor Onboarding & Approval — UAPF Level 4 Process Package
+
+> **HeliosGroup** · Procurement Operations · Process-as-Code
+
+## Overview
+
+This repository contains a fully executable, AI-governed **Level-4 UAPF process package** for the end-to-end Vendor Onboarding & Approval workflow at HeliosGroup.
+
+The process covers everything from initial vendor submission through sanctions screening, financial risk scoring, legal review, and IT provisioning — with AI agents orchestrating compliance checks at every gate.
+
+## Process Summary
+
+| Stage | Owner | AI Role |
+|---|---|---|
+| Vendor Submission | Procurement Officer | Form validation & completeness check |
+| Sanctions & Compliance Screening | AI Compliance Agent | Real-time OFAC/EU sanctions lookup |
+| Financial Risk Scoring | Finance & Tax | DMN-driven risk tier assignment |
+| Legal Review | Legal & Contracts | AI-assisted contract clause review |
+| IT Provisioning | IT Systems | Automated account & access setup |
+| Approval & Activation | Procurement Officer | Final sign-off with audit trail |
+
+## Repository Structure
+
+```
+vendor-onboarding-l4/
+├── uapf.yaml                        # UAPF L4 package manifest
+├── enterprise/
+│   └── enterprise.yaml              # Enterprise index reference
+├── bpmn/
+│   └── vendor-onboarding.bpmn.xml  # Main process (5 swim lanes)
+├── dmn/
+│   └── vendor-risk-scoring.dmn.xml # Risk tier decision table
+├── cmmn/
+│   └── sanctions-exception.cmmn.xml # Sanctions escalation case
+├── resources/
+│   └── mappings.yaml               # System & agent bindings
+├── metadata/
+│   ├── lifecycle.yaml
+│   └── ownership.yaml
+├── processgit.mcp.yaml             # MCP server configuration
+└── agent.chat.yaml                 # AI chat assistant configuration
+```
+
+## Key Features
+
+- **AI-first design** — Sanctions screening, risk scoring, and contract review are all AI-executed tasks
+- **Sanctions exception handling** — Dedicated CMMN case manages the full escalation path when a vendor matches a watchlist
+- **DMN risk scoring** — Vendor risk tier is computed from country risk, financial health, and ownership structure
+- **MCP-accessible** — All process data is queryable by AI agents via the built-in MCP server
+- **Full audit trail** — Every decision is version-controlled and replayable
+
+## Quick Start (Chat Assistant)
+
+This repository includes an AI chat assistant. Click the **Chat** icon in the file tree to ask questions like:
+
+- *"What should I do if the onboarding organization is under sanctions?"*
+- *"Describe the full vendor onboarding process"*
+- *"What documents are required for a Tier 1 high-risk vendor?"*
+- *"Who approves vendors from high-risk jurisdictions?"*
+
+## Standards & Compliance
+
+- UAPF v1.0 compliant (Level 4 — executable process)
+- BPMN 2.0 · DMN 1.3 · CMMN 1.1
+- OFAC / EU Consolidated Sanctions List screening
+- GDPR-aware data handling (vendor PII minimized)
+- EU AI Act Art. 9 risk management documentation
+
+---
+
+*Powered by [ProcessGit](https://processgit.org) — Git for Processes*
diff --git a/agent.chat.yaml b/agent.chat.yaml
new file mode 100644
index 0000000..59d1408
--- /dev/null
+++ b/agent.chat.yaml
@@ -0,0 +1,79 @@
+version: "1.0"
+
+ui:
+  name: "Helios Procurement AI"
+  subtitle: "Vendor Onboarding & Compliance Assistant"
+  welcome_message: |
+    Welcome to the **HeliosGroup Vendor Onboarding Assistant**.
+
+    I have full knowledge of our vendor onboarding process, risk scoring rules, sanctions procedures, and compliance requirements.
+
+    Ask me anything — for example:
+    - *"What should I do if the vendor is under sanctions?"*
+    - *"Describe the full vendor onboarding process"*
+    - *"What documents are required for a high-risk vendor?"*
+    - *"Who approves a Tier 1 vendor from a high-risk country?"*
+
+  quick_questions:
+    - "What should I do if the onboarding organization is under sanctions?"
+    - "Describe the full vendor onboarding process step by step"
+    - "What documents are required for vendor onboarding?"
+    - "How is vendor risk tier calculated?"
+    - "Who has authority to approve a high-risk Tier 1 vendor?"
+    - "What is the difference between a direct and indirect sanctions match?"
+
+llm:
+  provider: "anthropic"
+  model: "claude-sonnet-4-5"
+  api_key_ref: "ANTHROPIC_API_KEY"
+  max_tokens: 1500
+  temperature: 0.2
+  system_prompt: |
+    You are the HeliosGroup Procurement AI Assistant — an expert on the company's
+    Vendor Onboarding & Approval process.
+
+    You have access to the complete process documentation through MCP tools, including:
+    - The full BPMN onboarding workflow with 5 swim lanes
+    - DMN risk scoring rules (Tier 1/2/3 classification)
+    - CMMN sanctions exception and escalation case
+    - System and agent resource mappings
+
+    Your role is to help procurement officers, legal staff, and finance teams
+    understand and navigate the vendor onboarding process confidently.
+
+    Communication style:
+    - Be clear, concise, and actionable
+    - Always cite the specific process step or rule when relevant
+    - For sanctions questions, be precise about escalation paths
+    - For risk questions, explain the scoring criteria clearly
+    - Use numbered steps for procedural answers
+
+    When a user asks about sanctions, always:
+    1. Explain what the AI Compliance Agent does first (automatic screening)
+    2. Describe the escalation path to Legal
+    3. Mention the CMMN exception case that is opened
+    4. Clarify that direct matches require CEO/CLO review
+
+    When a user asks about risk tiers:
+    - Tier 1 = Enhanced Due Diligence, CPO + legal approval, 30-day review
+    - Tier 2 = Standard Due Diligence, Director approval, 10-14 days
+    - Tier 3 = Simplified Due Diligence, Officer approval, 5-7 days
+
+mcp:
+  use_repo_mcp: true
+  allowed_tools:
+    - search
+    - get_entity
+    - list_entities
+    - describe_model
+    - generate_document
+
+access:
+  visibility: "public"
+  rate_limits:
+    requests_per_minute: 20
+    requests_per_day: 200
+    max_conversation_turns: 30
+
+history:
+  enabled: false
diff --git a/enterprise.yaml b/enterprise.yaml
new file mode 100644
index 0000000..9d8d805
--- /dev/null
+++ b/enterprise.yaml
@@ -0,0 +1,13 @@
+kind: uapf.enterprise.index
+level: 0
+enterprise:
+  id: heliosgroup
+  name: HeliosGroup
+  description: >
+    HeliosGroup enterprise process catalog — AI-governed operational
+    processes across procurement, finance, legal, and IT domains.
+packages:
+  - ref: ../vendor-onboarding-l4
+    level: 4
+    domain: procurement
+    description: Vendor Onboarding & Approval with AI compliance screening
diff --git a/lifecycle.yaml b/lifecycle.yaml
new file mode 100644
index 0000000..5f299d9
--- /dev/null
+++ b/lifecycle.yaml
@@ -0,0 +1,18 @@
+kind: uapf.metadata.lifecycle
+status: stable
+version: 1.0.0
+effectiveFrom: "2026-01-01"
+effectiveUntil: null
+reviewCycle: annual
+lastReview: "2026-01-15"
+nextReview: "2027-01-15"
+approvals:
+  - approver: Chief Procurement Officer
+    date: "2026-01-15"
+    status: approved
+  - approver: Chief Legal Officer
+    date: "2026-01-15"
+    status: approved
+  - approver: Chief Compliance Officer
+    date: "2026-01-15"
+    status: approved
diff --git a/mappings.yaml b/mappings.yaml
new file mode 100644
index 0000000..d3879e1
--- /dev/null
+++ b/mappings.yaml
@@ -0,0 +1,75 @@
+version: "1.0"
+mappings:
+  - taskId: Task_ValidateSubmission
+    type: human_role
+    resource: procurement-officer
+    role: Procurement Officer
+
+  - taskId: Task_RegisterVendor
+    type: system_api
+    resource: master-data-management
+    endpoint: /api/v1/vendors/register
+
+  - taskId: Task_SanctionsScreening
+    type: ai_agent
+    resource: ai-compliance-agent
+    capabilities:
+      - ofac_screening
+      - eu_sanctions_lookup
+      - un_consolidated_list
+    endpoint: /api/v1/compliance/sanctions-check
+
+  - taskId: Task_OwnershipCheck
+    type: ai_agent
+    resource: ai-compliance-agent
+    capabilities:
+      - ubo_analysis
+      - corporate_structure_mapping
+      - pep_screening
+
+  - taskId: Task_RiskScoring
+    type: decision_engine
+    resource: dmn-engine
+    decisionRef: Decision_VendorRiskTier
+    inputs:
+      - countryCode
+      - creditScore
+      - ownershipStructure
+      - annualContractValue
+      - yearsTrading
+
+  - taskId: Task_LegalReview
+    type: human_role
+    resource: legal-counsel
+    role: Legal & Compliance Officer
+
+  - taskId: Task_ContractDrafting
+    type: human_role
+    resource: legal-counsel
+    role: Contract Specialist
+    ai_assist: true
+    ai_capabilities:
+      - clause_suggestion
+      - risk_clause_detection
+
+  - taskId: Task_CreateVendorProfile
+    type: system_api
+    resource: sap-erp
+    endpoint: /api/v1/vendors/create
+    system: SAP S/4HANA
+
+  - taskId: Task_ProvisionPortalAccess
+    type: system_api
+    resource: vendor-portal
+    endpoint: /api/v1/access/provision
+
+  - taskId: Task_SetupPaymentDetails
+    type: system_api
+    resource: treasury-system
+    endpoint: /api/v1/payment/setup
+
+  - taskId: Task_IntegrateERP
+    type: system_api
+    resource: sap-erp
+    endpoint: /api/v1/vendors/activate
+    system: SAP S/4HANA
diff --git a/ownership.yaml b/ownership.yaml
new file mode 100644
index 0000000..06d1bc0
--- /dev/null
+++ b/ownership.yaml
@@ -0,0 +1,24 @@
+kind: uapf.metadata.ownership
+owner:
+  team: procurement-ops
+  contact: procurement@heliosgroup.com
+  department: Group Procurement Operations
+
+stakeholders:
+  - name: Legal & Compliance
+    role: Process Reviewer
+    contact: legal@heliosgroup.com
+  - name: Finance & Tax
+    role: Risk Scoring Owner
+    contact: finance@heliosgroup.com
+  - name: IT & Systems
+    role: Integration Owner
+    contact: it@heliosgroup.com
+  - name: Group Risk Committee
+    role: Oversight
+    contact: risk@heliosgroup.com
+
+escalation:
+  level_1: procurement@heliosgroup.com
+  level_2: legal@heliosgroup.com
+  level_3: cpo@heliosgroup.com
diff --git a/processgit.mcp.yaml b/processgit.mcp.yaml
new file mode 100644
index 0000000..9b6ab58
--- /dev/null
+++ b/processgit.mcp.yaml
@@ -0,0 +1,54 @@
+version: 1
+
+server:
+  name: "HeliosGroup Vendor Onboarding MCP"
+  description: >
+    MCP server for the HeliosGroup Vendor Onboarding & Approval process package.
