Security and trust for privacy operations
DPAFlow is built for privacy and legal teams, so we are deliberate and honest about how it handles your data, what it automates, and — just as important — what it does not claim.
DPA available before purchase · No certification claims
DPAFlow surfaces dated evidence — your team makes and records every decision.
The data DPAFlow holds for you
DPAFlow's job is narrow and clear: monitor the sources you choose, capture dated evidence, and keep your review decisions with it.
Your evidence records
Dated captures with the source URL, timestamp, content hash, and the changed section — the core of what DPAFlow holds for you.
Your monitored sources
The list of vendor and subprocessor pages you choose to watch, and the schedule you set for re-checking them.
Your review decisions
Who reviewed each change and what they decided — recorded on the evidence record and kept with it.
Access stays with your team
You control who can see and act on your workspace — and DPAFlow never decides on your behalf.
Role-based access
Give each teammate only the access their role needs — privacy, legal, or vendor-risk — within your workspace.
Customer-controlled review
DPAFlow never approves or signs off on your behalf. Every decision is made and recorded by your team.
EU-first hosting
Your workspace data is hosted in the EU by default — built for European privacy teams from the start.
How evidence is captured and kept
Every detected change becomes a structured, dated record — your customer-controlled data, exportable whenever you need it.
- Evidence records are your customer-controlled data, exportable on demand
- Each record keeps its source URL, capture timestamp, and content hash
- A content hash provides an integrity check — it is not a tamper-proof guarantee
- Exports are self-contained, audit-ready packets you keep on file
We keep only what monitoring needs
DPAFlow watches the public pages you point it at and keeps the context a reviewer needs — nothing speculative.
Only what you point us at
DPAFlow monitors the public pages you choose to watch. It does not crawl your internal systems or roam beyond your sources.
Only what evidence needs
Records keep the source, capture, hash, and changed section — the context a reviewer needs, not more than that.
Yours to export and remove
Your evidence is yours. Export it as audit-ready packets, and it leaves with you when you no longer need DPAFlow.
Monitoring you stay in control of
Automation runs on your terms, source health is reported honestly, and your evidence exports cleanly.
Controlled automation
You decide what is monitored, how often each source is re-checked, and who reviews each detected change.
Honest source health
Every source carries a current state — verified, changed, under review, or unreachable. Gaps are surfaced, not hidden.
Audit-ready exports
Roll reviewed records up into a clean, dated evidence bundle whenever an auditor or customer asks.
What DPAFlow does not claim
Being trusted by teams who answer to auditors means being clear about the things we deliberately do not assert.
SOC 2 or ISO certification
We do not claim any certification. If we ever pursue one, we will say so plainly and specifically.
Guaranteed compliance
DPAFlow supports your compliance work. It does not guarantee compliance or make you compliant on its own.
Legal advice
DPAFlow organizes evidence and records your team's decisions. It is not a substitute for legal advice.
Tamper-proof or immutable evidence
Records carry a content hash as an integrity check. That is not the same as a tamper-proof or immutable claim.
Penetration tests or encryption specifics
We do not publish security claims we have not actually implemented and verified for your account.
Customer logos or endorsements
Names like Microsoft, Google, or AWS may appear only as example monitored sources — never as customers or partners.
DPAFlow supports your compliance work — it does not provide legal advice or guarantee compliance, and it is not a certification. Evidence records are designed to be clear and defensible, not a claim of tamper-proofing.
Security & trust FAQ
Straight answers about hosting, certification, evidence handling, and responsible disclosure.
Is DPAFlow SOC 2 or ISO certified?
We do not claim SOC 2 or ISO certification. We are deliberately honest about what we have implemented and verified, and we will state any certification plainly and specifically if and when we hold one.
Does DPAFlow guarantee compliance?
No. DPAFlow helps you monitor vendor changes, capture dated evidence, and document reviews. It supports your compliance work, but it does not guarantee compliance and is not legal advice.
Where is my data hosted?
Your workspace data is hosted in the EU by default. A Data Processing Agreement is available to review before purchase.
Are evidence records tamper-proof?
We do not claim that. Each record carries a content hash as an integrity check so you can detect whether captured content has been altered, but it remains your customer-controlled data.
Who can see and decide on our evidence?
Access is role-based within your workspace, and every review decision is made and recorded by your team. DPAFlow never approves or signs off on your behalf.
How should we report a security concern?
Reach out through our contact page and flag it as a security inquiry. We take responsible disclosure seriously and will route it to the right people.
Security you can read in plain language
Review our approach, read the DPA before you buy, and start monitoring with evidence your team controls.
DPA available before purchase · EU-first hosting