Skip to content
DPAFlow
01 /RoPA builder

Build processing activity records without losing vendor context

DPAFlow's RoPA builder keeps each processing activity — its purpose, legal basis, data categories, retention, and the vendors behind it — in one review-ready record, instead of a spreadsheet that drifts away from your monitoring.

purposelegal-basisretentionlinked-vendors

7-day trial · DPA available before purchase

Processing activityApproved

Customer support ticketing

Activity
Customer support ticketing
Purpose
Resolve customer support requests
Legal basis
Legitimate interest
Data subjects
Customers
Retention
24 months
Linked vendors
ZendeskAWSTwilio
REF RPA-0142Art. 30 record
02 /The record

What a processing activity record contains

Each record is built from the same defensible parts — so a reviewer can read it once and understand the whole activity.

Activity name & purpose

Name each processing activity and state why the data is processed — the question every record starts with.

Legal basis

Record the legal basis you have chosen for the activity. You select it; DPAFlow organizes it — it does not decide it for you.

Data categories

Capture the categories of personal data involved, and note whether any special-category data is in scope.

Data subjects

Identify whose data is processed — customers, employees, or other groups — so the scope of the activity is clear.

Retention

Document how long the data is kept and the retention logic behind it, kept on the record rather than in a side note.

Linked vendors / subprocessors

Attach the vendors and subprocessors that touch the activity, so the record never loses the vendor context behind it.

03 /Linked vendors

How vendors connect to RoPA records

The vendors and subprocessors DPAFlow already monitors link directly into each processing activity. When a linked vendor's source changes, the record keeps pointing at the right vendor — so vendor context is never lost between your monitoring and your records.

  • Link monitored vendors and subprocessors to the activities they touch
  • Carry each vendor's monitoring health onto the record
  • Keep the activity and its vendors in sync, not in separate tools
  • See at a glance which activities a changed vendor affects
See how monitoring works
Vendor link map3 linked
Activity
Customer support ticketing
Zendesk
Support platform
Verified
AWS
Hosting
Verified
Twilio
Notifications
Changed
Vendor context stays attached to the record
04 /Categories & basis

Data categories and the legal basis you choose

Capture the categories of personal data an activity processes, and record the legal basis you rely on. DPAFlow structures the record around Article 28 and Article 30 documentation — the legal basis is your choice, not an automated decision.

  • Select the data categories an activity processes, from contact and usage data to support content
  • Flag whether any special-category data is in scope, or record that none is
  • Choose the legal basis you rely on — the choice stays customer-controlled, never auto-decided
  • Keep wording aligned with Article 28 and Article 30 documentation, not legal advice
Privacy & DPO workflows
Data categories4 selected
  • Contact dataIncluded
  • Usage dataIncluded
  • Support contentIncluded
  • Billing dataIncluded
  • Special category dataNone
Legal basisLegitimate interest
05 /Ownership & review

From draft record to approved, exportable RoPA

Every record moves through the same repeatable path, so accountability and review dates stay on the record instead of in someone's memory.

Step 1

Draft record

Create the processing activity with its purpose, legal basis, data categories, subjects, and retention.

Step 2

Assign owner

Give the record an accountable owner, so it is clear who maintains it and answers questions about it.

Step 3

Review

Route the record for review. The owner and reviewers check the details against how the activity actually runs.

Step 4

Approve

Record an approval with the reviewer and date, marking the version as current for the activity.

Step 5

Export

Roll approved records into a review-ready, Article 30-style export you can hand over or keep on file.

06 /Review state

Owned records that don't quietly go stale

A record carries its own review state — owner, status, and the last and next review dates — so you always know whether it reflects how the activity actually runs today.

  • Give every record an accountable owner who maintains it
  • Track review state — draft, in review, or approved — on the record itself
  • Keep last-reviewed and next-review dates so records don't quietly go stale
  • Version each record so you can see what the activity looked like at approval
Transfer Impact Assessment module
Review statusIn review

Customer support ticketing

Owner
Assigned · Privacy team
Last reviewed
Mar 4, 2025
Next review
Sep 4, 2025
Version
v3 · current
REF RPA-0142Owner-controlled review
07 /Export

Review-ready, Article 30-style exports

When someone asks for your records of processing activities, generate a review-ready export — with the activity, legal basis, data, retention, linked vendor evidence, and review date all in one packet.

  • A review-ready, Article 30-style export for each processing activity
  • Activity, purpose, legal basis, data categories, subjects, and retention in one place
  • Linked vendor evidence travels with the record, so reviewers keep the full context
  • Owner and review date attached, ready to hand to a reviewer or keep on file
See plans & exports
RoPA exportPDF · CSV
  • Activity & purpose
  • Legal basis
  • Data categories & subjects
  • Retention period
  • Linked vendor evidence
  • Owner & review date
Generate RoPA export
08 /FAQ

RoPA builder FAQ

Common questions about building and reviewing records of processing activities in DPAFlow.

What is a RoPA, or record of processing activity?

A record of processing activity (RoPA) documents a processing activity: its purpose, the legal basis you rely on, the categories of data and data subjects involved, retention, and the vendors that touch it. DPAFlow's RoPA builder helps you organize those records — it does not make legal determinations.

How do vendors and subprocessors link into a record?

Each processing activity can link to the vendors and subprocessors that touch it. Those links carry the vendor context — including monitoring health — so a record never loses sight of which vendors are behind the activity.

Does the RoPA builder give legal advice?

No. DPAFlow organizes processing activity records and supports your documentation workflow. You choose the legal basis and approve each record; humans on your team make the legal and compliance decisions.

Is this aligned with Article 30?

The fields and exports are structured around Article 30-style records of processing activities and Article 28 vendor documentation. Alignment supports your own documentation — it does not, on its own, make you compliant.

Can records be reviewed and owned?

Yes. Each record can be assigned an accountable owner and moved through draft, review, and approval, with last-reviewed and next-review dates kept on the record so it doesn't go stale.

What export formats are available?

Approved records can be generated into a review-ready, Article 30-style export — for example PDF or CSV — with linked vendor evidence, owner, and review date included.

Build records of processing activities that keep their vendor context

Draft, own, review, and export processing activity records that stay linked to the vendors you already monitor.

7-day trial · DPA available before purchase