+    Provides AI agents with structured access to process definitions, risk scoring
+    rules, sanctions handling procedures, and compliance requirements.
+  instructions: >
+    This server exposes the complete Vendor Onboarding & Approval process at HeliosGroup.
+    Use 'search' to find process steps, compliance rules, or risk criteria by keyword.
+    Use 'get_entity' to retrieve full details of specific tasks, decisions, or cases.
+    Use 'list_entities' to browse by type (task, decision, case, resource).
+    Use 'generate_document' to produce a formatted process summary.
+    Key entities: vendor-onboarding-process (BPMN), vendor-risk-scoring (DMN),
+    sanctions-exception (CMMN), resource-mappings.
+
+sources:
+  - path: "bpmn/vendor-onboarding.bpmn.xml"
+    type: "xml"
+    description: >
+      Main vendor onboarding BPMN process — 5 swim lanes covering Procurement,
+      AI Compliance, Legal, Finance, and IT. Includes sanctions screening path,
+      parallel compliance checks, risk-tiered due diligence, and IT provisioning.
+
+  - path: "dmn/vendor-risk-scoring.dmn.xml"
+    type: "xml"
+    description: >
+      Vendor risk scoring DMN decision tables. Computes risk tier (1/2/3),
+      required due diligence level, approval authority, and review timeline
+      based on country risk, financial health, and ownership structure.
+      Includes country risk classification and FATF/sanctions list checks.
+
+  - path: "cmmn/sanctions-exception.cmmn.xml"
+    type: "xml"
+    description: >
+      Sanctions exception and escalation CMMN case. Activated when AI agent
+      detects a sanctions match. Covers initial assessment, legal investigation,
+      executive escalation (for direct matches or contracts > €500K),
+      and formal resolution with audit trail.
+
+  - path: "resources/mappings.yaml"
+    type: "xml"
+    description: >
+      System and agent resource mappings — shows which AI agents, human roles,
+      and enterprise systems (SAP ERP, vendor portal, treasury) handle each task.
+
+  - path: "uapf.yaml"
+    type: "xml"
+    description: "UAPF package manifest with process metadata, owners, and tags."
+
+  - path: "README.md"
+    type: "xml"
+    description: "Process overview, stage summary table, compliance standards."
diff --git a/sanctions-exception.cmmn.xml b/sanctions-exception.cmmn.xml
new file mode 100644
index 0000000..21e2abd
--- /dev/null
+++ b/sanctions-exception.cmmn.xml
@@ -0,0 +1,145 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<cmmn:definitions xmlns:cmmn="http://www.omg.org/spec/CMMN/20151109/MODEL"
+                  xmlns:cmmndi="http://www.omg.org/spec/CMMN/20151109/CMMNDI"
+                  xmlns:dc="http://www.omg.org/spec/CMMN/20151109/DC"
+                  id="SanctionsExceptionCase"
+                  targetNamespace="https://processgit.org/heliosgroup/sanctions-exception">
+
+  <cmmn:case id="Case_SanctionsException" name="Sanctions Exception &amp; Escalation Case">
+    <cmmn:casePlanModel id="CasePlanModel_1" name="Sanctions Match — Manual Review &amp; Override Process">
+
+      <!-- Stage 1: Initial Assessment -->
+      <cmmn:planItem id="PI_InitialAssessment" definitionRef="Stage_InitialAssessment">
+        <cmmn:entryCriterion id="EC_1" sentryRef="Sentry_CaseOpened"/>
+      </cmmn:planItem>
+
+      <!-- Stage 2: Legal Investigation -->
+      <cmmn:planItem id="PI_LegalInvestigation" definitionRef="Stage_LegalInvestigation">
+        <cmmn:entryCriterion id="EC_2" sentryRef="Sentry_AssessmentComplete"/>
+      </cmmn:planItem>
+
+      <!-- Stage 3: Executive Escalation (conditional) -->
+      <cmmn:planItem id="PI_ExecutiveEscalation" definitionRef="Stage_ExecutiveEscalation">
+        <cmmn:entryCriterion id="EC_3" sentryRef="Sentry_EscalationRequired"/>
+      </cmmn:planItem>
+
+      <!-- Stage 4: Resolution -->
+      <cmmn:planItem id="PI_Resolution" definitionRef="Stage_Resolution">
+        <cmmn:entryCriterion id="EC_4" sentryRef="Sentry_DecisionMade"/>
+      </cmmn:planItem>
+
+      <!-- Milestone: Case Closed -->
+      <cmmn:planItem id="PI_CaseClosed" definitionRef="Milestone_CaseClosed">
+        <cmmn:entryCriterion id="EC_5" sentryRef="Sentry_ResolutionComplete"/>
+      </cmmn:planItem>
+
+      <!-- SENTRIES -->
+      <cmmn:sentry id="Sentry_CaseOpened">
+        <cmmn:planItemOnPart id="POP_1" sourceRef="PI_InitialAssessment">
+          <cmmn:standardEvent>create</cmmn:standardEvent>
+        </cmmn:planItemOnPart>
+      </cmmn:sentry>
+      <cmmn:sentry id="Sentry_AssessmentComplete">
+        <cmmn:planItemOnPart id="POP_2" sourceRef="PI_InitialAssessment">
+          <cmmn:standardEvent>complete</cmmn:standardEvent>
+        </cmmn:planItemOnPart>
+      </cmmn:sentry>
+      <cmmn:sentry id="Sentry_EscalationRequired">
+        <cmmn:ifPart id="IP_1">
+          <cmmn:condition id="Cond_1"><cmmn:body>sanctionsMatchType == "DIRECT" || contractValue &gt; 500000</cmmn:body></cmmn:condition>
+        </cmmn:ifPart>
+      </cmmn:sentry>
+      <cmmn:sentry id="Sentry_DecisionMade">
+        <cmmn:planItemOnPart id="POP_3" sourceRef="PI_LegalInvestigation">
+          <cmmn:standardEvent>complete</cmmn:standardEvent>
+        </cmmn:planItemOnPart>
+      </cmmn:sentry>
+      <cmmn:sentry id="Sentry_ResolutionComplete">
+        <cmmn:planItemOnPart id="POP_4" sourceRef="PI_Resolution">
+          <cmmn:standardEvent>complete</cmmn:standardEvent>
+        </cmmn:planItemOnPart>
+      </cmmn:sentry>
+
+      <!-- STAGE DEFINITIONS -->
+
+      <!-- Stage 1: Initial Assessment -->
+      <cmmn:stage id="Stage_InitialAssessment" name="Initial Sanctions Assessment">
+        <cmmn:planItem id="PI_ReviewAlert" definitionRef="Task_ReviewSanctionsAlert"/>
+        <cmmn:planItem id="PI_ClassifyMatch" definitionRef="Task_ClassifyMatchType">
+          <cmmn:entryCriterion id="EC_S1_1" sentryRef="Sentry_S1_AlertReviewed"/>
+        </cmmn:planItem>
+        <cmmn:planItem id="PI_CheckFalsePositive" definitionRef="Task_CheckFalsePositive">
+          <cmmn:entryCriterion id="EC_S1_2" sentryRef="Sentry_S1_Classified"/>
+        </cmmn:planItem>
+        <cmmn:sentry id="Sentry_S1_AlertReviewed">
+          <cmmn:planItemOnPart id="POP_S1_1" sourceRef="PI_ReviewAlert">
+            <cmmn:standardEvent>complete</cmmn:standardEvent>
+          </cmmn:planItemOnPart>
+        </cmmn:sentry>
+        <cmmn:sentry id="Sentry_S1_Classified">
+          <cmmn:planItemOnPart id="POP_S1_2" sourceRef="PI_ClassifyMatch">
+            <cmmn:standardEvent>complete</cmmn:standardEvent>
+          </cmmn:planItemOnPart>
+        </cmmn:sentry>
+        <cmmn:humanTask id="Task_ReviewSanctionsAlert" name="Review Sanctions Alert Details"/>
+        <cmmn:humanTask id="Task_ClassifyMatchType" name="Classify: Direct / Indirect / False Positive"/>
+        <cmmn:humanTask id="Task_CheckFalsePositive" name="Verify False Positive against Source Lists"/>
+      </cmmn:stage>
+
+      <!-- Stage 2: Legal Investigation -->
+      <cmmn:stage id="Stage_LegalInvestigation" name="Legal Investigation">
+        <cmmn:planItem id="PI_RequestLegalOpinion" definitionRef="Task_RequestLegalOpinion"/>
+        <cmmn:planItem id="PI_ReviewUBO" definitionRef="Task_ReviewUBOStructure">
+          <cmmn:itemControl id="IC_UBO"><cmmn:manualActivationRule/></cmmn:itemControl>
+        </cmmn:planItem>
+        <cmmn:planItem id="PI_ContactAuthorities" definitionRef="Task_ContactRegulatoryAuthorities">
+          <cmmn:itemControl id="IC_Auth"><cmmn:manualActivationRule/></cmmn:itemControl>
+        </cmmn:planItem>
+        <cmmn:planItem id="PI_DocumentFindings" definitionRef="Task_DocumentLegalFindings"/>
+        <cmmn:humanTask id="Task_RequestLegalOpinion" name="Request Legal Opinion from Counsel"/>
+        <cmmn:humanTask id="Task_ReviewUBOStructure" name="Review Ultimate Beneficial Ownership Structure"/>
+        <cmmn:humanTask id="Task_ContactRegulatoryAuthorities" name="Contact Regulatory Authorities (if required)"/>
+        <cmmn:humanTask id="Task_DocumentLegalFindings" name="Document Legal Findings &amp; Recommendation"/>
+      </cmmn:stage>
+
+      <!-- Stage 3: Executive Escalation -->
+      <cmmn:stage id="Stage_ExecutiveEscalation" name="Executive Escalation">
+        <cmmn:planItem id="PI_PrepareExecBrief" definitionRef="Task_PrepareExecutiveBriefing"/>
+        <cmmn:planItem id="PI_ExecReview" definitionRef="Task_ExecutiveReview"/>
+        <cmmn:planItem id="PI_BoardNotification" definitionRef="Task_BoardNotification">
+          <cmmn:itemControl id="IC_Board"><cmmn:manualActivationRule/></cmmn:itemControl>
+        </cmmn:planItem>
+        <cmmn:humanTask id="Task_PrepareExecutiveBriefing" name="Prepare Executive Briefing Document"/>
+        <cmmn:humanTask id="Task_ExecutiveReview" name="CEO / CLO Decision Review"/>
+        <cmmn:humanTask id="Task_BoardNotification" name="Notify Board Audit &amp; Risk Committee"/>
+      </cmmn:stage>
+
+      <!-- Stage 4: Resolution -->
+      <cmmn:stage id="Stage_Resolution" name="Case Resolution">
+        <cmmn:planItem id="PI_RecordDecision" definitionRef="Task_RecordFinalDecision"/>
+        <cmmn:planItem id="PI_UpdateWatchlist" definitionRef="Task_UpdateInternalWatchlist"/>
+        <cmmn:planItem id="PI_NotifyProcurement" definitionRef="Task_NotifyProcurement"/>
+        <cmmn:humanTask id="Task_RecordFinalDecision" name="Record Final Decision in Audit Trail"/>
+        <cmmn:serviceTask id="Task_UpdateInternalWatchlist" name="Update Internal Vendor Watchlist"/>
+        <cmmn:humanTask id="Task_NotifyProcurement" name="Notify Procurement of Outcome"/>
+      </cmmn:stage>
+
+      <cmmn:milestone id="Milestone_CaseClosed" name="Sanctions Case Closed"/>
+
+    </cmmn:casePlanModel>
+  </cmmn:case>
+
+  <cmmndi:CMMNDI>
+    <cmmndi:CMMNDiagram id="CMMNDiagram_1">
+      <cmmndi:CMMNShape id="CS_CasePlan" cmmnElementRef="CasePlanModel_1"><dc:Bounds x="50" y="50" width="1100" height="600"/></cmmndi:CMMNShape>
+      <cmmndi:CMMNShape id="CS_S1" cmmnElementRef="PI_InitialAssessment"><dc:Bounds x="100" y="100" width="220" height="180"/></cmmndi:CMMNShape>
+      <cmmndi:CMMNShape id="CS_S2" cmmnElementRef="PI_LegalInvestigation"><dc:Bounds x="360" y="100" width="220" height="200"/></cmmndi:CMMNShape>
+      <cmmndi:CMMNShape id="CS_S3" cmmnElementRef="PI_ExecutiveEscalation"><dc:Bounds x="620" y="100" width="220" height="180"/></cmmndi:CMMNShape>
+      <cmmndi:CMMNShape id="CS_S4" cmmnElementRef="PI_Resolution"><dc:Bounds x="880" y="100" width="220" height="180"/></cmmndi:CMMNShape>
+      <cmmndi:CMMNShape id="CS_Milestone" cmmnElementRef="PI_CaseClosed"><dc:Bounds x="880" y="450" width="100" height="60"/></cmmndi:CMMNShape>
+      <cmmndi:CMMNShape id="CS_EC2" cmmnElementRef="EC_2"><dc:Bounds x="350" y="175" width="20" height="28"/></cmmndi:CMMNShape>
+      <cmmndi:CMMNShape id="CS_EC3" cmmnElementRef="EC_3"><dc:Bounds x="610" y="175" width="20" height="28"/></cmmndi:CMMNShape>
+      <cmmndi:CMMNShape id="CS_EC4" cmmnElementRef="EC_4"><dc:Bounds x="870" y="175" width="20" height="28"/></cmmndi:CMMNShape>
+    </cmmndi:CMMNDiagram>
+  </cmmndi:CMMNDI>
+</cmmn:definitions>
diff --git a/uapf.yaml b/uapf.yaml
new file mode 100644
index 0000000..44d1ed4
--- /dev/null
+++ b/uapf.yaml
@@ -0,0 +1,35 @@
+kind: uapf.package
+id: uapf.heliosgroup.vendor-onboarding
+name: Vendor Onboarding & Approval
+description: >
+  End-to-end vendor onboarding process with AI-powered sanctions screening,
+  financial risk scoring, legal review, and IT provisioning.
