Skip to content
DPAFlow
01 /Roles & use cases

One vendor-change workflow for every review team

DPAFlow gives privacy, legal, vendor-risk, and compliance teams a single monitored source and a shared evidence record — each reviewed from the point of view that team needs.

Evidence recordChange detected

Subprocessor list updated

Source URL
trust.microsoft.com/subprocessors
Captured
May 12, 2025 · 14:23 UTC
Content hash
a7e4…c3b9
Reviewer
Routed · pending
Nuance Communications, Inc.
+Microsoft Azure OpenAI Service (East US 2)
ID EV-2F8D-D5B7Export packet
02 /By role

Built for the people who own vendor risk

One monitored source, four points of view. DPAFlow gives each team the evidence it needs, in the form it needs it.

Prove ongoing Article 28 oversight — with evidence, not memory

Monitor vendor and subprocessor changes as they happen, keep dated evidence, and walk into a review with a defensible trail instead of a folder of screenshots.

  • Dated evidence for every detected subprocessor change
  • New and removed subprocessors surfaced automatically
  • A reconstructable oversight trail ready for an auditor
03 /Cross-team workflow

From a source change to a recorded decision

One path connects every team — so a change is seen, reviewed, decided, and exportable, with the handoffs recorded.

Step 1

Source change

A monitored vendor or subprocessor page changes and DPAFlow detects it.

Step 2

Evidence record

A dated record is created with the source, timestamp, hash, and change context.

Step 3

Privacy review

The DPO / privacy team reviews the change and confirms what it means for oversight.

Step 4

Legal / vendor-risk decision

Legal or vendor risk decides whether terms, risk ratings, or contracts move.

Step 5

Export

The decision is recorded and the record is ready for an audit-ready export.

04 /Where each team plugs in

Clear ownership at every step

Each team owns a distinct part of the workflow, with the evidence record as the shared source of truth.

Privacy / DPO owns oversight

Maintains the monitored list and the evidence trail that proves changes were seen and handled.

Legal owns interpretation

Decides whether a captured change affects contracts, DPAs, or transfer mechanisms.

Vendor risk owns the portfolio

Tracks source health and change signals across suppliers and routes what matters.

Compliance ops keeps it moving

Runs the schedule, the review queue, and the exports as a repeatable process.

05 /Positioning

Focused by design — not a full GRC suite

DPAFlow is honest about its scope. It does one job well: vendor and subprocessor change monitoring with defensible evidence.

What DPAFlow does

Focused vendor and subprocessor change monitoring with dated evidence and review-ready records.

What it leaves out

It is not a full enterprise GRC platform — no sprawling control libraries or framework matrices you do not need.

Who it is for

Privacy, legal, and vendor-risk teams that need vendor-change oversight without buying a whole GRC suite.

06 /FAQ

Roles & use cases FAQ

Common questions about how different teams use DPAFlow.

Which team is DPAFlow for?

DPAFlow serves privacy / DPO, legal, vendor-risk / procurement, and compliance-operations roles. The same monitored source and evidence record can be reviewed from each point of view.

Do we need a full GRC platform to use this?

No. DPAFlow is deliberately focused on vendor and subprocessor change monitoring and evidence. It is for teams that need that oversight without adopting a full enterprise GRC suite.

How do teams hand off a change?

A change becomes an evidence record that can be routed between privacy, legal, and vendor risk. Each reviewer’s decision and notes are recorded on the record.

Does DPAFlow make legal or compliance decisions?

No. DPAFlow surfaces dated evidence and routes it. Interpretation and decisions stay with your legal and privacy teams — it does not provide legal advice or guarantee compliance.

Can it support Schrems II / transfer reviews?

Monitoring and evidence support those workflows, and the Transfer Impact Assessment expansion module documents transfers with SCCs and supplementary measures. See the product page for module details.

Give every review team the same source of truth

Monitor once, review from any angle, and keep the dated evidence each team needs.

7-day trial · DPA available before purchase