Skip to content
DPAFlow
01 /Security & trust

Security and trust for privacy operations

DPAFlow is built for privacy and legal teams, so we are deliberate and honest about how it handles your data, what it automates, and — just as important — what it does not claim.

eu-first hostingrole-based accesscustomer-controlleddpa available

DPA available before purchase · No certification claims

Workspace safeguardsHonest by design
Hosting
EU-first
Access
Role-based
Evidence
Customer-controlled
Automation
Customer-set schedule

DPAFlow surfaces dated evidence — your team makes and records every decision.

02 /What DPAFlow protects

The data DPAFlow holds for you

DPAFlow's job is narrow and clear: monitor the sources you choose, capture dated evidence, and keep your review decisions with it.

Your evidence records

Dated captures with the source URL, timestamp, content hash, and the changed section — the core of what DPAFlow holds for you.

Your monitored sources

The list of vendor and subprocessor pages you choose to watch, and the schedule you set for re-checking them.

Your review decisions

Who reviewed each change and what they decided — recorded on the evidence record and kept with it.

03 /Workspace access

Access stays with your team

You control who can see and act on your workspace — and DPAFlow never decides on your behalf.

Role-based access

Give each teammate only the access their role needs — privacy, legal, or vendor-risk — within your workspace.

Customer-controlled review

DPAFlow never approves or signs off on your behalf. Every decision is made and recorded by your team.

EU-first hosting

Your workspace data is hosted in the EU by default — built for European privacy teams from the start.

04 /Evidence handling

How evidence is captured and kept

Every detected change becomes a structured, dated record — your customer-controlled data, exportable whenever you need it.

  • Evidence records are your customer-controlled data, exportable on demand
  • Each record keeps its source URL, capture timestamp, and content hash
  • A content hash provides an integrity check — it is not a tamper-proof guarantee
  • Exports are self-contained, audit-ready packets you keep on file
Explore evidence records
Evidence recordChange detected

Subprocessor list updated

Source URL
trust.microsoft.com/subprocessors
Captured
May 12, 2025 · 14:23 UTC
Content hash
a7e4…c3b9
Reviewer
Routed · pending
Nuance Communications, Inc.
+Microsoft Azure OpenAI Service (East US 2)
ID EV-2F8D-D5B7Export packet
05 /Data minimization

We keep only what monitoring needs

DPAFlow watches the public pages you point it at and keeps the context a reviewer needs — nothing speculative.

Only what you point us at

DPAFlow monitors the public pages you choose to watch. It does not crawl your internal systems or roam beyond your sources.

Only what evidence needs

Records keep the source, capture, hash, and changed section — the context a reviewer needs, not more than that.

Yours to export and remove

Your evidence is yours. Export it as audit-ready packets, and it leaves with you when you no longer need DPAFlow.

06 /Operational safeguards

Monitoring you stay in control of

Automation runs on your terms, source health is reported honestly, and your evidence exports cleanly.

Controlled automation

You decide what is monitored, how often each source is re-checked, and who reviews each detected change.

Honest source health

Every source carries a current state — verified, changed, under review, or unreachable. Gaps are surfaced, not hidden.

Audit-ready exports

Roll reviewed records up into a clean, dated evidence bundle whenever an auditor or customer asks.

07 /Honest by design

What DPAFlow does not claim

Being trusted by teams who answer to auditors means being clear about the things we deliberately do not assert.

Not claimed

SOC 2 or ISO certification

We do not claim any certification. If we ever pursue one, we will say so plainly and specifically.

Not claimed

Guaranteed compliance

DPAFlow supports your compliance work. It does not guarantee compliance or make you compliant on its own.

Not claimed

Legal advice

DPAFlow organizes evidence and records your team's decisions. It is not a substitute for legal advice.

Not claimed

Tamper-proof or immutable evidence

Records carry a content hash as an integrity check. That is not the same as a tamper-proof or immutable claim.

Not claimed

Penetration tests or encryption specifics

We do not publish security claims we have not actually implemented and verified for your account.

Not claimed

Customer logos or endorsements

Names like Microsoft, Google, or AWS may appear only as example monitored sources — never as customers or partners.

DPAFlow supports your compliance work — it does not provide legal advice or guarantee compliance, and it is not a certification. Evidence records are designed to be clear and defensible, not a claim of tamper-proofing.

08 /FAQ

Security & trust FAQ

Straight answers about hosting, certification, evidence handling, and responsible disclosure.

Is DPAFlow SOC 2 or ISO certified?

We do not claim SOC 2 or ISO certification. We are deliberately honest about what we have implemented and verified, and we will state any certification plainly and specifically if and when we hold one.

Does DPAFlow guarantee compliance?

No. DPAFlow helps you monitor vendor changes, capture dated evidence, and document reviews. It supports your compliance work, but it does not guarantee compliance and is not legal advice.

Where is my data hosted?

Your workspace data is hosted in the EU by default. A Data Processing Agreement is available to review before purchase.

Are evidence records tamper-proof?

We do not claim that. Each record carries a content hash as an integrity check so you can detect whether captured content has been altered, but it remains your customer-controlled data.

Who can see and decide on our evidence?

Access is role-based within your workspace, and every review decision is made and recorded by your team. DPAFlow never approves or signs off on your behalf.

How should we report a security concern?

Reach out through our contact page and flag it as a security inquiry. We take responsible disclosure seriously and will route it to the right people.

Security you can read in plain language

Review our approach, read the DPA before you buy, and start monitoring with evidence your team controls.

DPA available before purchase · EU-first hosting