DPAFlow

Security & compliance

Operational security built for GDPR teams

DPAFlow is the product compliance teams use to keep up with vendor change. Holding the security bar high for our own platform is the floor, not the ceiling.

Security principles

Minimal data collection

We process the public vendor URLs you choose to watch, the snapshots we capture, and the metadata needed for alerts. No customer end-user data is required to run monitoring.

Encryption everywhere

All traffic between your browser, the dashboard, and the monitoring engine is TLS-encrypted. Evidence snapshots and database records are encrypted at rest.

EU-first infrastructure

Hosting, storage, and processing stay within the EU region. Region is part of the product, not a configuration option.

Scoped access control

Workspace access is role-scoped. API keys are per-workspace and revocable. Administrative actions are logged.

Auditable change history

Every detected vendor change is preserved with a timestamp, source URL, and snapshot — designed to support internal audit prep and customer questionnaires.

Operational hardening

Production systems run with least-privilege service accounts, isolated environments, dependency scanning, and continuous monitoring.

Data handling at a glance

Hosting region: EU (Frankfurt / Amsterdam classes)
Data residency: EU only
Transport encryption: TLS 1.2+
At-rest encryption: AES-256
Retention: Tied to workspace lifecycle; evidence retained for the contract term
Subprocessors: Listed in the customer DPA; updates surfaced via DPAFlow itself

Customer questionnaires & DPAs

Security questionnaires

We respond to standard security questionnaires (SIG, CAIQ, custom). Reach out via the contact page and we'll route the request.

Data Processing Agreement

Our DPA is available before purchase. Standard Contractual Clauses are incorporated where applicable.

Legal note

Draft — pending attorney review

This page describes operational practices, not legal guarantees. DPAFlow does not provide legal advice. Use of the product does not create a controller-processor relationship beyond what is set out in the executed DPA. Qualified counsel should review the DPA against your specific obligations.

Need to share this with your security team?

We can provide our latest security pack, DPA, and subprocessor list on request.