+  Fully executable at Level 4 with MCP-accessible process data.
+level: 4
+version: 1.0.0
+includes: []
+cornerstones:
+  bpmn: true
+  dmn: true
+  cmmn: true
+  resources: true
+paths:
+  bpmn: bpmn
+  dmn: dmn
+  cmmn: cmmn
+  resources: resources
+  metadata: metadata
+owners:
+  - type: team
+    id: procurement-ops
+    contact: procurement@heliosgroup.com
+  - type: team
+    id: legal-compliance
+    contact: legal@heliosgroup.com
+lifecycle: stable
+tags:
+  - procurement
+  - vendor-management
+  - sanctions-screening
+  - ai-governance
+  - eu-ai-act
diff --git a/vendor-onboarding.bpmn.xml b/vendor-onboarding.bpmn.xml
new file mode 100644
index 0000000..7c3b110
--- /dev/null
+++ b/vendor-onboarding.bpmn.xml
@@ -0,0 +1,567 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<bpmn:definitions xmlns:bpmn="http://www.omg.org/spec/BPMN/20100524/MODEL"
+                  xmlns:bpmndi="http://www.omg.org/spec/BPMN/20100524/DI"
+                  xmlns:dc="http://www.omg.org/spec/DD/20100524/DC"
+                  xmlns:di="http://www.omg.org/spec/DD/20100524/DI"
+                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                  id="Definitions_VendorOnboarding"
+                  targetNamespace="https://processgit.org/heliosgroup/vendor-onboarding"
+                  name="Vendor Onboarding &amp; Approval">
+
+  <!-- ═══════════════════════════════════════════════════════
+       MESSAGES
+  ═══════════════════════════════════════════════════════ -->
+  <bpmn:message id="Msg_VendorSubmission" name="VendorSubmissionReceived"/>
+  <bpmn:message id="Msg_SanctionsResult" name="SanctionsScreeningResult"/>
+  <bpmn:message id="Msg_RiskScoreResult" name="RiskScoringComplete"/>
+  <bpmn:message id="Msg_LegalApproval" name="LegalApprovalDecision"/>
+  <bpmn:message id="Msg_ITProvisioned" name="ITProvisioningComplete"/>
+  <bpmn:message id="Msg_VendorNotification" name="VendorNotification"/>
+
+  <!-- ═══════════════════════════════════════════════════════
+       COLLABORATION
+  ═══════════════════════════════════════════════════════ -->
+  <bpmn:collaboration id="Collab_VendorOnboarding">
+    <bpmn:participant id="Pool_Helios" name="HeliosGroup — Vendor Onboarding &amp; Approval" processRef="Process_VendorOnboarding"/>
+    <bpmn:participant id="Pool_Vendor" name="Vendor / Supplier"/>
+    <bpmn:messageFlow id="MF_1" sourceRef="Pool_Vendor" targetRef="Start_VendorRequest"/>
+    <bpmn:messageFlow id="MF_2" sourceRef="Task_NotifyVendorApproved" targetRef="Pool_Vendor"/>
+    <bpmn:messageFlow id="MF_3" sourceRef="Task_NotifyVendorRejected" targetRef="Pool_Vendor"/>
+  </bpmn:collaboration>
+
+  <!-- ═══════════════════════════════════════════════════════
+       MAIN PROCESS
+  ═══════════════════════════════════════════════════════ -->
+  <bpmn:process id="Process_VendorOnboarding" name="Vendor Onboarding &amp; Approval" isExecutable="true">
+
+    <!-- ─── LANE DEFINITIONS ─── -->
+    <bpmn:laneSet id="LaneSet_1">
+      <bpmn:lane id="Lane_Procurement" name="Procurement Officer">
+        <bpmn:flowNodeRef>Start_VendorRequest</bpmn:flowNodeRef>
+        <bpmn:flowNodeRef>Task_ValidateSubmission</bpmn:flowNodeRef>
+        <bpmn:flowNodeRef>GW_SubmissionComplete</bpmn:flowNodeRef>
+        <bpmn:flowNodeRef>Task_RequestMissingDocs</bpmn:flowNodeRef>
+        <bpmn:flowNodeRef>Task_RegisterVendor</bpmn:flowNodeRef>
+        <bpmn:flowNodeRef>GW_ForkCompliance</bpmn:flowNodeRef>
+        <bpmn:flowNodeRef>GW_JoinCompliance</bpmn:flowNodeRef>
+        <bpmn:flowNodeRef>GW_OverallDecision</bpmn:flowNodeRef>
+        <bpmn:flowNodeRef>Task_FinalApproval</bpmn:flowNodeRef>
+        <bpmn:flowNodeRef>Task_NotifyVendorApproved</bpmn:flowNodeRef>
+        <bpmn:flowNodeRef>Task_NotifyVendorRejected</bpmn:flowNodeRef>
+        <bpmn:flowNodeRef>Task_ArchiveRejection</bpmn:flowNodeRef>
+        <bpmn:flowNodeRef>End_Approved</bpmn:flowNodeRef>
+        <bpmn:flowNodeRef>End_Rejected</bpmn:flowNodeRef>
+      </bpmn:lane>
+      <bpmn:lane id="Lane_AI" name="AI Compliance Agent">
+        <bpmn:flowNodeRef>Task_SanctionsScreening</bpmn:flowNodeRef>
+        <bpmn:flowNodeRef>Task_OwnershipCheck</bpmn:flowNodeRef>
+        <bpmn:flowNodeRef>GW_SanctionsHit</bpmn:flowNodeRef>
+        <bpmn:flowNodeRef>Task_AutoReject_Sanctions</bpmn:flowNodeRef>
+        <bpmn:flowNodeRef>Task_GenerateRiskProfile</bpmn:flowNodeRef>
+        <bpmn:flowNodeRef>Evt_SanctionsTimeout</bpmn:flowNodeRef>
+      </bpmn:lane>
+      <bpmn:lane id="Lane_Legal" name="Legal &amp; Contracts">
+        <bpmn:flowNodeRef>Task_LegalReview</bpmn:flowNodeRef>
+        <bpmn:flowNodeRef>Task_ContractDrafting</bpmn:flowNodeRef>
+        <bpmn:flowNodeRef>GW_LegalDecision</bpmn:flowNodeRef>
+        <bpmn:flowNodeRef>Task_SanctionsEscalation</bpmn:flowNodeRef>
+        <bpmn:flowNodeRef>GW_EscalationDecision</bpmn:flowNodeRef>
+      </bpmn:lane>
+      <bpmn:lane id="Lane_Finance" name="Finance &amp; Tax">
+        <bpmn:flowNodeRef>Task_RiskScoring</bpmn:flowNodeRef>
+        <bpmn:flowNodeRef>Task_FinancialDueDiligence</bpmn:flowNodeRef>
+        <bpmn:flowNodeRef>GW_RiskTier</bpmn:flowNodeRef>
+        <bpmn:flowNodeRef>Task_EnhancedDueDiligence</bpmn:flowNodeRef>
+        <bpmn:flowNodeRef>Task_TaxVerification</bpmn:flowNodeRef>
+      </bpmn:lane>
+      <bpmn:lane id="Lane_IT" name="IT &amp; Systems">
+        <bpmn:flowNodeRef>Task_CreateVendorProfile</bpmn:flowNodeRef>
+        <bpmn:flowNodeRef>Task_ProvisionPortalAccess</bpmn:flowNodeRef>
+        <bpmn:flowNodeRef>Task_SetupPaymentDetails</bpmn:flowNodeRef>
+        <bpmn:flowNodeRef>GW_ForkIT</bpmn:flowNodeRef>
+        <bpmn:flowNodeRef>GW_JoinIT</bpmn:flowNodeRef>
+        <bpmn:flowNodeRef>Task_IntegrateERP</bpmn:flowNodeRef>
+      </bpmn:lane>
+    </bpmn:laneSet>
+
+    <!-- ─── START ─── -->
+    <bpmn:startEvent id="Start_VendorRequest" name="Vendor Onboarding&#10;Request Received">
+      <bpmn:outgoing>Flow_1</bpmn:outgoing>
+      <bpmn:messageEventDefinition messageRef="Msg_VendorSubmission"/>
+    </bpmn:startEvent>
+
+    <!-- ─── PROCUREMENT LANE ─── -->
+    <bpmn:userTask id="Task_ValidateSubmission" name="Validate Submission&#10;Completeness">
+      <bpmn:incoming>Flow_1</bpmn:incoming>
+      <bpmn:outgoing>Flow_2</bpmn:outgoing>
+    </bpmn:userTask>
+
+    <bpmn:exclusiveGateway id="GW_SubmissionComplete" name="All Documents&#10;Submitted?">
+      <bpmn:incoming>Flow_2</bpmn:incoming>
+      <bpmn:outgoing>Flow_3_Yes</bpmn:outgoing>
+      <bpmn:outgoing>Flow_3_No</bpmn:outgoing>
+    </bpmn:exclusiveGateway>
+
+    <bpmn:userTask id="Task_RequestMissingDocs" name="Request Missing&#10;Documents">
+      <bpmn:incoming>Flow_3_No</bpmn:incoming>
+      <bpmn:outgoing>Flow_RetryValidation</bpmn:outgoing>
+    </bpmn:userTask>
+
+    <bpmn:serviceTask id="Task_RegisterVendor" name="Register Vendor&#10;in Master Data">
+      <bpmn:incoming>Flow_3_Yes</bpmn:incoming>
+      <bpmn:outgoing>Flow_4</bpmn:outgoing>
+    </bpmn:serviceTask>
+
+    <bpmn:parallelGateway id="GW_ForkCompliance" name="Start Parallel&#10;Compliance Checks">
+      <bpmn:incoming>Flow_4</bpmn:incoming>
+      <bpmn:outgoing>Flow_ToSanctions</bpmn:outgoing>
+      <bpmn:outgoing>Flow_ToRiskScoring</bpmn:outgoing>
+      <bpmn:outgoing>Flow_ToLegal</bpmn:outgoing>
+    </bpmn:parallelGateway>
+
+    <bpmn:parallelGateway id="GW_JoinCompliance" name="All Checks&#10;Complete">
+      <bpmn:incoming>Flow_SanctionsOK</bpmn:incoming>
+      <bpmn:incoming>Flow_RiskComplete</bpmn:incoming>
+      <bpmn:incoming>Flow_LegalComplete</bpmn:incoming>
+      <bpmn:outgoing>Flow_ToDecision</bpmn:outgoing>
+    </bpmn:parallelGateway>
+
+    <bpmn:exclusiveGateway id="GW_OverallDecision" name="Overall&#10;Approval?">
+      <bpmn:incoming>Flow_ToDecision</bpmn:incoming>
+      <bpmn:outgoing>Flow_Approved</bpmn:outgoing>
+      <bpmn:outgoing>Flow_Rejected</bpmn:outgoing>
+    </bpmn:exclusiveGateway>
+
+    <bpmn:userTask id="Task_FinalApproval" name="Final Procurement&#10;Sign-Off">
+      <bpmn:incoming>Flow_Approved</bpmn:incoming>
+      <bpmn:outgoing>Flow_ToIT</bpmn:outgoing>
+    </bpmn:userTask>
+
+    <bpmn:sendTask id="Task_NotifyVendorApproved" name="Notify Vendor:&#10;Approved">
+      <bpmn:incoming>Flow_FromIT</bpmn:incoming>
+      <bpmn:outgoing>Flow_ToEnd_Approved</bpmn:outgoing>
+    </bpmn:sendTask>
+
+    <bpmn:sendTask id="Task_NotifyVendorRejected" name="Notify Vendor:&#10;Rejected">
+      <bpmn:incoming>Flow_Rejected</bpmn:incoming>
+      <bpmn:incoming>Flow_AutoRejected</bpmn:incoming>
+      <bpmn:outgoing>Flow_ToArchive</bpmn:outgoing>
+    </bpmn:sendTask>
+
+    <bpmn:serviceTask id="Task_ArchiveRejection" name="Archive Rejection&#10;with Audit Log">
+      <bpmn:incoming>Flow_ToArchive</bpmn:incoming>
+      <bpmn:outgoing>Flow_ToEnd_Rejected</bpmn:outgoing>
