Skip to content
DPAFlow
01 /Vendor monitoring & GDPR evidence workflow

Vendor and subprocessor monitoring built for privacy teams

DPAFlow watches the vendor and subprocessor pages that matter, detects when they change, and captures dated evidence — then connects those changes to your Transfer Impact Assessments, RoPA records, and audit-ready exports. Built for privacy, legal, and vendor-risk teams.

source-urltimestampcontent-hashreview-trail

7-day trial · No credit card required

02 /The problem

Why vendor monitoring breaks when it is done manually

Most teams track subprocessors in a spreadsheet and check pages by hand. It breaks in predictable ways.

Spreadsheet drift

A vendor list in a shared sheet is out of date the moment a subprocessor page changes — and no one is told.

Missed page changes

Subprocessor and DPA pages change quietly. Manual quarterly checks miss the change and the date it happened.

Stale subprocessors

Removed or added processors go unnoticed, so your records describe a vendor relationship that no longer exists.

Unclear evidence

A screenshot in a folder is not defensible. There is no source URL, no timestamp, and no content hash to rely on.

03 /How it works

How DPAFlow monitors your sources

Monitoring is only credible if the sources are clear and their health is honest. DPAFlow makes both explicit.

Source discovery & URL

Point DPAFlow at the exact subprocessor, DPA, or trust-center URL you need to watch — the canonical source of truth.

Scheduled checks

Sources are re-checked on a controlled schedule, so you are not relying on someone remembering to look.

Source health

Each source carries an honest status — verified, changed, stale, or unreachable — so you know what to trust.

Change detection

When the page content changes, DPAFlow detects it and isolates the changed section, not just “something changed.”

Evidence capture

Every detected change is captured as a dated record with the source URL, timestamp, and a content hash.

Alerts & routing

Captured changes are routed to the right reviewer and the right people are alerted, so review starts without anyone refreshing a page.

04 /Change detection workflow

From a source change to an audit-ready record

Every change moves through the same repeatable path — so nothing depends on someone remembering to look.

Step 1

Source snapshot

A baseline snapshot of the monitored page is captured with its rendered text and metadata.

Step 2

Detected change

On the next check, the changed section is identified and compared against the previous capture.

Step 3

Evidence record

A dated record is created with source URL, timestamp, content hash, and before / after context.

Step 4

Review queue

The record is routed to the right reviewer — privacy, legal, or vendor risk — with context attached.

Step 5

Export packet

Approved records roll up into an audit-ready export you can hand to an auditor or keep on file.

05 /The record

What every evidence record contains

Each detected change becomes a structured, dated record — not a screenshot in a folder.

  • Source URL — the exact page that was monitored
  • Capture timestamp — when the evidence was taken (UTC)
  • Content hash — an integrity check for the captured content
  • Before / after context — the specific section that changed
  • Reviewer status — who reviewed it and what they decided
  • Export metadata — everything needed for an audit-ready packet
Explore evidence records
Evidence recordChange detected

Subprocessor list updated

Source URL
trust.microsoft.com/subprocessors
Captured
May 12, 2025 · 14:23 UTC
Content hash
a7e4…c3b9
Reviewer
Routed · pending
Nuance Communications, Inc.
+Microsoft Azure OpenAI Service (East US 2)
ID EV-2F8D-D5B7Export packet
06 /Source health

Honest source health and confidence

DPAFlow never pretends a source is fine when it is not. Every source carries a clear, current state.

Verified

Reachable & unchanged

The source was checked successfully and matches the last capture. Nothing to review.

Changed

Content changed

A difference was detected since the last check. A dated evidence record is created for review.

Under review

Awaiting a decision

A change has been routed and is waiting on a reviewer to approve, reject, or request follow-up.

Unreachable

Source unavailable

The page could not be reached. The gap is surfaced honestly rather than silently skipped.

07 /Review & export

Route the change, record the decision, export the proof

A detected change does not just sit in a feed. It is routed to the right reviewer, the decision is recorded, and the whole record rolls up into an audit-ready export.

  • Route each change to privacy, legal, or vendor risk
  • Record the reviewer’s decision on the record itself
  • Export a self-contained, audit-ready evidence bundle
  • Keep it on file for the day an auditor asks what changed
See evidence & exports
Audit-ready exportPDF · JSON
  • Source URL & capture timestamp
  • Content hash (integrity check)
  • Full-page snapshot & rendered text
  • Change summary (before / after)
  • Reviewer decision & notes
  • Chain of events
Generate evidence bundle
08 /Transfer Impact Assessments

More than monitoring — assess your international transfers

DPAFlow is not only vendor monitoring. It helps you document international transfers, track destinations and safeguards, and connect monitoring changes to the transfer reviews they affect — on the same dated-evidence model. It supports your review; it does not make legal decisions for you.

