One vendor-change workflow for every review team
DPAFlow gives privacy, legal, vendor-risk, and compliance teams a single monitored source and a shared evidence record — each reviewed from the point of view that team needs.
Subprocessor list updated
Built for the people who own vendor risk
One monitored source, four points of view. DPAFlow gives each team the evidence it needs, in the form it needs it.
Prove ongoing Article 28 oversight — with evidence, not memory
Monitor vendor and subprocessor changes as they happen, keep dated evidence, and walk into a review with a defensible trail instead of a folder of screenshots.
- Dated evidence for every detected subprocessor change
- New and removed subprocessors surfaced automatically
- A reconstructable oversight trail ready for an auditor
From a source change to a recorded decision
One path connects every team — so a change is seen, reviewed, decided, and exportable, with the handoffs recorded.
Source change
A monitored vendor or subprocessor page changes and DPAFlow detects it.
Evidence record
A dated record is created with the source, timestamp, hash, and change context.
Privacy review
The DPO / privacy team reviews the change and confirms what it means for oversight.
Legal / vendor-risk decision
Legal or vendor risk decides whether terms, risk ratings, or contracts move.
Export
The decision is recorded and the record is ready for an audit-ready export.
Clear ownership at every step
Each team owns a distinct part of the workflow, with the evidence record as the shared source of truth.
Privacy / DPO owns oversight
Maintains the monitored list and the evidence trail that proves changes were seen and handled.
Legal owns interpretation
Decides whether a captured change affects contracts, DPAs, or transfer mechanisms.
Vendor risk owns the portfolio
Tracks source health and change signals across suppliers and routes what matters.
Compliance ops keeps it moving
Runs the schedule, the review queue, and the exports as a repeatable process.
Focused by design — not a full GRC suite
DPAFlow is honest about its scope. It does one job well: vendor and subprocessor change monitoring with defensible evidence.
What DPAFlow does
Focused vendor and subprocessor change monitoring with dated evidence and review-ready records.
What it leaves out
It is not a full enterprise GRC platform — no sprawling control libraries or framework matrices you do not need.
Who it is for
Privacy, legal, and vendor-risk teams that need vendor-change oversight without buying a whole GRC suite.
Roles & use cases FAQ
Common questions about how different teams use DPAFlow.
Which team is DPAFlow for?
DPAFlow serves privacy / DPO, legal, vendor-risk / procurement, and compliance-operations roles. The same monitored source and evidence record can be reviewed from each point of view.
Do we need a full GRC platform to use this?
No. DPAFlow is deliberately focused on vendor and subprocessor change monitoring and evidence. It is for teams that need that oversight without adopting a full enterprise GRC suite.
How do teams hand off a change?
A change becomes an evidence record that can be routed between privacy, legal, and vendor risk. Each reviewer’s decision and notes are recorded on the record.
Does DPAFlow make legal or compliance decisions?
No. DPAFlow surfaces dated evidence and routes it. Interpretation and decisions stay with your legal and privacy teams — it does not provide legal advice or guarantee compliance.
Can it support Schrems II / transfer reviews?
Monitoring and evidence support those workflows, and the Transfer Impact Assessment expansion module documents transfers with SCCs and supplementary measures. See the product page for module details.
Give every review team the same source of truth
Monitor once, review from any angle, and keep the dated evidence each team needs.
7-day trial · DPA available before purchase