Vendor and subprocessor monitoring built for privacy teams
DPAFlow watches the vendor and subprocessor pages that matter, detects when they change, and captures dated evidence — then connects those changes to your Transfer Impact Assessments, RoPA records, and audit-ready exports. Built for privacy, legal, and vendor-risk teams.
7-day trial · No credit card required
- source
- atlasmail.example/legal/subprocessors
- captured
- 2026-03-14 09:42 UTC
- content hash
- 3f9a8c2e…c21b
Why vendor monitoring breaks when it is done manually
Most teams track subprocessors in a spreadsheet and check pages by hand. It breaks in predictable ways.
Spreadsheet drift
A vendor list in a shared sheet is out of date the moment a subprocessor page changes — and no one is told.
Missed page changes
Subprocessor and DPA pages change quietly. Manual quarterly checks miss the change and the date it happened.
Stale subprocessors
Removed or added processors go unnoticed, so your records describe a vendor relationship that no longer exists.
Unclear evidence
A screenshot in a folder is not defensible. There is no source URL, no timestamp, and no content hash to rely on.
How DPAFlow monitors your sources
Monitoring is only credible if the sources are clear and their health is honest. DPAFlow makes both explicit.
Source discovery & URL
Point DPAFlow at the exact subprocessor, DPA, or trust-center URL you need to watch — the canonical source of truth.
Scheduled checks
Sources are re-checked on a controlled schedule, so you are not relying on someone remembering to look.
Source health
Each source carries an honest status — verified, changed, stale, or unreachable — so you know what to trust.
Change detection
When the page content changes, DPAFlow detects it and isolates the changed section, not just “something changed.”
Evidence capture
Every detected change is captured as a dated record with the source URL, timestamp, and a content hash.
Alerts & routing
Captured changes are routed to the right reviewer and the right people are alerted, so review starts without anyone refreshing a page.
From a source change to an audit-ready record
Every change moves through the same repeatable path — so nothing depends on someone remembering to look.
Source snapshot
A baseline snapshot of the monitored page is captured with its rendered text and metadata.
Detected change
On the next check, the changed section is identified and compared against the previous capture.
Evidence record
A dated record is created with source URL, timestamp, content hash, and before / after context.
Review queue
The record is routed to the right reviewer — privacy, legal, or vendor risk — with context attached.
Export packet
Approved records roll up into an audit-ready export you can hand to an auditor or keep on file.
What every evidence record contains
Each detected change becomes a structured, dated record — not a screenshot in a folder.
- Source URL — the exact page that was monitored
- Capture timestamp — when the evidence was taken (UTC)
- Content hash — an integrity check for the captured content
- Before / after context — the specific section that changed
- Reviewer status — who reviewed it and what they decided
- Export metadata — everything needed for an audit-ready packet
Subprocessor list updated
Honest source health and confidence
DPAFlow never pretends a source is fine when it is not. Every source carries a clear, current state.
Reachable & unchanged
The source was checked successfully and matches the last capture. Nothing to review.
Content changed
A difference was detected since the last check. A dated evidence record is created for review.
Awaiting a decision
A change has been routed and is waiting on a reviewer to approve, reject, or request follow-up.
Source unavailable
The page could not be reached. The gap is surfaced honestly rather than silently skipped.
Route the change, record the decision, export the proof
A detected change does not just sit in a feed. It is routed to the right reviewer, the decision is recorded, and the whole record rolls up into an audit-ready export.
- Route each change to privacy, legal, or vendor risk
- Record the reviewer’s decision on the record itself
- Export a self-contained, audit-ready evidence bundle
- Keep it on file for the day an auditor asks what changed
- Source URL & capture timestamp
- Content hash (integrity check)
- Full-page snapshot & rendered text
- Change summary (before / after)
- Reviewer decision & notes
- Chain of events
More than monitoring — assess your international transfers
DPAFlow is not only vendor monitoring. It helps you document international transfers, track destinations and safeguards, and connect monitoring changes to the transfer reviews they affect — on the same dated-evidence model. It supports your review; it does not make legal decisions for you.