+    </bpmn:serviceTask>
+
+    <bpmn:endEvent id="End_Approved" name="Vendor Approved&#10;&amp; Active">
+      <bpmn:incoming>Flow_ToEnd_Approved</bpmn:incoming>
+    </bpmn:endEvent>
+
+    <bpmn:endEvent id="End_Rejected" name="Vendor Rejected&#10;&amp; Archived">
+      <bpmn:incoming>Flow_ToEnd_Rejected</bpmn:incoming>
+    </bpmn:endEvent>
+
+    <!-- ─── AI COMPLIANCE LANE ─── -->
+    <bpmn:serviceTask id="Task_SanctionsScreening" name="AI: Sanctions &amp;&#10;Watchlist Screening&#10;(OFAC / EU / UN)">
+      <bpmn:incoming>Flow_ToSanctions</bpmn:incoming>
+      <bpmn:outgoing>Flow_CheckSanctionsResult</bpmn:outgoing>
+    </bpmn:serviceTask>
+
+    <bpmn:boundaryEvent id="Evt_SanctionsTimeout" name="48h Timeout" attachedToRef="Task_SanctionsScreening" cancelActivity="true">
+      <bpmn:outgoing>Flow_SanctionsTimedOut</bpmn:outgoing>
+      <bpmn:timerEventDefinition>
+        <bpmn:timeDuration>PT48H</bpmn:timeDuration>
+      </bpmn:timerEventDefinition>
+    </bpmn:boundaryEvent>
+
+    <bpmn:exclusiveGateway id="GW_SanctionsHit" name="Sanctions&#10;Match Found?">
+      <bpmn:incoming>Flow_CheckSanctionsResult</bpmn:incoming>
+      <bpmn:incoming>Flow_SanctionsTimedOut</bpmn:incoming>
+      <bpmn:outgoing>Flow_SanctionsHit_Yes</bpmn:outgoing>
+      <bpmn:outgoing>Flow_SanctionsHit_No</bpmn:outgoing>
+    </bpmn:exclusiveGateway>
+
+    <bpmn:serviceTask id="Task_OwnershipCheck" name="AI: Beneficial&#10;Ownership &amp; UBO&#10;Analysis">
+      <bpmn:incoming>Flow_SanctionsHit_No</bpmn:incoming>
+      <bpmn:outgoing>Flow_SanctionsOK</bpmn:outgoing>
+    </bpmn:serviceTask>
+
+    <bpmn:serviceTask id="Task_AutoReject_Sanctions" name="AI: Auto-Flag&#10;Sanctions Match&#10;→ Escalate">
+      <bpmn:incoming>Flow_SanctionsHit_Yes</bpmn:incoming>
+      <bpmn:outgoing>Flow_ToSanctionsEscalation</bpmn:outgoing>
+    </bpmn:serviceTask>
+
+    <bpmn:serviceTask id="Task_GenerateRiskProfile" name="AI: Generate&#10;Vendor Risk Profile&#10;Report">
+      <bpmn:incoming>Flow_EscalationApproved</bpmn:incoming>
+      <bpmn:outgoing>Flow_SanctionsOK_Escalated</bpmn:outgoing>
+    </bpmn:serviceTask>
+
+    <!-- ─── LEGAL LANE ─── -->
+    <bpmn:userTask id="Task_LegalReview" name="Legal: Review&#10;Vendor Documents&#10;&amp; Certificates">
+      <bpmn:incoming>Flow_ToLegal</bpmn:incoming>
+      <bpmn:outgoing>Flow_LegalReviewDone</bpmn:outgoing>
+    </bpmn:userTask>
+
+    <bpmn:exclusiveGateway id="GW_LegalDecision" name="Legal&#10;Clearance?">
+      <bpmn:incoming>Flow_LegalReviewDone</bpmn:incoming>
+      <bpmn:outgoing>Flow_LegalOK</bpmn:outgoing>
+      <bpmn:outgoing>Flow_LegalFail</bpmn:outgoing>
+    </bpmn:exclusiveGateway>
+
+    <bpmn:userTask id="Task_ContractDrafting" name="Legal: Draft&#10;Vendor Agreement&#10;&amp; NDA">
+      <bpmn:incoming>Flow_LegalOK</bpmn:incoming>
+      <bpmn:outgoing>Flow_LegalComplete</bpmn:outgoing>
+    </bpmn:userTask>
+
+    <bpmn:userTask id="Task_SanctionsEscalation" name="Legal: Sanctions&#10;Escalation Review&#10;(Manual Override?)">
+      <bpmn:incoming>Flow_ToSanctionsEscalation</bpmn:incoming>
+      <bpmn:outgoing>Flow_EscalationDecision</bpmn:outgoing>
+    </bpmn:userTask>
+
+    <bpmn:exclusiveGateway id="GW_EscalationDecision" name="Override&#10;Granted?">
+      <bpmn:incoming>Flow_EscalationDecision</bpmn:incoming>
+      <bpmn:outgoing>Flow_EscalationApproved</bpmn:outgoing>
+      <bpmn:outgoing>Flow_EscalationDenied</bpmn:outgoing>
+    </bpmn:exclusiveGateway>
+
+    <!-- ─── FINANCE LANE ─── -->
+    <bpmn:businessRuleTask id="Task_RiskScoring" name="DMN: Vendor Risk&#10;Tier Calculation&#10;(Country + Financial)">
+      <bpmn:incoming>Flow_ToRiskScoring</bpmn:incoming>
+      <bpmn:outgoing>Flow_RiskTierResult</bpmn:outgoing>
+    </bpmn:businessRuleTask>
+
+    <bpmn:exclusiveGateway id="GW_RiskTier" name="Risk Tier?">
+      <bpmn:incoming>Flow_RiskTierResult</bpmn:incoming>
+      <bpmn:outgoing>Flow_HighRisk</bpmn:outgoing>
+      <bpmn:outgoing>Flow_MediumLowRisk</bpmn:outgoing>
+    </bpmn:exclusiveGateway>
+
+    <bpmn:userTask id="Task_EnhancedDueDiligence" name="Finance: Enhanced&#10;Due Diligence&#10;(Tier 1 Vendors)">
+      <bpmn:incoming>Flow_HighRisk</bpmn:incoming>
+      <bpmn:outgoing>Flow_EDD_Done</bpmn:outgoing>
+    </bpmn:userTask>
+
+    <bpmn:userTask id="Task_FinancialDueDiligence" name="Finance: Standard&#10;Financial Due&#10;Diligence">
+      <bpmn:incoming>Flow_MediumLowRisk</bpmn:incoming>
+      <bpmn:outgoing>Flow_FDD_Done</bpmn:outgoing>
+    </bpmn:userTask>
+
+    <bpmn:serviceTask id="Task_TaxVerification" name="Finance: VAT &amp;&#10;Tax ID Verification&#10;(VIES / local)">
+      <bpmn:incoming>Flow_EDD_Done</bpmn:incoming>
+      <bpmn:incoming>Flow_FDD_Done</bpmn:incoming>
+      <bpmn:outgoing>Flow_RiskComplete</bpmn:outgoing>
+    </bpmn:serviceTask>
+
+    <!-- ─── IT LANE ─── -->
+    <bpmn:parallelGateway id="GW_ForkIT" name="Provision in&#10;Parallel">
+      <bpmn:incoming>Flow_ToIT</bpmn:incoming>
+      <bpmn:outgoing>Flow_IT_Profile</bpmn:outgoing>
+      <bpmn:outgoing>Flow_IT_Portal</bpmn:outgoing>
+      <bpmn:outgoing>Flow_IT_Payment</bpmn:outgoing>
+    </bpmn:parallelGateway>
+
+    <bpmn:serviceTask id="Task_CreateVendorProfile" name="IT: Create Vendor&#10;Profile in ERP">
+      <bpmn:incoming>Flow_IT_Profile</bpmn:incoming>
+      <bpmn:outgoing>Flow_IT_Profile_Done</bpmn:outgoing>
+    </bpmn:serviceTask>
+
+    <bpmn:serviceTask id="Task_ProvisionPortalAccess" name="IT: Provision&#10;Vendor Portal&#10;Access">
+      <bpmn:incoming>Flow_IT_Portal</bpmn:incoming>
+      <bpmn:outgoing>Flow_IT_Portal_Done</bpmn:outgoing>
+    </bpmn:serviceTask>
+
+    <bpmn:serviceTask id="Task_SetupPaymentDetails" name="IT: Setup Payment&#10;Method &amp; Banking&#10;Details">
+      <bpmn:incoming>Flow_IT_Payment</bpmn:incoming>
+      <bpmn:outgoing>Flow_IT_Payment_Done</bpmn:outgoing>
+    </bpmn:serviceTask>
+
+    <bpmn:parallelGateway id="GW_JoinIT" name="IT Setup&#10;Complete">
+      <bpmn:incoming>Flow_IT_Profile_Done</bpmn:incoming>
+      <bpmn:incoming>Flow_IT_Portal_Done</bpmn:incoming>
+      <bpmn:incoming>Flow_IT_Payment_Done</bpmn:incoming>
+      <bpmn:outgoing>Flow_IT_Integrate</bpmn:outgoing>
+    </bpmn:parallelGateway>
+
+    <bpmn:serviceTask id="Task_IntegrateERP" name="IT: Integrate with&#10;SAP / ERP Systems&#10;&amp; Activate Vendor">
+      <bpmn:incoming>Flow_IT_Integrate</bpmn:incoming>
+      <bpmn:outgoing>Flow_FromIT</bpmn:outgoing>
+    </bpmn:serviceTask>
+
+    <!-- ─── SEQUENCE FLOWS ─── -->
+    <bpmn:sequenceFlow id="Flow_1" sourceRef="Start_VendorRequest" targetRef="Task_ValidateSubmission"/>
+    <bpmn:sequenceFlow id="Flow_2" sourceRef="Task_ValidateSubmission" targetRef="GW_SubmissionComplete"/>
+    <bpmn:sequenceFlow id="Flow_3_Yes" name="Yes" sourceRef="GW_SubmissionComplete" targetRef="Task_RegisterVendor"/>
+    <bpmn:sequenceFlow id="Flow_3_No" name="No" sourceRef="GW_SubmissionComplete" targetRef="Task_RequestMissingDocs"/>
+    <bpmn:sequenceFlow id="Flow_RetryValidation" sourceRef="Task_RequestMissingDocs" targetRef="Task_ValidateSubmission"/>
+    <bpmn:sequenceFlow id="Flow_4" sourceRef="Task_RegisterVendor" targetRef="GW_ForkCompliance"/>
+
+    <bpmn:sequenceFlow id="Flow_ToSanctions" sourceRef="GW_ForkCompliance" targetRef="Task_SanctionsScreening"/>
+    <bpmn:sequenceFlow id="Flow_ToRiskScoring" sourceRef="GW_ForkCompliance" targetRef="Task_RiskScoring"/>
+    <bpmn:sequenceFlow id="Flow_ToLegal" sourceRef="GW_ForkCompliance" targetRef="Task_LegalReview"/>
+
+    <bpmn:sequenceFlow id="Flow_CheckSanctionsResult" sourceRef="Task_SanctionsScreening" targetRef="GW_SanctionsHit"/>
+    <bpmn:sequenceFlow id="Flow_SanctionsTimedOut" name="Timeout" sourceRef="Evt_SanctionsTimeout" targetRef="GW_SanctionsHit"/>
+    <bpmn:sequenceFlow id="Flow_SanctionsHit_Yes" name="Match" sourceRef="GW_SanctionsHit" targetRef="Task_AutoReject_Sanctions"/>
+    <bpmn:sequenceFlow id="Flow_SanctionsHit_No" name="Clear" sourceRef="GW_SanctionsHit" targetRef="Task_OwnershipCheck"/>
+    <bpmn:sequenceFlow id="Flow_SanctionsOK" sourceRef="Task_OwnershipCheck" targetRef="GW_JoinCompliance"/>
+    <bpmn:sequenceFlow id="Flow_ToSanctionsEscalation" sourceRef="Task_AutoReject_Sanctions" targetRef="Task_SanctionsEscalation"/>
+    <bpmn:sequenceFlow id="Flow_EscalationDecision" sourceRef="Task_SanctionsEscalation" targetRef="GW_EscalationDecision"/>
+    <bpmn:sequenceFlow id="Flow_EscalationApproved" name="Override Granted" sourceRef="GW_EscalationDecision" targetRef="Task_GenerateRiskProfile"/>
+    <bpmn:sequenceFlow id="Flow_EscalationDenied" name="Denied" sourceRef="GW_EscalationDecision" targetRef="Task_NotifyVendorRejected"/>
+    <bpmn:sequenceFlow id="Flow_SanctionsOK_Escalated" sourceRef="Task_GenerateRiskProfile" targetRef="GW_JoinCompliance"/>
+
