Skip to content
DPAFlow
01 /Vendor & subprocessor monitoring

Vendor and subprocessor monitoring built for privacy teams

DPAFlow watches the vendor and subprocessor pages that matter, detects when they change, and captures dated evidence your privacy, legal, and vendor-risk teams can actually review.

source-urltimestampcontent-hashreview-trail

7-day trial · No credit card required

02 /The problem

Why vendor monitoring breaks when it is done manually

Most teams track subprocessors in a spreadsheet and check pages by hand. It breaks in predictable ways.

Spreadsheet drift

A vendor list in a shared sheet is out of date the moment a subprocessor page changes — and no one is told.

Missed page changes

Subprocessor and DPA pages change quietly. Manual quarterly checks miss the change and the date it happened.

Stale subprocessors

Removed or added processors go unnoticed, so your records describe a vendor relationship that no longer exists.

Unclear evidence

A screenshot in a folder is not defensible. There is no source URL, no timestamp, and no content hash to rely on.

03 /How it works

How DPAFlow monitors your sources

Monitoring is only credible if the sources are clear and their health is honest. DPAFlow makes both explicit.

Source discovery & URL

Point DPAFlow at the exact subprocessor, DPA, or trust-center URL you need to watch — the canonical source of truth.

Scheduled checks

Sources are re-checked on a controlled schedule, so you are not relying on someone remembering to look.

Source health

Each source carries an honest status — verified, changed, stale, or unreachable — so you know what to trust.

Change detection

When the page content changes, DPAFlow detects it and isolates the changed section, not just “something changed.”

Evidence capture

Every detected change is captured as a dated record with the source URL, timestamp, and a content hash.

Alerts & routing

Captured changes are routed to the right reviewer and the right people are alerted, so review starts without anyone refreshing a page.

04 /Change detection workflow

From a source change to an audit-ready record

Every change moves through the same repeatable path — so nothing depends on someone remembering to look.

Step 1

Source snapshot

A baseline snapshot of the monitored page is captured with its rendered text and metadata.

Step 2

Detected change

On the next check, the changed section is identified and compared against the previous capture.

Step 3

Evidence record

A dated record is created with source URL, timestamp, content hash, and before / after context.

Step 4

Review queue

The record is routed to the right reviewer — privacy, legal, or vendor risk — with context attached.

Step 5

Export packet

Approved records roll up into an audit-ready export you can hand to an auditor or keep on file.

05 /The record

What every evidence record contains

Each detected change becomes a structured, dated record — not a screenshot in a folder.

  • Source URL — the exact page that was monitored
  • Capture timestamp — when the evidence was taken (UTC)
  • Content hash — an integrity check for the captured content
  • Before / after context — the specific section that changed
  • Reviewer status — who reviewed it and what they decided
  • Export metadata — everything needed for an audit-ready packet
Explore evidence records
Evidence recordChange detected

Subprocessor list updated

Source URL
trust.microsoft.com/subprocessors
Captured
May 12, 2025 · 14:23 UTC
Content hash
a7e4…c3b9
Reviewer
Routed · pending
Nuance Communications, Inc.
+Microsoft Azure OpenAI Service (East US 2)
ID EV-2F8D-D5B7Export packet
06 /Source health

Honest source health and confidence

DPAFlow never pretends a source is fine when it is not. Every source carries a clear, current state.

Verified

Reachable & unchanged

The source was checked successfully and matches the last capture. Nothing to review.

Changed

Content changed

A difference was detected since the last check. A dated evidence record is created for review.

Under review

Awaiting a decision

A change has been routed and is waiting on a reviewer to approve, reject, or request follow-up.

Unreachable

Source unavailable

The page could not be reached. The gap is surfaced honestly rather than silently skipped.

07 /Review & export

Route the change, record the decision, export the proof

A detected change does not just sit in a feed. It is routed to the right reviewer, the decision is recorded, and the whole record rolls up into an audit-ready export.

  • Route each change to privacy, legal, or vendor risk
  • Record the reviewer’s decision on the record itself
  • Export a self-contained, audit-ready evidence bundle
  • Keep it on file for the day an auditor asks what changed
See evidence & exports
Audit-ready exportPDF · JSON
  • Source URL & capture timestamp
  • Content hash (integrity check)
  • Full-page snapshot & rendered text
  • Change summary (before / after)
  • Reviewer decision & notes
  • Chain of events
Generate evidence bundle
08 /Team workflow

One monitored source, four review teams

The same evidence record serves every reviewer — in the form each team needs it.

Privacy / DPO

Maintain a defensible, dated oversight trail for every subprocessor change — without manual screenshotting.

Legal

Review the exact captured wording of a change and decide whether contract or DPA terms need to move.

Vendor risk

Watch source health and change signals across the vendors that actually matter to your portfolio.

Compliance operator

Run monitoring as a repeatable process — set sources and reviewers once, keep the evidence flowing.

09 /Expansion modules

Adjacent privacy work, on the same evidence model

DPAFlow stays focused on monitoring. When you are ready, these expansion modules build on the same dated-evidence foundation — they are not a full enterprise GRC suite.

Expansion

Transfer Impact Assessment

Document EU → US and other transfers with SCCs and supplementary measures, tied to the same evidence model.

Expansion

RoPA builder

Maintain records of processing activity that link to the vendors and subprocessors you already monitor.

Expansion

External-processor & ESG evidence

Collect dated supplier disclosure and external-processor evidence alongside your monitoring records.

10 /FAQ

Vendor monitoring FAQ

Common questions about how DPAFlow monitors sources and captures evidence.

What exactly does DPAFlow monitor?

DPAFlow monitors the public pages you point it at — typically vendor subprocessor lists, DPA pages, and trust centers — on a controlled schedule, and detects when their content changes.

How is a change turned into evidence?

When a change is detected, DPAFlow captures a dated record containing the source URL, a capture timestamp, a content hash, and the before / after context, then routes it to a reviewer.

Does this replace my DPA or legal review?

No. DPAFlow helps you detect changes and collect dated evidence to support your own review. Decisions stay customer-controlled — it does not provide legal advice or guarantee compliance.

What is the content hash for?

The content hash is an integrity check: it lets you confirm that the captured content has not been altered since it was recorded.

Can different teams review the same change?

Yes. A single monitored source can be reviewed from a privacy, legal, or vendor-risk point of view, with the decision recorded on the evidence record.

Start monitoring your first vendor in minutes

Point DPAFlow at a subprocessor page and keep the dated evidence for the day someone asks what changed.

7-day trial · DPA available before purchase