Document international transfers
Record EU → US and other cross-border transfers with the transfer mechanism (SCCs) and supplementary measures — captured against the same dated-evidence model as your monitoring.
Destinations & safeguards
Track where data goes and the safeguards that apply — destinations, recipients, and the mechanisms relied on — in structured, reviewable records.
Monitoring-linked review triggers
When a monitored vendor or subprocessor page changes, DPAFlow flags the transfer assessments that may need another look — connecting change signals to review.
Export & review readiness
Track how complete each assessment is and export a review-ready packet — so the record is ready when your DPO or an auditor asks.
Keep your Article 30 records current — and connected
RoPA is first-class in DPAFlow, not a side note. Maintain processing records with legal basis, purposes, data categories, recipients and transfers — and let vendor monitoring flag the records whose completeness or review status may have changed. It helps you document and track readiness; the decisions stay with your team.
Article 30 records
Maintain records of processing activities — purposes, legal basis, and data categories — in structured, reviewable records.
Recipients & third-country transfers
Document recipients and processors and any third-country transfers, linked to the vendors and subprocessors you already monitor.
Missing-field tracking
See which fields a record still needs before it is review- and export-ready — no guesswork about completeness.
Monitoring-linked completeness
When a monitored vendor changes, DPAFlow flags the RoPA records whose completeness or review status may be affected.
One monitored source, four review teams
The same evidence record serves every reviewer — in the form each team needs it.
Privacy / DPO
Maintain a defensible, dated oversight trail for every subprocessor change — without manual screenshotting.
Legal
Review the exact captured wording of a change and decide whether contract or DPA terms need to move.
Vendor risk
Watch source health and change signals across the vendors that actually matter to your portfolio.
Compliance operator
Run monitoring as a repeatable process — set sources and reviewers once, keep the evidence flowing.
One platform — monitoring, evidence, TIA, RoPA, and review
The modules share one dated-evidence model and connect end to end: monitor vendors → detect source and subprocessor changes → capture evidence → route review → connect changes to TIA and RoPA → export audit-ready records.
Vendor & Subprocessor Monitoring
Track vendors and their official source pages, and detect subprocessor and DPA changes on a controlled schedule.
Source Health
Every source carries an honest status — verified, changed, stale, or unreachable — so you know what to trust.
Evidence & Reports
Dated evidence records, a change timeline, and audit-ready exports your team can hand to an auditor.
Alerts & Review Queue
Detected changes route to the right reviewer; decisions waiting and TIA/RoPA review triggers surface in one queue.
Transfer Impact Assessments
Connect monitored vendor changes to international-transfer reviews — destinations, safeguards, evidence and review readiness — without claiming automated legal approval.
RoPA Builder
Maintain Article 30 processing records with legal basis, data categories, recipients, transfers, missing fields and export readiness.
Team & Module Access
Roles, module access, billing controls, export preferences and security settings — run monitoring as an operational process, not a demo.
Vendor monitoring FAQ
Common questions about how DPAFlow monitors sources and captures evidence.
What exactly does DPAFlow monitor?
DPAFlow monitors the public pages you point it at — typically vendor subprocessor lists, DPA pages, and trust centers — on a controlled schedule, and detects when their content changes.
How is a change turned into evidence?
When a change is detected, DPAFlow captures a dated record containing the source URL, a capture timestamp, a content hash, and the before / after context, then routes it to a reviewer.
Does this replace my DPA or legal review?
No. DPAFlow helps you detect changes and collect dated evidence to support your own review. Decisions stay customer-controlled — it does not provide legal advice or guarantee compliance.
What is the content hash for?
The content hash is an integrity check: it lets you confirm that the captured content has not been altered since it was recorded.
Can different teams review the same change?
Yes. A single monitored source can be reviewed from a privacy, legal, or vendor-risk point of view, with the decision recorded on the evidence record.
Start monitoring your first vendor in minutes
Point DPAFlow at a subprocessor page and keep the dated evidence for the day someone asks what changed.
7-day trial · DPA available before purchase