+    <bpmn:sequenceFlow id="Flow_RiskTierResult" sourceRef="Task_RiskScoring" targetRef="GW_RiskTier"/>
+    <bpmn:sequenceFlow id="Flow_HighRisk" name="Tier 1 High Risk" sourceRef="GW_RiskTier" targetRef="Task_EnhancedDueDiligence"/>
+    <bpmn:sequenceFlow id="Flow_MediumLowRisk" name="Tier 2/3" sourceRef="GW_RiskTier" targetRef="Task_FinancialDueDiligence"/>
+    <bpmn:sequenceFlow id="Flow_EDD_Done" sourceRef="Task_EnhancedDueDiligence" targetRef="Task_TaxVerification"/>
+    <bpmn:sequenceFlow id="Flow_FDD_Done" sourceRef="Task_FinancialDueDiligence" targetRef="Task_TaxVerification"/>
+    <bpmn:sequenceFlow id="Flow_RiskComplete" sourceRef="Task_TaxVerification" targetRef="GW_JoinCompliance"/>
+
+    <bpmn:sequenceFlow id="Flow_LegalReviewDone" sourceRef="Task_LegalReview" targetRef="GW_LegalDecision"/>
+    <bpmn:sequenceFlow id="Flow_LegalOK" name="Cleared" sourceRef="GW_LegalDecision" targetRef="Task_ContractDrafting"/>
+    <bpmn:sequenceFlow id="Flow_LegalFail" name="Issues Found" sourceRef="GW_LegalDecision" targetRef="Task_NotifyVendorRejected"/>
+    <bpmn:sequenceFlow id="Flow_LegalComplete" sourceRef="Task_ContractDrafting" targetRef="GW_JoinCompliance"/>
+
+    <bpmn:sequenceFlow id="Flow_ToDecision" sourceRef="GW_JoinCompliance" targetRef="GW_OverallDecision"/>
+    <bpmn:sequenceFlow id="Flow_Approved" name="All Clear" sourceRef="GW_OverallDecision" targetRef="Task_FinalApproval"/>
+    <bpmn:sequenceFlow id="Flow_Rejected" name="Rejected" sourceRef="GW_OverallDecision" targetRef="Task_NotifyVendorRejected"/>
+    <bpmn:sequenceFlow id="Flow_AutoRejected" sourceRef="Task_AutoReject_Sanctions" targetRef="Task_NotifyVendorRejected"/>
+
+    <bpmn:sequenceFlow id="Flow_ToIT" sourceRef="Task_FinalApproval" targetRef="GW_ForkIT"/>
+    <bpmn:sequenceFlow id="Flow_IT_Profile" sourceRef="GW_ForkIT" targetRef="Task_CreateVendorProfile"/>
+    <bpmn:sequenceFlow id="Flow_IT_Portal" sourceRef="GW_ForkIT" targetRef="Task_ProvisionPortalAccess"/>
+    <bpmn:sequenceFlow id="Flow_IT_Payment" sourceRef="GW_ForkIT" targetRef="Task_SetupPaymentDetails"/>
+    <bpmn:sequenceFlow id="Flow_IT_Profile_Done" sourceRef="Task_CreateVendorProfile" targetRef="GW_JoinIT"/>
+    <bpmn:sequenceFlow id="Flow_IT_Portal_Done" sourceRef="Task_ProvisionPortalAccess" targetRef="GW_JoinIT"/>
+    <bpmn:sequenceFlow id="Flow_IT_Payment_Done" sourceRef="Task_SetupPaymentDetails" targetRef="GW_JoinIT"/>
+    <bpmn:sequenceFlow id="Flow_IT_Integrate" sourceRef="GW_JoinIT" targetRef="Task_IntegrateERP"/>
+    <bpmn:sequenceFlow id="Flow_FromIT" sourceRef="Task_IntegrateERP" targetRef="Task_NotifyVendorApproved"/>
+
+    <bpmn:sequenceFlow id="Flow_ToEnd_Approved" sourceRef="Task_NotifyVendorApproved" targetRef="End_Approved"/>
+    <bpmn:sequenceFlow id="Flow_ToArchive" sourceRef="Task_NotifyVendorRejected" targetRef="Task_ArchiveRejection"/>
+    <bpmn:sequenceFlow id="Flow_ToEnd_Rejected" sourceRef="Task_ArchiveRejection" targetRef="End_Rejected"/>
+
+  </bpmn:process>
+
+  <!-- ═══════════════════════════════════════════════════════
+       DIAGRAM
+  ═══════════════════════════════════════════════════════ -->
+  <bpmndi:BPMNDiagram id="BPMNDiagram_1">
+    <bpmndi:BPMNPlane id="BPMNPlane_1" bpmnElement="Collab_VendorOnboarding">
+
+      <!-- VENDOR POOL -->
+      <bpmndi:BPMNShape id="Pool_Vendor_di" bpmnElement="Pool_Vendor" isHorizontal="true">
+        <dc:Bounds x="120" y="940" width="1780" height="80"/>
+      </bpmndi:BPMNShape>
+
+      <!-- HELIOS POOL -->
+      <bpmndi:BPMNShape id="Pool_Helios_di" bpmnElement="Pool_Helios" isHorizontal="true">
+        <dc:Bounds x="120" y="60" width="1780" height="860"/>
+      </bpmndi:BPMNShape>
+
+      <!-- LANES -->
+      <bpmndi:BPMNShape id="Lane_Procurement_di" bpmnElement="Lane_Procurement" isHorizontal="true">
+        <dc:Bounds x="150" y="60" width="1750" height="170"/>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Lane_AI_di" bpmnElement="Lane_AI" isHorizontal="true">
+        <dc:Bounds x="150" y="230" width="1750" height="160"/>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Lane_Legal_di" bpmnElement="Lane_Legal" isHorizontal="true">
+        <dc:Bounds x="150" y="390" width="1750" height="160"/>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Lane_Finance_di" bpmnElement="Lane_Finance" isHorizontal="true">
+        <dc:Bounds x="150" y="550" width="1750" height="160"/>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Lane_IT_di" bpmnElement="Lane_IT" isHorizontal="true">
+        <dc:Bounds x="150" y="710" width="1750" height="210"/>
+      </bpmndi:BPMNShape>
+
+      <!-- START EVENT -->
+      <bpmndi:BPMNShape id="Start_VendorRequest_di" bpmnElement="Start_VendorRequest">
+        <dc:Bounds x="212" y="127" width="36" height="36"/>
+        <bpmndi:BPMNLabel><dc:Bounds x="192" y="170" width="77" height="27"/></bpmndi:BPMNLabel>
+      </bpmndi:BPMNShape>
+
+      <!-- PROCUREMENT LANE SHAPES -->
+      <bpmndi:BPMNShape id="Task_ValidateSubmission_di" bpmnElement="Task_ValidateSubmission">
+        <dc:Bounds x="300" y="105" width="120" height="80"/>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="GW_SubmissionComplete_di" bpmnElement="GW_SubmissionComplete" isMarkerVisible="true">
+        <dc:Bounds x="475" y="120" width="50" height="50"/>
+        <bpmndi:BPMNLabel><dc:Bounds x="460" y="96" width="80" height="27"/></bpmndi:BPMNLabel>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Task_RequestMissingDocs_di" bpmnElement="Task_RequestMissingDocs">
+        <dc:Bounds x="455" y="60" width="120" height="60"/>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Task_RegisterVendor_di" bpmnElement="Task_RegisterVendor">
+        <dc:Bounds x="580" y="105" width="120" height="80"/>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="GW_ForkCompliance_di" bpmnElement="GW_ForkCompliance">
+        <dc:Bounds x="755" y="120" width="50" height="50"/>
+        <bpmndi:BPMNLabel><dc:Bounds x="740" y="96" width="80" height="27"/></bpmndi:BPMNLabel>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="GW_JoinCompliance_di" bpmnElement="GW_JoinCompliance">
+        <dc:Bounds x="1155" y="120" width="50" height="50"/>
+        <bpmndi:BPMNLabel><dc:Bounds x="1140" y="96" width="80" height="27"/></bpmndi:BPMNLabel>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="GW_OverallDecision_di" bpmnElement="GW_OverallDecision" isMarkerVisible="true">
+        <dc:Bounds x="1265" y="120" width="50" height="50"/>
+        <bpmndi:BPMNLabel><dc:Bounds x="1253" y="96" width="74" height="27"/></bpmndi:BPMNLabel>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Task_FinalApproval_di" bpmnElement="Task_FinalApproval">
+        <dc:Bounds x="1370" y="105" width="120" height="80"/>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Task_NotifyVendorApproved_di" bpmnElement="Task_NotifyVendorApproved">
+        <dc:Bounds x="1730" y="105" width="100" height="80"/>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Task_NotifyVendorRejected_di" bpmnElement="Task_NotifyVendorRejected">
+        <dc:Bounds x="1370" y="185" width="100" height="60"/>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Task_ArchiveRejection_di" bpmnElement="Task_ArchiveRejection">
+        <dc:Bounds x="1510" y="185" width="100" height="60"/>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="End_Approved_di" bpmnElement="End_Approved">
+        <dc:Bounds x="1862" y="127" width="36" height="36"/>
+        <bpmndi:BPMNLabel><dc:Bounds x="1846" y="170" width="68" height="27"/></bpmndi:BPMNLabel>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="End_Rejected_di" bpmnElement="End_Rejected">
+        <dc:Bounds x="1650" y="200" width="36" height="36"/>
+        <bpmndi:BPMNLabel><dc:Bounds x="1635" y="243" width="66" height="27"/></bpmndi:BPMNLabel>
+      </bpmndi:BPMNShape>
+
+      <!-- AI LANE SHAPES -->
+      <bpmndi:BPMNShape id="Task_SanctionsScreening_di" bpmnElement="Task_SanctionsScreening">
+        <dc:Bounds x="800" y="270" width="130" height="80"/>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Evt_SanctionsTimeout_di" bpmnElement="Evt_SanctionsTimeout">
+        <dc:Bounds x="847" y="332" width="36" height="36"/>
+        <bpmndi:BPMNLabel><dc:Bounds x="840" y="375" width="50" height="14"/></bpmndi:BPMNLabel>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="GW_SanctionsHit_di" bpmnElement="GW_SanctionsHit" isMarkerVisible="true">
+        <dc:Bounds x="985" y="285" width="50" height="50"/>
+        <bpmndi:BPMNLabel><dc:Bounds x="970" y="261" width="80" height="27"/></bpmndi:BPMNLabel>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Task_OwnershipCheck_di" bpmnElement="Task_OwnershipCheck">
+        <dc:Bounds x="1085" y="270" width="120" height="80"/>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Task_AutoReject_Sanctions_di" bpmnElement="Task_AutoReject_Sanctions">