Document international transfers

Record EU → US and other cross-border transfers with the transfer mechanism (SCCs) and supplementary measures — captured against the same dated-evidence model as your monitoring.

Destinations & safeguards

Track where data goes and the safeguards that apply — destinations, recipients, and the mechanisms relied on — in structured, reviewable records.

Monitoring-linked review triggers

When a monitored vendor or subprocessor page changes, DPAFlow flags the transfer assessments that may need another look — connecting change signals to review.

Export & review readiness

Track how complete each assessment is and export a review-ready packet — so the record is ready when your DPO or an auditor asks.

09 /Records of Processing Activities

Keep your Article 30 records current — and connected

RoPA is first-class in DPAFlow, not a side note. Maintain processing records with legal basis, purposes, data categories, recipients and transfers — and let vendor monitoring flag the records whose completeness or review status may have changed. It helps you document and track readiness; the decisions stay with your team.

Article 30 records

Maintain records of processing activities — purposes, legal basis, and data categories — in structured, reviewable records.

Recipients & third-country transfers

Document recipients and processors and any third-country transfers, linked to the vendors and subprocessors you already monitor.

Missing-field tracking

See which fields a record still needs before it is review- and export-ready — no guesswork about completeness.

Monitoring-linked completeness

When a monitored vendor changes, DPAFlow flags the RoPA records whose completeness or review status may be affected.

10 /Team workflow

One monitored source, four review teams

The same evidence record serves every reviewer — in the form each team needs it.

Privacy / DPO

Maintain a defensible, dated oversight trail for every subprocessor change — without manual screenshotting.

Legal

Review the exact captured wording of a change and decide whether contract or DPA terms need to move.

Vendor risk

Watch source health and change signals across the vendors that actually matter to your portfolio.

Compliance operator

Run monitoring as a repeatable process — set sources and reviewers once, keep the evidence flowing.

11 /What DPAFlow includes

One platform — monitoring, evidence, TIA, RoPA, and review

The modules share one dated-evidence model and connect end to end: monitor vendors → detect source and subprocessor changes → capture evidence → route review → connect changes to TIA and RoPA → export audit-ready records.

Vendor & Subprocessor Monitoring

Track vendors and their official source pages, and detect subprocessor and DPA changes on a controlled schedule.

Source Health

Every source carries an honest status — verified, changed, stale, or unreachable — so you know what to trust.

Evidence & Reports

Dated evidence records, a change timeline, and audit-ready exports your team can hand to an auditor.

Alerts & Review Queue

Detected changes route to the right reviewer; decisions waiting and TIA/RoPA review triggers surface in one queue.

Transfer Impact Assessments

Connect monitored vendor changes to international-transfer reviews — destinations, safeguards, evidence and review readiness — without claiming automated legal approval.

RoPA Builder

Maintain Article 30 processing records with legal basis, data categories, recipients, transfers, missing fields and export readiness.

Team & Module Access

Roles, module access, billing controls, export preferences and security settings — run monitoring as an operational process, not a demo.

12 /FAQ

Vendor monitoring FAQ

Common questions about how DPAFlow monitors sources and captures evidence.

What exactly does DPAFlow monitor?

DPAFlow monitors the public pages you point it at — typically vendor subprocessor lists, DPA pages, and trust centers — on a controlled schedule, and detects when their content changes.

How is a change turned into evidence?

When a change is detected, DPAFlow captures a dated record containing the source URL, a capture timestamp, a content hash, and the before / after context, then routes it to a reviewer.

Does this replace my DPA or legal review?

No. DPAFlow helps you detect changes and collect dated evidence to support your own review. Decisions stay customer-controlled — it does not provide legal advice or guarantee compliance.

What is the content hash for?

The content hash is an integrity check: it lets you confirm that the captured content has not been altered since it was recorded.

Can different teams review the same change?

Yes. A single monitored source can be reviewed from a privacy, legal, or vendor-risk point of view, with the decision recorded on the evidence record.

Start monitoring your first vendor in minutes

Point DPAFlow at a subprocessor page and keep the dated evidence for the day someone asks what changed.

7-day trial · DPA available before purchase