Back to Blog
Data

Entity resolution is the cross-module substrate

James Reed|May 11, 2026|9 min read

Key Takeaways

  • -A sanctioned supplier, a CVE-exposed processor, and a counterparty in a DPA are often the same legal entity wearing three different names across three systems.
  • -Entity resolution merges those records into one canonical entity with provenance per claim. Without it, cross-module routing breaks down because each module sees a different version of the same actor.
  • -WYRM Data's entity-resolution agent unifies suppliers (OpenCorporates), counterparties (OpenSanctions), regulator-named entities, breach actors, and contract parties across every WYRM feed.
  • -The shared graph is what lets a hit in Procure trigger the right action in Cyber and Legal automatically — and what makes the cross-module audit trail reconstructable.

Most enterprise data problems are not modelling problems. They are identity problems. The supplier in the procurement system, the processor in the DPA register, the counterparty on the sanctions screening report, and the breach actor in the threat intelligence feed are routinely the same legal entity recorded under four different names — sometimes with subsidiaries collapsed, sometimes with parent-company traces missing, sometimes with the registered office in a different jurisdiction than the trading address. Each individual record is defensible. Together they do not converge.

WYRM Data treats entity resolution as the substrate that makes the rest of the platform usable. The reasoning is straightforward: if Procure flags a sanctions hit against Counterparty A, that hit only matters in Cyber and Legal if those modules can recognise that Counterparty A is the same legal entity they have records for. Without resolution, the cross-module event routing collapses to text-matching, which works some of the time and fails silently the rest of it.

The resolution layer pulls from several authoritative sources. OpenCorporates contributes 200M+ legal entities across 140+ jurisdictions, with parent-ownership chains and historical filings. OpenSanctions contributes the consolidated sanctions and PEP universe with multi-list cross-references. The WYRM internal stream contributes regulator-named entities (FCA, ICO, CMA), breach actors from cyber feeds, and contract parties from the customer's own Legal document library. Each source has its own naming conventions and identifier scheme; the resolver harmonises them into a single canonical record per entity, with provenance retained for every claim.

Provenance is non-negotiable. A canonical entity record looks like this in practice: the entity's preferred trading name, all known legal names across jurisdictions, registered offices, beneficial-ownership chain, the sanctions and threat-intel hits tagged to it, the contracts in which it appears as a party, and — critically — a source citation per field. If a parent-ownership claim comes from OpenCorporates' UK filings as of last Tuesday, the record says so. If a sanctions designation comes from the EU consolidated list updated this morning, the record says that too. A claim with no provenance is not a claim; it is a guess.

The cross-module routing is what the substrate enables. A sanctions hit in Procure does not just write to the Procure audit log — it propagates to Cyber (flag any supplier attestation against the same entity for re-check), Legal (flag any active contract with the same entity for DPA and incident-clause review), and back to the Data orchestrator (update the entity's risk score in the canonical record). All four side-effects share the same event identifier, so the audit trail is reconstructable end-to-end.

A worked scenario. The Cyber threat-intel feed reports a credential breach affecting a vendor that several operators in WYRM's customer base use as a data processor. The breach actor is named in the threat-intel record. The entity-resolution agent identifies the actor as the same legal entity that appears in the operator's Legal contract library as a Sub-processor B under a DPA — the names matched because the resolver's parent-ownership trace had already linked the breach actor's marketing name to the legal entity that signed the DPA. Procure also held a record of the same entity as a Tier-2 supplier to the operator's primary cloud vendor. The orchestrator issues a single composite alert: 'Credential breach at Vendor X impacts 1 active DPA (operator response: notify data subjects under GDPR Article 33), 1 Tier-2 supplier in the Procure graph (operator response: request remediation evidence within 72 hours), and lowers Vendor X's risk score in the canonical entity record.'

The alternative is the operator getting three separate notifications — Cyber says credentials are leaked, Legal says a DPA might be affected, Procure says a supplier might be involved — without anyone connecting the dots. That is the failure mode that loses 48 hours in an active incident, and it is what entity resolution eliminates structurally.

Data is one of WYRM's two flagship engineering products, and it exposes this layer as a product. Data Lite at £20/seat includes the unified entity graph at flat-tier API pricing — covering ~10k entity lookups per month and the cross-module event stream for the operator's own modules — and lets a team spec racks and gauge usage. WYRM Data at £150/seat adds 2D + 3D layout planning, Revit / AutoCAD round-trip, and metered usage for automatic drawing elements, suited to operators integrating Data into their own downstream systems beyond the WYRM UIs. Bundled with WYRM MEP as WYRM Engineering at £250/seat, Data becomes the substrate underneath the add-on modules — the configuration that makes cross-module routing automatic rather than a custom integration.

All Posts