Skip to content
DPAFlow
01 /For privacy / DPO teams

Vendor-change visibility for DPOs and privacy teams

DPAFlow watches the subprocessor and DPA pages a DPO is responsible for, detects when they change, and captures dated evidence you can review and keep on file — supporting Article 28 aligned vendor oversight without manual screenshotting.

article-28-aligneddated-evidencesubprocessor-changes

7-day trial · DPA available before purchase

Evidence recordChange detected

Subprocessor list updated

Source URL
trust.microsoft.com/subprocessors
Captured
May 12, 2025 · 14:23 UTC
Content hash
a7e4…c3b9
Reviewer
Routed · pending
Nuance Communications, Inc.
+Microsoft Azure OpenAI Service (East US 2)
ID EV-2F8D-D5B7Export packet
02 /What privacy teams need to know

Four questions a DPO has to answer about every vendor change

When a subprocessor list moves, oversight comes down to four practical questions. DPAFlow is built to answer each one with a dated record instead of a recollection.

Which subprocessors changed

See exactly which vendors and subprocessors moved on the pages you monitor — new entries added, old ones removed — without re-reading every list by hand.

When the change happened

Each change carries a capture timestamp in UTC, so you can answer “when did this list change?” with a date — not a guess about the last time someone looked.

What exactly changed

The specific changed section is isolated with before / after context, so you review the real wording of the change instead of a vague “something updated” alert.

Can you prove you saw it

A dated record with source URL, timestamp, and content hash gives you a defensible trail you can show — instead of relying on memory or a screenshot in a folder.

03 /Article 28 oversight workflow

From a monitored source to an Article 28 aligned record

Every subprocessor change moves through the same repeatable, Article 28 aligned path — so oversight does not depend on someone remembering to re-check a page.

Step 1

Monitor sources

Point DPAFlow at the subprocessor, DPA, and trust-center pages you are responsible for, and let them be re-checked on a controlled schedule.

Step 2

Change detected

When a monitored page changes, the changed section is identified and compared against the previous capture — not just flagged as different.

Step 3

Dated evidence record

The change becomes a dated record with the source URL, capture timestamp, content hash, and before / after context attached.

Step 4

DPO review

The DPO or privacy reviewer reads the captured change and records a decision — approve, reject, or follow up — on the record itself.

Step 5

Audit-ready export

Reviewed records roll up into an audit-ready export packet you can keep on file as part of your Article 28 aligned oversight.

04 /Evidence review

Review the exact captured change — not a vague alert

A record arrives with the captured before / after of the subprocessor list, so a DPO reviews the real wording of the change and decides what it means for oversight.

  • Read the exact captured before / after of the subprocessor list
  • Confirm whether a new processor or sub-location was added
  • Spot a removed vendor that your records still describe as active
  • Record your decision and notes directly on the dated record
How monitoring works
Changed sectionMay 5 → May 12
Before · May 5
  • Amazon Web Services
  • Nuance Communications, Inc.
  • Twilio Inc.
After · May 12
  • + Microsoft Azure OpenAI Service
  • + Databricks, Inc.
  • Nuance Communications, Inc.
05 /Review-ready exports

Keep audit-ready documentation, ready on demand

When an auditor or your own leadership asks what changed and when, you export a complete, self-contained packet — instead of reconstructing the history from memory.

  • An audit-ready packet for the day someone asks what changed and when
  • Source URL, capture timestamp, and content hash bundled together
  • The before / after change context and your reviewer decision
  • A chain of events from first capture to final export, kept on file
Compare plans & exports
Audit-ready exportPDF · JSON
  • Source URL & capture timestamp
  • Content hash (integrity check)
  • Full-page snapshot & rendered text
  • Change summary (before / after)
  • Reviewer decision & notes
  • Chain of events
Generate evidence bundle
06 /Works with the rest of your privacy program

Connect oversight to the records you already keep

Vendor-change evidence does not sit alone. It feeds the records and transfer reviews a privacy team maintains across DPAFlow.

Module

RoPA builder

Maintain records of processing activity that link to the vendors and subprocessors you already monitor.

Module

Transfer Impact Assessment

Document EU → US and other transfers with SCCs and supplementary measures, tied to the same evidence model — Schrems II workflow support.

Use case

Legal handoff

Route a captured change to legal to decide whether contract or DPA terms must move — the decision is recorded on the record.

07 /FAQ

DPO & privacy team FAQ

Common questions about how DPAFlow supports DPO and privacy-team vendor oversight.

How does DPAFlow help a DPO?

It monitors the subprocessor, DPA, and trust-center pages you are responsible for, detects when they change, and captures a dated evidence record. That gives a DPO a defensible, dated oversight trail instead of relying on manual quarterly checks and screenshots.

Does this replace legal or DPA review?

No. DPAFlow helps you detect changes and collect dated evidence to support your own review. It does not provide legal advice, interpret your obligations, or guarantee compliance — interpretation and decisions stay with your privacy and legal teams.

How does this support Article 28 oversight?

Article 28 expects controllers to keep oversight of their processors and subprocessors. DPAFlow supports that with an Article 28 aligned workflow: dated evidence of each detected change, a recorded reviewer decision, and an export you can keep on file. The compliance judgment remains yours.

What evidence is captured for each change?

Each record includes the source URL, a capture timestamp in UTC, a content hash as an integrity check, and the before / after of the section that changed — plus the reviewer’s recorded decision and notes.

How do exports work?

Reviewed records roll up into a self-contained, audit-ready export packet — source, capture, hash, change context, reviewer decision, and the chain of events — that you can hand over or keep on file. See the evidence page for what each record contains.

Can legal review the same change?

Yes. The same dated record can be routed to a legal reviewer to decide whether contract, DPA, or transfer terms need to move. See the legal use case for how that handoff works.

Give your vendor oversight a dated, defensible trail

Monitor the subprocessor pages you are responsible for and keep review-ready evidence for the day someone asks what changed.

7-day trial · DPA available before purchase