Product features
A monitoring workflow built around GDPR vendor accountability
DPAFlow watches vendor and subprocessor sources, classifies the changes, and preserves the evidence — so your compliance team can review work instead of doing surveillance.
The DPAFlow workflow
From the first scan to the audit-ready export, every capability sits in one of five workflow stages.
01 Discover: Find every vendor handling customer data.
02 Monitor: Watch subprocessor pages on a recurring cadence.
03 Detect: Diff, classify, and score each change.
04 Review: Triage alerts, assign owners, close decisions.
05 Evidence: Export a date-stamped record on demand.
What's inside DPAFlow
Each capability is mapped to who uses it, why it matters under GDPR, and what evidence or output it produces.
Vendor discovery
Procurement, security, DPO
Identify the SaaS vendors and subprocessors that handle your customer data — including the ones that were never reviewed.
- Why it matters: Most GDPR vendor gaps come from tools introduced outside procurement. Discovery surfaces them.
- Output: A consolidated, taggable vendor inventory.
Subprocessor monitoring
DPO, privacy counsel
Track each vendor's published subprocessor list and detect additions, removals, and region changes.
- Why it matters: Article 28(2) requires controllers to be informed of subprocessor changes. Monitoring makes that record continuous.
- Output: A vendor-by-vendor change history with snapshots.
Change detection
Privacy operations
Diff vendor pages, DPAs, and trust portals on a recurring cadence and classify what changed.
- Why it matters: Manual review of public pages does not scale past a handful of vendors.
- Output: A structured diff per change, attached to the vendor.
Evidence timeline
Compliance, audit prep
Every detected change becomes a date-stamped evidence record with the source URL, snapshot, and classification.
- Why it matters: Auditors and customers ask 'how do you know?' — the timeline answers it.
- Output: Export-ready CSV / PDF evidence bundles.
Risk classification
Risk & compliance
Each vendor and change carries a severity reflecting change type, geography, and trust signals.
- Why it matters: Compliance teams need to know what to look at first, not just what changed.
- Output: Risk-ranked review queue.
Alerts & review workflow
Privacy ops, security
Route alerts to the right reviewer, assign owners, and close out with a decision.
- Why it matters: Notifications without a workflow turn into noise. Decisions need a place to live.
- Output: Assigned, status-tracked alerts.
Reports & exports
DPO, legal, audit
Generate evidence reports filtered by vendor, severity, time window, or change type.
- Why it matters: Vendor review cycles and external audits both need point-in-time exports.
- Output: CSV / PDF reports with source links.
Team & admin controls
Workspace admins
Invite teammates, scope access, manage workspace settings, and rotate API keys.
- Why it matters: Privacy work is collaborative. Access needs to follow the org chart.
- Output: Workspace with role-scoped access.
GDPR Article 28 support
DPO, counsel
Workflows and evidence records aligned with controller / processor accountability obligations.
- Why it matters: Article 28 is the legal frame the product is built around — not a checkbox.
- Output: Article 28-aligned evidence trail.
Free scan
Anyone evaluating
Run a one-shot scan against your top vendors before committing to a plan.
- Why it matters: You should see real findings before you pay for monitoring.
- Output: A report you keep regardless of plan choice.
See it on your vendors
A free scan walks the workflow on your real vendors. The output stays with you whether you continue or not.