Build processing activity records without losing vendor context
DPAFlow's RoPA builder keeps each processing activity — its purpose, legal basis, data categories, retention, and the vendors behind it — in one review-ready record, instead of a spreadsheet that drifts away from your monitoring.
7-day trial · DPA available before purchase
Customer support ticketing
What a processing activity record contains
Each record is built from the same defensible parts — so a reviewer can read it once and understand the whole activity.
Activity name & purpose
Name each processing activity and state why the data is processed — the question every record starts with.
Legal basis
Record the legal basis you have chosen for the activity. You select it; DPAFlow organizes it — it does not decide it for you.
Data categories
Capture the categories of personal data involved, and note whether any special-category data is in scope.
Data subjects
Identify whose data is processed — customers, employees, or other groups — so the scope of the activity is clear.
Retention
Document how long the data is kept and the retention logic behind it, kept on the record rather than in a side note.
Linked vendors / subprocessors
Attach the vendors and subprocessors that touch the activity, so the record never loses the vendor context behind it.
How vendors connect to RoPA records
The vendors and subprocessors DPAFlow already monitors link directly into each processing activity. When a linked vendor's source changes, the record keeps pointing at the right vendor — so vendor context is never lost between your monitoring and your records.
- Link monitored vendors and subprocessors to the activities they touch
- Carry each vendor's monitoring health onto the record
- Keep the activity and its vendors in sync, not in separate tools
- See at a glance which activities a changed vendor affects
Data categories and the legal basis you choose
Capture the categories of personal data an activity processes, and record the legal basis you rely on. DPAFlow structures the record around Article 28 and Article 30 documentation — the legal basis is your choice, not an automated decision.
- Select the data categories an activity processes, from contact and usage data to support content
- Flag whether any special-category data is in scope, or record that none is
- Choose the legal basis you rely on — the choice stays customer-controlled, never auto-decided
- Keep wording aligned with Article 28 and Article 30 documentation, not legal advice
- Contact dataIncluded
- Usage dataIncluded
- Support contentIncluded
- Billing dataIncluded
- Special category dataNone
From draft record to approved, exportable RoPA
Every record moves through the same repeatable path, so accountability and review dates stay on the record instead of in someone's memory.
Draft record
Create the processing activity with its purpose, legal basis, data categories, subjects, and retention.
Assign owner
Give the record an accountable owner, so it is clear who maintains it and answers questions about it.
Review
Route the record for review. The owner and reviewers check the details against how the activity actually runs.
Approve
Record an approval with the reviewer and date, marking the version as current for the activity.
Export
Roll approved records into a review-ready, Article 30-style export you can hand over or keep on file.
Owned records that don't quietly go stale
A record carries its own review state — owner, status, and the last and next review dates — so you always know whether it reflects how the activity actually runs today.
- Give every record an accountable owner who maintains it
- Track review state — draft, in review, or approved — on the record itself
- Keep last-reviewed and next-review dates so records don't quietly go stale
- Version each record so you can see what the activity looked like at approval
Customer support ticketing
Review-ready, Article 30-style exports
When someone asks for your records of processing activities, generate a review-ready export — with the activity, legal basis, data, retention, linked vendor evidence, and review date all in one packet.
- A review-ready, Article 30-style export for each processing activity
- Activity, purpose, legal basis, data categories, subjects, and retention in one place
- Linked vendor evidence travels with the record, so reviewers keep the full context
- Owner and review date attached, ready to hand to a reviewer or keep on file
- Activity & purpose
- Legal basis
- Data categories & subjects
- Retention period
- Linked vendor evidence
- Owner & review date
RoPA builder FAQ
Common questions about building and reviewing records of processing activities in DPAFlow.
What is a RoPA, or record of processing activity?
A record of processing activity (RoPA) documents a processing activity: its purpose, the legal basis you rely on, the categories of data and data subjects involved, retention, and the vendors that touch it. DPAFlow's RoPA builder helps you organize those records — it does not make legal determinations.
How do vendors and subprocessors link into a record?
Each processing activity can link to the vendors and subprocessors that touch it. Those links carry the vendor context — including monitoring health — so a record never loses sight of which vendors are behind the activity.
Does the RoPA builder give legal advice?
No. DPAFlow organizes processing activity records and supports your documentation workflow. You choose the legal basis and approve each record; humans on your team make the legal and compliance decisions.
Is this aligned with Article 30?
The fields and exports are structured around Article 30-style records of processing activities and Article 28 vendor documentation. Alignment supports your own documentation — it does not, on its own, make you compliant.
Can records be reviewed and owned?
Yes. Each record can be assigned an accountable owner and moved through draft, review, and approval, with last-reviewed and next-review dates kept on the record so it doesn't go stale.
What export formats are available?
Approved records can be generated into a review-ready, Article 30-style export — for example PDF or CSV — with linked vendor evidence, owner, and review date included.
Build records of processing activities that keep their vendor context
Draft, own, review, and export processing activity records that stay linked to the vendors you already monitor.
7-day trial · DPA available before purchase