+        <dc:Bounds x="985" y="370" width="120" height="80"/>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Task_GenerateRiskProfile_di" bpmnElement="Task_GenerateRiskProfile">
+        <dc:Bounds x="1085" y="250" width="110" height="70"/>
+      </bpmndi:BPMNShape>
+
+      <!-- LEGAL LANE SHAPES -->
+      <bpmndi:BPMNShape id="Task_LegalReview_di" bpmnElement="Task_LegalReview">
+        <dc:Bounds x="800" y="425" width="120" height="80"/>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="GW_LegalDecision_di" bpmnElement="GW_LegalDecision" isMarkerVisible="true">
+        <dc:Bounds x="975" y="440" width="50" height="50"/>
+        <bpmndi:BPMNLabel><dc:Bounds x="963" y="416" width="74" height="27"/></bpmndi:BPMNLabel>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Task_ContractDrafting_di" bpmnElement="Task_ContractDrafting">
+        <dc:Bounds x="1075" y="425" width="120" height="80"/>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Task_SanctionsEscalation_di" bpmnElement="Task_SanctionsEscalation">
+        <dc:Bounds x="1150" y="425" width="120" height="80"/>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="GW_EscalationDecision_di" bpmnElement="GW_EscalationDecision" isMarkerVisible="true">
+        <dc:Bounds x="1315" y="440" width="50" height="50"/>
+        <bpmndi:BPMNLabel><dc:Bounds x="1302" y="416" width="76" height="27"/></bpmndi:BPMNLabel>
+      </bpmndi:BPMNShape>
+
+      <!-- FINANCE LANE SHAPES -->
+      <bpmndi:BPMNShape id="Task_RiskScoring_di" bpmnElement="Task_RiskScoring">
+        <dc:Bounds x="800" y="590" width="130" height="80"/>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="GW_RiskTier_di" bpmnElement="GW_RiskTier" isMarkerVisible="true">
+        <dc:Bounds x="985" y="605" width="50" height="50"/>
+        <bpmndi:BPMNLabel><dc:Bounds x="988" y="581" width="44" height="27"/></bpmndi:BPMNLabel>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Task_EnhancedDueDiligence_di" bpmnElement="Task_EnhancedDueDiligence">
+        <dc:Bounds x="1075" y="575" width="120" height="80"/>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Task_FinancialDueDiligence_di" bpmnElement="Task_FinancialDueDiligence">
+        <dc:Bounds x="1075" y="660" width="120" height="60"/>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Task_TaxVerification_di" bpmnElement="Task_TaxVerification">
+        <dc:Bounds x="1245" y="590" width="120" height="80"/>
+      </bpmndi:BPMNShape>
+
+      <!-- IT LANE SHAPES -->
+      <bpmndi:BPMNShape id="GW_ForkIT_di" bpmnElement="GW_ForkIT">
+        <dc:Bounds x="1455" y="755" width="50" height="50"/>
+        <bpmndi:BPMNLabel><dc:Bounds x="1440" y="731" width="80" height="27"/></bpmndi:BPMNLabel>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Task_CreateVendorProfile_di" bpmnElement="Task_CreateVendorProfile">
+        <dc:Bounds x="1555" y="720" width="120" height="80"/>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Task_ProvisionPortalAccess_di" bpmnElement="Task_ProvisionPortalAccess">
+        <dc:Bounds x="1555" y="815" width="120" height="70"/>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Task_SetupPaymentDetails_di" bpmnElement="Task_SetupPaymentDetails">
+        <dc:Bounds x="1555" y="890" width="120" height="70"/>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="GW_JoinIT_di" bpmnElement="GW_JoinIT">
+        <dc:Bounds x="1720" y="755" width="50" height="50"/>
+        <bpmndi:BPMNLabel><dc:Bounds x="1705" y="731" width="80" height="27"/></bpmndi:BPMNLabel>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Task_IntegrateERP_di" bpmnElement="Task_IntegrateERP">
+        <dc:Bounds x="1820" y="740" width="110" height="80"/>
+      </bpmndi:BPMNShape>
+
+      <!-- SEQUENCE FLOW EDGES -->
+      <bpmndi:BPMNEdge id="Flow_1_di" bpmnElement="Flow_1"><di:waypoint x="248" y="145"/><di:waypoint x="300" y="145"/></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_2_di" bpmnElement="Flow_2"><di:waypoint x="420" y="145"/><di:waypoint x="475" y="145"/></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_3_Yes_di" bpmnElement="Flow_3_Yes"><di:waypoint x="525" y="145"/><di:waypoint x="580" y="145"/><bpmndi:BPMNLabel><dc:Bounds x="543" y="127" width="18" height="14"/></bpmndi:BPMNLabel></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_3_No_di" bpmnElement="Flow_3_No"><di:waypoint x="500" y="120"/><di:waypoint x="500" y="90"/><di:waypoint x="455" y="90"/><bpmndi:BPMNLabel><dc:Bounds x="504" y="100" width="15" height="14"/></bpmndi:BPMNLabel></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_RetryValidation_di" bpmnElement="Flow_RetryValidation"><di:waypoint x="455" y="90"/><di:waypoint x="360" y="90"/><di:waypoint x="360" y="105"/></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_4_di" bpmnElement="Flow_4"><di:waypoint x="700" y="145"/><di:waypoint x="755" y="145"/></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_ToSanctions_di" bpmnElement="Flow_ToSanctions"><di:waypoint x="780" y="170"/><di:waypoint x="780" y="310"/><di:waypoint x="800" y="310"/></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_ToRiskScoring_di" bpmnElement="Flow_ToRiskScoring"><di:waypoint x="780" y="170"/><di:waypoint x="780" y="630"/><di:waypoint x="800" y="630"/></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_ToLegal_di" bpmnElement="Flow_ToLegal"><di:waypoint x="780" y="170"/><di:waypoint x="780" y="465"/><di:waypoint x="800" y="465"/></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_CheckSanctionsResult_di" bpmnElement="Flow_CheckSanctionsResult"><di:waypoint x="930" y="310"/><di:waypoint x="985" y="310"/></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_SanctionsTimedOut_di" bpmnElement="Flow_SanctionsTimedOut"><di:waypoint x="865" y="368"/><di:waypoint x="865" y="395"/><di:waypoint x="1010" y="395"/><di:waypoint x="1010" y="335"/></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_SanctionsHit_No_di" bpmnElement="Flow_SanctionsHit_No"><di:waypoint x="1035" y="310"/><di:waypoint x="1085" y="310"/><bpmndi:BPMNLabel><dc:Bounds x="1043" y="292" width="30" height="14"/></bpmndi:BPMNLabel></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_SanctionsHit_Yes_di" bpmnElement="Flow_SanctionsHit_Yes"><di:waypoint x="1010" y="335"/><di:waypoint x="1010" y="370"/><bpmndi:BPMNLabel><dc:Bounds x="1015" y="348" width="34" height="14"/></bpmndi:BPMNLabel></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_SanctionsOK_di" bpmnElement="Flow_SanctionsOK"><di:waypoint x="1205" y="310"/><di:waypoint x="1180" y="310"/><di:waypoint x="1180" y="145"/><di:waypoint x="1155" y="145"/></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_ToSanctionsEscalation_di" bpmnElement="Flow_ToSanctionsEscalation"><di:waypoint x="1045" y="410"/><di:waypoint x="1150" y="410"/><di:waypoint x="1150" y="465"/></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_AutoRejected_di" bpmnElement="Flow_AutoRejected"><di:waypoint x="985" y="410"/><di:waypoint x="960" y="410"/><di:waypoint x="960" y="215"/><di:waypoint x="1370" y="215"/></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_EscalationDecision_di" bpmnElement="Flow_EscalationDecision"><di:waypoint x="1270" y="465"/><di:waypoint x="1315" y="465"/></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_EscalationApproved_di" bpmnElement="Flow_EscalationApproved"><di:waypoint x="1340" y="440"/><di:waypoint x="1340" y="310"/><di:waypoint x="1195" y="310"/><bpmndi:BPMNLabel><dc:Bounds x="1248" y="372" width="84" height="27"/></bpmndi:BPMNLabel></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_EscalationDenied_di" bpmnElement="Flow_EscalationDenied"><di:waypoint x="1365" y="465"/><di:waypoint x="1420" y="465"/><di:waypoint x="1420" y="215"/><bpmndi:BPMNLabel><dc:Bounds x="1378" y="448" width="39" height="14"/></bpmndi:BPMNLabel></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_SanctionsOK_Escalated_di" bpmnElement="Flow_SanctionsOK_Escalated"><di:waypoint x="1195" y="285"/><di:waypoint x="1195" y="145"/><di:waypoint x="1155" y="145"/></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_LegalReviewDone_di" bpmnElement="Flow_LegalReviewDone"><di:waypoint x="920" y="465"/><di:waypoint x="975" y="465"/></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_LegalOK_di" bpmnElement="Flow_LegalOK"><di:waypoint x="1025" y="465"/><di:waypoint x="1075" y="465"/><bpmndi:BPMNLabel><dc:Bounds x="1033" y="447" width="40" height="14"/></bpmndi:BPMNLabel></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_LegalFail_di" bpmnElement="Flow_LegalFail"><di:waypoint x="1000" y="440"/><di:waypoint x="1000" y="215"/><di:waypoint x="1370" y="215"/><bpmndi:BPMNLabel><dc:Bounds x="1006" y="325" width="65" height="27"/></bpmndi:BPMNLabel></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_LegalComplete_di" bpmnElement="Flow_LegalComplete"><di:waypoint