Vendor and subprocessor monitoring built for privacy teams
DPAFlow watches the vendor and subprocessor pages that matter, detects when they change, and captures dated evidence your privacy, legal, and vendor-risk teams can actually review.
7-day trial · No credit card required
- source: atlasmail.example/legal/subprocessors
- captured: 2026-03-14 09:42 UTC
- content hash: 3f9a8c2e…c21b
Why vendor monitoring breaks when it is done manually
Most teams track subprocessors in a spreadsheet and check pages by hand. It breaks in predictable ways.
Spreadsheet drift
A vendor list in a shared sheet is out of date the moment a subprocessor page changes — and no one is told.
Missed page changes
Subprocessor and DPA pages change quietly. Manual quarterly checks miss the change and the date it happened.
Stale subprocessors
Removed or added processors go unnoticed, so your records describe a vendor relationship that no longer exists.
Unclear evidence
A screenshot in a folder is not defensible. There is no source URL, no timestamp, and no content hash to rely on.
How DPAFlow monitors your sources
Monitoring is only credible if the sources are clear and their health is honest. DPAFlow makes both explicit.
Source discovery & URL
Point DPAFlow at the exact subprocessor, DPA, or trust-center URL you need to watch — the canonical source of truth.
Scheduled checks
Sources are re-checked on a controlled schedule, so you are not relying on someone remembering to look.
Source health
Each source carries an honest status — verified, changed, stale, or unreachable — so you know what to trust.
Change detection
When the page content changes, DPAFlow detects it and isolates the changed section, not just “something changed.”
Evidence capture
Every detected change is captured as a dated record with the source URL, timestamp, and a content hash.
Alerts & routing
Captured changes are routed to the right reviewer and the right people are alerted, so review starts without anyone refreshing a page.
From a source change to an audit-ready record
Every change moves through the same repeatable path — so nothing depends on someone remembering to look.
Source snapshot
A baseline snapshot of the monitored page is captured with its rendered text and metadata.
Detected change
On the next check, the changed section is identified and compared against the previous capture.
Evidence record
A dated record is created with source URL, timestamp, content hash, and before / after context.
Review queue
The record is routed to the right reviewer — privacy, legal, or vendor risk — with context attached.
Export packet
Approved records roll up into an audit-ready export you can hand to an auditor or keep on file.
What every evidence record contains
Each detected change becomes a structured, dated record — not a screenshot in a folder.
- Source URL — the exact page that was monitored
- Capture timestamp — when the evidence was taken (UTC)
- Content hash — an integrity check for the captured content
- Before / after context — the specific section that changed
- Reviewer status — who reviewed it and what they decided
- Export metadata — everything needed for an audit-ready packet
Honest source health and confidence
DPAFlow never pretends a source is fine when it is not. Every source carries a clear, current state.
Reachable & unchanged
The source was checked successfully and matches the last capture. Nothing to review.
Content changed
A difference was detected since the last check. A dated evidence record is created for review.
Awaiting a decision
A change has been routed and is waiting on a reviewer to approve, reject, or request follow-up.
Source unavailable
The page could not be reached. The gap is surfaced honestly rather than silently skipped.
Route the change, record the decision, export the proof
A detected change does not just sit in a feed. It is routed to the right reviewer, the decision is recorded, and the whole record rolls up into an audit-ready export.
- Route each change to privacy, legal, or vendor risk
- Record the reviewer’s decision on the record itself
- Export a self-contained, audit-ready evidence bundle
- Keep it on file for the day an auditor asks what changed

- Source URL & capture timestamp
- Content hash (integrity check)
- Full-page snapshot & rendered text
- Change summary (before / after)
- Reviewer decision & notes
- Chain of events
One monitored source, four review teams
The same evidence record serves every reviewer — in the form each team needs it.
Privacy / DPO
Maintain a defensible, dated oversight trail for every subprocessor change — without manual screenshotting.
Legal
Review the exact captured wording of a change and decide whether contract or DPA terms need to move.
Vendor risk
Watch source health and change signals across the vendors that actually matter to your portfolio.
Compliance operator
Run monitoring as a repeatable process — set sources and reviewers once, keep the evidence flowing.
Adjacent privacy work, on the same evidence model
DPAFlow stays focused on monitoring. When you are ready, these expansion modules build on the same dated-evidence foundation — they are not a full enterprise GRC suite.
Transfer Impact Assessment
Document EU → US and other transfers with SCCs and supplementary measures, tied to the same evidence model.
RoPA builder
Maintain records of processing activity that link to the vendors and subprocessors you already monitor.
External-processor & ESG evidence
Collect dated supplier disclosure and external-processor evidence alongside your monitoring records.
Vendor monitoring FAQ
Common questions about how DPAFlow monitors sources and captures evidence.
What exactly does DPAFlow monitor?
DPAFlow monitors the public pages you point it at — typically vendor subprocessor lists, DPA pages, and trust centers — on a controlled schedule, and detects when their content changes.
How is a change turned into evidence?
When a change is detected, DPAFlow captures a dated record containing the source URL, a capture timestamp, a content hash, and the before / after context, then routes it to a reviewer.
Does this replace my DPA or legal review?
No. DPAFlow helps you detect changes and collect dated evidence to support your own review. Decisions stay customer-controlled — it does not provide legal advice or guarantee compliance.
What is the content hash for?
The content hash is an integrity check: it lets you confirm that the captured content has not been altered since it was recorded.
Can different teams review the same change?
Yes. A single monitored source can be reviewed from a privacy, legal, or vendor-risk point of view, with the decision recorded on the evidence record.
Start monitoring your first vendor in minutes
Point DPAFlow at a subprocessor page and keep the dated evidence for the day someone asks what changed.
7-day trial · DPA available before purchase