DPAFlow
01 /For vendor risk / procurement

Vendor risk monitoring without spreadsheet drift

DPAFlow tracks the source health of the vendors that matter, flags policy and subprocessor changes, and routes each one to an owner — so your portfolio stays current without a shared sheet going stale.

source-health · policy-changes · review-queue

7-day trial · DPA available before purchase

Source health · 6 sources
  • Northwind Cloud: Verified (checked Jun 21, 2025)
  • Cobalt Analytics: Changed (checked Jun 20, 2025)
  • Meridian Pay: Under review (checked Jun 20, 2025)
  • Larksong CRM: Verified (checked Jun 19, 2025)
  • Atlas Messaging: Unreachable (checked Jun 18, 2025)
  • Verdant Hosting: Verified (checked Jun 18, 2025)
Queue: 2 changes awaiting review · Last sweep 06:00 UTC
02 /Vendor source health

Honest source health across your portfolio

Instead of a list that silently goes stale, every monitored vendor carries a clear, current status — verified, changed, under review, or unreachable — so you know exactly what to trust and what to look at.

  • One monitored list of the vendors that actually matter to you
  • A verified, changed, under-review, or unreachable status per source
  • Unreachable sources surfaced as a gap, never assumed healthy
  • A review queue that shows how many changes are waiting on a decision
03 /Source health states

Every vendor source carries a current state

DPAFlow never pretends a source is fine when it is not. Each state maps to a clear action for your team.

Healthy

Verified

The source was reached and its content matches the last capture. Nothing to review on this vendor.

Change

Changed

A difference was detected since the last check. A dated evidence record is created for review.

Pending

Under review

A flagged change has been routed and is waiting on an owner to approve, reject, or follow up.

Gap

Unreachable

The page could not be reached. The gap is surfaced honestly instead of being silently skipped.

04 /Risk signals

The change signals a procurement team actually watches

Not every page edit matters, but four signals reliably do. DPAFlow isolates them and turns each into a dated record — using amber for change and pending, emerald for healthy, and red only for a removed or unavailable source.

  • New subprocessor added to a published vendor list
  • Removed processor that disappears from the list
  • Policy or DPA wording change on a trust page
  • A monitored source that becomes unreachable
Risk signals · 3 flagged
  • New subprocessor · Cobalt Analytics

    Added Larksite Data Services to the published subprocessor list.

  • Removed processor · Meridian Pay

    Dropped a sub-processor line item present in the prior capture.

  • Policy / DPA change · Northwind Cloud

    Edited the data-processing addendum wording on the trust page.

Routing: flagged signals route to the assigned owner
05 /What you watch

Risk signals, isolated and dated

Each signal below becomes an evidence record with its source URL, timestamp, and the exact section that changed — ready to route to an owner.

New subprocessor

A vendor adds a downstream processor to its published list — a fourth party you did not have on file.

Removed processor

A previously listed sub-processor disappears, so your records may describe a relationship that no longer exists.

Policy / DPA change

The wording of a trust page, subprocessor list, or DPA shifts and may affect your contracted terms.

Source unreachable

A monitored page stops responding, which is itself a signal worth a look rather than an assumed all-clear.

06 /Review queue handoff

From a flagged change to a recorded decision

A flagged signal does not sit in a feed. It moves through one repeatable path to the right owner — so a change is seen, reviewed, and decided, with the handoff recorded.

Step 1

Signal detected

A monitored vendor source changes and DPAFlow isolates the changed section against the last capture.

Step 2

Evidence record

A dated record is created with the source URL, capture timestamp, content hash, and before / after context.

Step 3

Routed to owner

The flagged change is routed to the assigned reviewer or vendor owner, with context attached.

Step 4

Decision recorded

The owner approves, rejects, or requests follow-up, and the decision is recorded on the record itself.

07 /Evidence status by vendor

Dated evidence for every vendor, ready to export

Each vendor carries its own dated evidence — not a screenshot in a folder. When procurement, an owner, or an auditor asks what changed and when, you export a complete, self-contained packet per vendor.

  • A dated evidence record per vendor, tied to its source URL and capture date
  • Source URL, timestamp, and content hash on every captured change
  • Before / after context, so the change is legible — not a bare screenshot
  • Reviewer decision and notes recorded directly on the vendor's record
  • Audit-ready export packets you can hand to an auditor or keep on file
Evidence record · Change detected

Subprocessor list updated

Source URL: trust.microsoft.com/subprocessors
Captured: May 12, 2025 · 14:23 UTC
Content hash: a7e4…c3b9
Reviewer: Routed · pending
Nuance Communications, Inc.
+Microsoft Azure OpenAI Service (East US 2)
ID EV-2F8D-D5B7
08 /Audit & export

Audit-ready export packets on demand

When the question is “what did this vendor change, and when did we see it?”, the answer is a packet — source, capture, hash, change context, reviewer decision, and chain of events — assembled per vendor.

  • A self-contained, audit-ready bundle for any monitored vendor
  • The full chain of events from first capture to final decision
  • Reviewer notes and the recorded decision attached to the record
  • Kept on file for the day someone asks what changed
Audit-ready export (PDF · JSON)
  • Source URL & capture timestamp
  • Content hash (integrity check)
  • Full-page snapshot & rendered text
  • Change summary (before / after)
  • Reviewer decision & notes
  • Chain of events
09 /Focused by design

Monitoring, not a whole GRC suite

DPAFlow is honest about its scope. It does one job for vendor-risk and procurement teams, and links cleanly to the rest of your privacy workflow — without the sprawling control libraries you do not need.

  • Vendor risk owns the portfolio: one monitored list and the changes that matter
  • Compliance ops keeps it moving: the schedule, queue, and exports as a process
  • A shared evidence model that also serves privacy and legal review
10 /FAQ

Vendor risk monitoring FAQ

Common questions about source health, risk signals, review routing, and exports.

How is a vendor's “source health” determined?

Each monitored source carries an honest, current status. After a scheduled check it is verified (reached and unchanged), changed (a difference was detected), under review (a change is routed and awaiting a decision), or unreachable (the page could not be reached). The status is surfaced as-is rather than assumed healthy.

Which risk signals does DPAFlow watch for?

DPAFlow flags new subprocessors added to a published list, removed processors that disappear from the list, policy or DPA wording changes on trust pages, and sources that become unreachable. Each flagged signal becomes a dated evidence record for review.

Does DPAFlow replace a full GRC suite?

No. DPAFlow is focused vendor and subprocessor change monitoring with dated evidence and review queues. It is for vendor-risk and procurement teams that need that oversight without adopting a full enterprise GRC platform.

How does a flagged change reach a reviewer?

A detected change is captured as an evidence record and routed to the assigned owner or reviewer with the changed section attached. The owner approves, rejects, or requests follow-up, and that decision is recorded on the record. Routing is described on the roles page.

Can I export the evidence per vendor?

Yes. Each reviewed record rolls up into an audit-ready export packet containing the source URL, capture timestamp, content hash, change context, reviewer decision, and chain of events — so you can hand it to an auditor or keep it on file.

Does DPAFlow make vendor-risk decisions for us?

No. DPAFlow surfaces dated evidence and routes flagged changes; your team interprets them and decides. It does not provide legal advice or guarantee compliance — decisions stay customer-controlled.

Track your vendor portfolio without the spreadsheet drift

Point DPAFlow at the vendors that matter, watch their source health, and route every flagged change to an owner with dated evidence behind it.