x="1195" y="465"/><di:waypoint x="1195" y="170"/><di:waypoint x="1155" y="170"/></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_RiskTierResult_di" bpmnElement="Flow_RiskTierResult"><di:waypoint x="930" y="630"/><di:waypoint x="985" y="630"/></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_HighRisk_di" bpmnElement="Flow_HighRisk"><di:waypoint x="1010" y="605"/><di:waypoint x="1010" y="615"/><di:waypoint x="1075" y="615"/><bpmndi:BPMNLabel><dc:Bounds x="1016" y="585" width="75" height="27"/></bpmndi:BPMNLabel></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_MediumLowRisk_di" bpmnElement="Flow_MediumLowRisk"><di:waypoint x="1010" y="655"/><di:waypoint x="1010" y="690"/><di:waypoint x="1075" y="690"/><bpmndi:BPMNLabel><dc:Bounds x="1016" y="660" width="40" height="27"/></bpmndi:BPMNLabel></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_EDD_Done_di" bpmnElement="Flow_EDD_Done"><di:waypoint x="1195" y="615"/><di:waypoint x="1245" y="630"/></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_FDD_Done_di" bpmnElement="Flow_FDD_Done"><di:waypoint x="1195" y="690"/><di:waypoint x="1220" y="690"/><di:waypoint x="1220" y="650"/><di:waypoint x="1245" y="650"/></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_RiskComplete_di" bpmnElement="Flow_RiskComplete"><di:waypoint x="1365" y="630"/><di:waypoint x="1400" y="630"/><di:waypoint x="1400" y="145"/><di:waypoint x="1205" y="145"/></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_ToDecision_di" bpmnElement="Flow_ToDecision"><di:waypoint x="1205" y="145"/><di:waypoint x="1265" y="145"/></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_Approved_di" bpmnElement="Flow_Approved"><di:waypoint x="1315" y="145"/><di:waypoint x="1370" y="145"/><bpmndi:BPMNLabel><dc:Bounds x="1323" y="127" width="44" height="14"/></bpmndi:BPMNLabel></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_Rejected_di" bpmnElement="Flow_Rejected"><di:waypoint x="1290" y="170"/><di:waypoint x="1290" y="215"/><di:waypoint x="1370" y="215"/><bpmndi:BPMNLabel><dc:Bounds x="1296" y="188" width="45" height="14"/></bpmndi:BPMNLabel></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_ToIT_di" bpmnElement="Flow_ToIT"><di:waypoint x="1430" y="145"/><di:waypoint x="1480" y="145"/><di:waypoint x="1480" y="755"/></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_IT_Profile_di" bpmnElement="Flow_IT_Profile"><di:waypoint x="1505" y="780"/><di:waypoint x="1555" y="760"/></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_IT_Portal_di" bpmnElement="Flow_IT_Portal"><di:waypoint x="1505" y="780"/><di:waypoint x="1555" y="850"/></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_IT_Payment_di" bpmnElement="Flow_IT_Payment"><di:waypoint x="1480" y="805"/><di:waypoint x="1480" y="925"/><di:waypoint x="1555" y="925"/></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_IT_Profile_Done_di" bpmnElement="Flow_IT_Profile_Done"><di:waypoint x="1675" y="760"/><di:waypoint x="1720" y="780"/></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_IT_Portal_Done_di" bpmnElement="Flow_IT_Portal_Done"><di:waypoint x="1675" y="850"/><di:waypoint x="1745" y="850"/><di:waypoint x="1745" y="805"/></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_IT_Payment_Done_di" bpmnElement="Flow_IT_Payment_Done"><di:waypoint x="1675" y="925"/><di:waypoint x="1745" y="925"/><di:waypoint x="1745" y="805"/></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_IT_Integrate_di" bpmnElement="Flow_IT_Integrate"><di:waypoint x="1770" y="780"/><di:waypoint x="1820" y="780"/></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_FromIT_di" bpmnElement="Flow_FromIT"><di:waypoint x="1875" y="740"/><di:waypoint x="1875" y="145"/><di:waypoint x="1830" y="145"/></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_ToEnd_Approved_di" bpmnElement="Flow_ToEnd_Approved"><di:waypoint x="1830" y="145"/><di:waypoint x="1862" y="145"/></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_ToArchive_di" bpmnElement="Flow_ToArchive"><di:waypoint x="1470" y="215"/><di:waypoint x="1510" y="215"/></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_ToEnd_Rejected_di" bpmnElement="Flow_ToEnd_Rejected"><di:waypoint x="1610" y="215"/><di:waypoint x="1650" y="215"/></bpmndi:BPMNEdge>
+
+      <!-- MESSAGE FLOWS -->
+      <bpmndi:BPMNEdge id="MF_1_di" bpmnElement="MF_1"><di:waypoint x="230" y="940"/><di:waypoint x="230" y="163"/></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="MF_2_di" bpmnElement="MF_2"><di:waypoint x="1780" y="185"/><di:waypoint x="1780" y="940"/></bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="MF_3_di" bpmnElement="MF_3"><di:waypoint x="1420" y="245"/><di:waypoint x="1420" y="940"/></bpmndi:BPMNEdge>
+
+    </bpmndi:BPMNPlane>
+  </bpmndi:BPMNDiagram>
+</bpmn:definitions>
diff --git a/vendor-risk-scoring.dmn.xml b/vendor-risk-scoring.dmn.xml
new file mode 100644
index 0000000..b095778
--- /dev/null
+++ b/vendor-risk-scoring.dmn.xml
@@ -0,0 +1,226 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<definitions xmlns="https://www.omg.org/spec/DMN/20191111/MODEL/"
+             xmlns:dmndi="https://www.omg.org/spec/DMN/20191111/DMNDI/"
+             xmlns:dc="http://www.omg.org/spec/DD/20100524/DC"
+             id="VendorRiskScoring"
+             name="Vendor Risk Scoring"
+             namespace="https://processgit.org/heliosgroup/vendor-risk-scoring">
+
+  <!-- ── VENDOR RISK TIER (composite decision) ── -->
+  <decision id="Decision_VendorRiskTier" name="Vendor Risk Tier">
+    <informationRequirement id="IR_Country"><requiredDecision href="#Decision_CountryRisk"/></informationRequirement>
+    <informationRequirement id="IR_Financial"><requiredDecision href="#Decision_FinancialRisk"/></informationRequirement>
+    <informationRequirement id="IR_Ownership"><requiredInput href="#Input_OwnershipStructure"/></informationRequirement>
+    <decisionTable id="DT_VendorRiskTier" hitPolicy="FIRST">
+      <input id="In_CountryRisk" label="Country Risk Score">
+        <inputExpression typeRef="string"><text>countryRiskLevel</text></inputExpression>
+        <inputValues><text>"HIGH","MEDIUM","LOW"</text></inputValues>
+      </input>
+      <input id="In_FinancialRisk" label="Financial Risk Score">
+        <inputExpression typeRef="string"><text>financialRiskLevel</text></inputExpression>
+        <inputValues><text>"HIGH","MEDIUM","LOW"</text></inputValues>
+      </input>
+      <input id="In_Ownership" label="Ownership Structure">
+        <inputExpression typeRef="string"><text>ownershipStructure</text></inputExpression>
+        <inputValues><text>"COMPLEX","SIMPLE","PUBLIC"</text></inputValues>
+      </input>
+      <output id="Out_Tier" name="riskTier" typeRef="string" label="Risk Tier"/>
+      <output id="Out_DDLevel" name="dueDiligenceLevel" typeRef="string" label="Due Diligence Level"/>
+      <output id="Out_ApprovalAuthority" name="approvalAuthority" typeRef="string" label="Approval Authority"/>
+      <output id="Out_ReviewDays" name="reviewDays" typeRef="number" label="Max Review Days"/>
+      <!-- Tier 1: Any HIGH + Complex -->
+      <rule id="R1">
+        <inputEntry><text>"HIGH"</text></inputEntry>
+        <inputEntry><text>-</text></inputEntry>
+        <inputEntry><text>-</text></inputEntry>
+        <outputEntry><text>"TIER_1_HIGH_RISK"</text></outputEntry>
+        <outputEntry><text>"ENHANCED"</text></outputEntry>
+        <outputEntry><text>"Chief Procurement Officer + Legal Counsel"</text></outputEntry>
+        <outputEntry><text>30</text></outputEntry>
+      </rule>
+      <!-- Tier 1: Complex ownership + Medium financial -->
+      <rule id="R2">
+        <inputEntry><text>-</text></inputEntry>
+        <inputEntry><text>"HIGH"</text></inputEntry>
+        <inputEntry><text>-</text></inputEntry>
+        <outputEntry><text>"TIER_1_HIGH_RISK"</text></outputEntry>
+        <outputEntry><text>"ENHANCED"</text></outputEntry>
+        <outputEntry><text>"Chief Procurement Officer + CFO"</text></outputEntry>
+        <outputEntry><text>30</text></outputEntry>
+      </rule>
+      <!-- Tier 1: Complex ownership regardless -->
+      <rule id="R3">
+        <inputEntry><text>-</text></inputEntry>
+        <inputEntry><text>-</text></inputEntry>
+        <inputEntry><text>"COMPLEX"</text></inputEntry>
+        <outputEntry><text>"TIER_1_HIGH_RISK"</text></outputEntry>
+        <outputEntry><text>"ENHANCED"</text></outputEntry>
+        <outputEntry><text>"Chief Procurement Officer + Legal Counsel"</text></outputEntry>
+        <outputEntry><text>30</text></outputEntry>
+      </rule>
+      <!-- Tier 2: Medium country + Medium financial -->
+      <rule id="R4">
+        <inputEntry><text>"MEDIUM"</text></inputEntry>
+        <inputEntry><text>"MEDIUM"</text></inputEntry>
+        <inputEntry><text>-</text></inputEntry>
+        <outputEntry><text>"TIER_2_MEDIUM_RISK"</text></outputEntry>
+        <outputEntry><text>"STANDARD"</text></outputEntry>
+        <outputEntry><text>"Procurement Director"</text></outputEntry>
+        <outputEntry><text>14</text></outputEntry>
+      </rule>
+      <!-- Tier 2: Medium country + Low financial -->
+      <rule id="R5">
+        <inputEntry><text>"MEDIUM"</text></inputEntry>
+        <inputEntry><text>"LOW"</text></inputEntry>
+        <inputEntry><text>-</text></inputEntry>
+        <outputEntry><text>"TIER_2_MEDIUM_RISK"</text></outputEntry>
+        <outputEntry><text>"STANDARD"</text></outputEntry>
+        <outputEntry><text>"Procurement Manager"</text></outputEntry>
+        <outputEntry><text>10</text></outputEntry>
+      </rule>
+      <!-- Tier 3: All LOW, Public company -->
+      <rule id="R6">
+        <inputEntry><text>"LOW"</text></inputEntry>
+        <inputEntry><text>"LOW"</text></inputEntry>
+        <inputEntry><text>"PUBLIC"</text></inputEntry>
+        <outputEntry><text>"TIER_3_LOW_RISK"</text></outputEntry>
+        <outputEntry><text>"SIMPLIFIED"</text></outputEntry>
+        <outputEntry><text>"Procurement Officer"</text></outputEntry>
+        <outputEntry><text>5</text></outputEntry>
+      </rule>
+      <!-- Tier 3: Default LOW -->
+      <rule id="R7">
+        <inputEntry><text>"LOW"</text></inputEntry>
+        <inputEntry><text>"LOW"</text></inputEntry>
+        <inputEntry><text>-</text></inputEntry>
+        <outputEntry><text>"TIER_3_LOW_RISK"</text></outputEntry>
+        <outputEntry><text>"SIMPLIFIED"</text></outputEntry>
+        <outputEntry><text>"Procurement Officer"</text></outputEntry>
+        <outputEntry><text>7</text></outputEntry>
+      </rule>
+    </decisionTable>
+  </decision>
+
+  <!-- ── COUNTRY RISK CLASSIFICATION ── -->
+  <decision id="Decision_CountryRisk" name="Country Risk Level">
+    <informationRequirement id="IR_Country2"><requiredInput href="#Input_CountryCode"/></informationRequirement>
+    <decisionTable id="DT_CountryRisk" hitPolicy="FIRST">
+      <input id="In_CountryCode" label="Country Code (ISO 3166)">
+        <inputExpression typeRef="string"><text>countryCode</text></inputExpression>
+      </input>
+      <input id="In_FATFList" label="FATF Grey/Black List">
+        <inputExpression typeRef="boolean"><text>onFATFList</text></inputExpression>
+      </input>
+      <output id="Out_CountryRisk" name="countryRiskLevel" typeRef="string" label="Country Risk Level"/>
+      <output id="Out_CountryReason" name="countryRiskReason" typeRef="string" label="Reason"/>
+      <!-- FATF blacklist -->
+      <rule id="CR1">
+        <inputEntry><text>-</text></inputEntry>
+        <inputEntry><text>true</text></inputEntry>
+        <outputEntry><text>"HIGH"</text></outputEntry>
+        <outputEntry><text>"Country on FATF grey or black list"</text></outputEntry>
+      </rule>
+      <!-- Sanctioned jurisdictions -->
+      <rule id="CR2">
+        <inputEntry><text>"RU","BY","IR","KP","CU","SY","VE"</text></inputEntry>
+        <inputEntry><text>-</text></inputEntry>
+        <outputEntry><text>"HIGH"</text></outputEntry>
+        <outputEntry><text>"Sanctioned jurisdiction — EU/OFAC restrictions apply"</text></outputEntry>
+      </rule>
+      <!-- Medium risk — emerging markets with AML concerns -->
+      <rule id="CR3">
+        <inputEntry><text>"CN","AE","TR","PK","NG","KZ"</text></inputEntry>
+        <inputEntry><text>false</text></inputEntry>
+        <outputEntry><text>"MEDIUM"</text></outputEntry>
+        <outputEntry><text>"Elevated AML/corruption risk jurisdiction"</text></outputEntry>
+      </rule>
+      <!-- EU + trusted jurisdictions -->
+      <rule id="CR4">
+        <inputEntry><text>"DE","FR","US","GB","JP","AU","CA","NL","SE","DK","NO","FI","CH"</text></inputEntry>
+        <inputEntry><text>false</text></inputEntry>
+        <outputEntry><text>"LOW"</text></outputEntry>
+        <outputEntry><text>"Low-risk jurisdiction with strong AML framework"</text></outputEntry>
+      </rule>
+      <!-- Default -->
+      <rule id="CR5">
+        <inputEntry><text>-</text></inputEntry>
+        <inputEntry><text>false</text></inputEntry>
+        <outputEntry><text>"MEDIUM"</text></outputEntry>
+        <outputEntry><text>"Standard risk — insufficient data for low classification"</text></outputEntry>
+      </rule>
+    </decisionTable>
+  </decision>
+
+  <!-- ── FINANCIAL RISK CLASSIFICATION ── -->
+  <decision id="Decision_FinancialRisk" name="Financial Risk Level">
+    <informationRequirement id="IR_Financial2"><requiredInput href="#Input_CreditScore"/></informationRequirement>
+    <decisionTable id="DT_FinancialRisk" hitPolicy="FIRST">
+      <input id="In_CreditScore" label="Credit Score (0–100)">
+        <inputExpression typeRef="number"><text>creditScore</text></inputExpression>
+      </input>
+      <input id="In_YearsTrading" label="Years in Business">
+        <inputExpression typeRef="number"><text>yearsTrading</text></inputExpression>
+      </input>
+      <input id="In_ContractValue" label="Annual Contract Value (EUR)">
+        <inputExpression typeRef="number"><text>annualContractValue</text></inputExpression>
+      </input>
+      <output id="Out_FinancialRisk" name="financialRiskLevel" typeRef="string" label="Financial Risk Level"/>
+      <!-- High: Low credit + Large contract -->
+      <rule id="FR1">
+        <inputEntry><text>&lt; 40</text></inputEntry>
+        <inputEntry><text>-</text></inputEntry>
+        <inputEntry><text>-</text></inputEntry>
+        <outputEntry><text>"HIGH"</text></outputEntry>
+      </rule>
+      <!-- High: New company + Large contract -->
+      <rule id="FR2">
+        <inputEntry><text>-</text></inputEntry>
+        <inputEntry><text>&lt; 2</text></inputEntry>
+        <inputEntry><text>&gt;= 500000</text></inputEntry>
+        <outputEntry><text>"HIGH"</text></outputEntry>
+      </rule>
+      <!-- Medium: Moderate credit -->
+      <rule id="FR3">
+        <inputEntry><text>[40..70)</text></inputEntry>
+        <inputEntry><text>-</text></inputEntry>
+        <inputEntry><text>-</text></inputEntry>
+        <outputEntry><text>"MEDIUM"</text></outputEntry>
+      </rule>
+      <!-- Medium: Large contract regardless of credit -->
+      <rule id="FR4">
+        <inputEntry><text>-</text></inputEntry>
+        <inputEntry><text>-</text></inputEntry>
+        <inputEntry><text>&gt;= 1000000</text></inputEntry>
+        <outputEntry><text>"MEDIUM"</text></outputEntry>
+      </rule>
+      <!-- Low: Strong credit, established company -->
+      <rule id="FR5">
+        <inputEntry><text>&gt;= 70</text></inputEntry>
+        <inputEntry><text>&gt;= 3</text></inputEntry>
+        <inputEntry><text>&lt; 1000000</text></inputEntry>
+        <outputEntry><text>"LOW"</text></outputEntry>
+      </rule>
+    </decisionTable>
+  </decision>
+
+  <!-- INPUT DATA DEFINITIONS -->
+  <inputData id="Input_CountryCode" name="Country Code"/>
+  <inputData id="Input_OwnershipStructure" name="Ownership Structure"/>
+  <inputData id="Input_CreditScore" name="Credit Score"/>
+
+  <dmndi:DMNDI>
+    <dmndi:DMNDiagram id="DMNDiagram_1">
+      <dmndi:DMNShape id="S_VendorRiskTier" dmnElementRef="Decision_VendorRiskTier"><dc:Bounds x="350" y="80" width="200" height="80"/></dmndi:DMNShape>
+      <dmndi:DMNShape id="S_CountryRisk" dmnElementRef="Decision_CountryRisk"><dc:Bounds x="150" y="240" width="180" height="80"/></dmndi:DMNShape>
+      <dmndi:DMNShape id="S_FinancialRisk" dmnElementRef="Decision_FinancialRisk"><dc:Bounds x="380" y="240" width="180" height="80"/></dmndi:DMNShape>
+      <dmndi:DMNShape id="S_CountryCode" dmnElementRef="Input_CountryCode"><dc:Bounds x="150" y="390" width="125" height="45"/></dmndi:DMNShape>
+      <dmndi:DMNShape id="S_Ownership" dmnElementRef="Input_OwnershipStructure"><dc:Bounds x="610" y="150" width="125" height="45"/></dmndi:DMNShape>
+      <dmndi:DMNShape id="S_CreditScore" dmnElementRef="Input_CreditScore"><dc:Bounds x="380" y="390" width="125" height="45"/></dmndi:DMNShape>
+      <dmndi:DMNEdge id="E_CR" dmnElementRef="IR_Country"><di:waypoint x="240" y="240"/><di:waypoint x="400" y="160"/></dmndi:DMNEdge>
+      <dmndi:DMNEdge id="E_FR" dmnElementRef="IR_Financial"><di:waypoint x="470" y="240"/><di:waypoint x="450" y="160"/></dmndi:DMNEdge>
+      <dmndi:DMNEdge id="E_OW" dmnElementRef="IR_Ownership"><di:waypoint x="610" y="172"/><di:waypoint x="550" y="120"/></dmndi:DMNEdge>
+      <dmndi:DMNEdge id="E_CC" dmnElementRef="IR_Country2"><di:waypoint x="212" y="390"/><di:waypoint x="240" y="320"/></dmndi:DMNEdge>
+      <dmndi:DMNEdge id="E_CS" dmnElementRef="IR_Financial2"><di:waypoint x="442" y="390"/><di:waypoint x="470" y="320"/></dmndi:DMNEdge>
+    </dmndi:DMNDiagram>
+  </dmndi:DMNDI>
+</definitions>