Vendor risk monitoring without spreadsheet drift
DPAFlow tracks the source health of the vendors that matter, flags policy and subprocessor changes, and routes each one to an owner — so your portfolio stays current without a shared sheet going stale.
7-day trial · DPA available before purchase
Honest source health across your portfolio
Instead of a list that silently goes stale, every monitored vendor carries a clear, current status — verified, changed, under review, or unreachable — so you know exactly what to trust and what to look at.
- One monitored list of the vendors that actually matter to you
- A verified, changed, under-review, or unreachable status per source
- Unreachable sources surfaced as a gap, never assumed healthy
- A review queue that shows how many changes are waiting on a decision
Every vendor source carries a current state
DPAFlow never pretends a source is fine when it is not. Each state maps to a clear action for your team.
Verified
The source was reached and its content matches the last capture. Nothing to review on this vendor.
Changed
A difference was detected since the last check. A dated evidence record is created for review.
Under review
A flagged change has been routed and is waiting on an owner to approve, reject, or follow up.
Unreachable
The page could not be reached. The gap is surfaced honestly instead of being silently skipped.
The change signals a procurement team actually watches
Not every page edit matters, but four signals reliably do. DPAFlow isolates them and turns each into a dated record — using amber for change and pending, emerald for healthy, and red only for a removed or unavailable source.
- New subprocessor added to a published vendor list
- Removed processor that disappears from the list
- Policy or DPA wording change on a trust page
- A monitored source that becomes unreachable
- New subprocessorCobalt Analytics
Added Larksite Data Services to the published subprocessor list.
- Removed processorMeridian Pay
Dropped a sub-processor line item present in the prior capture.
- Policy / DPA changeNorthwind Cloud
Edited the data-processing addendum wording on the trust page.
Risk signals, isolated and dated
Each signal below becomes an evidence record with its source URL, timestamp, and the exact section that changed — ready to route to an owner.
New subprocessor
A vendor adds a downstream processor to its published list — a fourth party you did not have on file.
Removed processor
A previously listed sub-processor disappears, so your records may describe a relationship that no longer exists.
Policy / DPA change
The wording of a trust page, subprocessor list, or DPA shifts and may affect your contracted terms.
Source unreachable
A monitored page stops responding, which is itself a signal worth a look rather than an assumed all-clear.
From a flagged change to a recorded decision
A flagged signal does not sit in a feed. It moves through one repeatable path to the right owner — so a change is seen, reviewed, and decided, with the handoff recorded.
Signal detected
A monitored vendor source changes and DPAFlow isolates the changed section against the last capture.
Evidence record
A dated record is created with the source URL, capture timestamp, content hash, and before / after context.
Routed to owner
The flagged change is routed to the assigned reviewer or vendor owner, with context attached.
Decision recorded
The owner approves, rejects, or requests follow-up, and the decision is recorded on the record itself.
Dated evidence for every vendor, ready to export
Each vendor carries its own dated evidence — not a screenshot in a folder. When procurement, an owner, or an auditor asks what changed and when, you export a complete, self-contained packet per vendor.
- A dated evidence record per vendor, tied to its source URL and capture date
- Source URL, timestamp, and content hash on every captured change
- Before / after context, so the change is legible — not a bare screenshot
- Reviewer decision and notes recorded directly on the vendor's record
- Audit-ready export packets you can hand to an auditor or keep on file
Subprocessor list updated
Audit-ready export packets on demand
When the question is “what did this vendor change, and when did we see it?”, the answer is a packet — source, capture, hash, change context, reviewer decision, and chain of events — assembled per vendor.
- A self-contained, audit-ready bundle for any monitored vendor
- The full chain of events from first capture to final decision
- Reviewer notes and the recorded decision attached to the record
- Kept on file for the day someone asks what changed
- Source URL & capture timestamp
- Content hash (integrity check)
- Full-page snapshot & rendered text
- Change summary (before / after)
- Reviewer decision & notes
- Chain of events
Monitoring, not a whole GRC suite
DPAFlow is honest about its scope. It does one job for vendor-risk and procurement teams, and links cleanly to the rest of your privacy workflow — without the sprawling control libraries you do not need.
- Vendor risk owns the portfolio: one monitored list and the changes that matter
- Compliance ops keeps it moving: the schedule, queue, and exports as a process
- A shared evidence model that also serves privacy and legal review
- New subprocessorCobalt Analytics
Added Larksite Data Services to the published subprocessor list.
- Removed processorMeridian Pay
Dropped a sub-processor line item present in the prior capture.
- Policy / DPA changeNorthwind Cloud
Edited the data-processing addendum wording on the trust page.
Vendor risk monitoring FAQ
Common questions about source health, risk signals, review routing, and exports.
How is a vendor's “source health” determined?
Each monitored source carries an honest, current status. After a scheduled check it is verified (reached and unchanged), changed (a difference was detected), under review (a change is routed and awaiting a decision), or unreachable (the page could not be reached). The status is surfaced as-is rather than assumed healthy.
Which risk signals does DPAFlow watch for?
DPAFlow flags new subprocessors added to a published list, removed processors that disappear from the list, policy or DPA wording changes on trust pages, and sources that become unreachable. Each flagged signal becomes a dated evidence record for review.
Does DPAFlow replace a full GRC suite?
No. DPAFlow is focused vendor and subprocessor change monitoring with dated evidence and review queues. It is for vendor-risk and procurement teams that need that oversight without adopting a full enterprise GRC platform.
How does a flagged change reach a reviewer?
A detected change is captured as an evidence record and routed to the assigned owner or reviewer with the changed section attached. The owner approves, rejects, or requests follow-up, and that decision is recorded on the record. Routing is described on the roles page.
Can I export the evidence per vendor?
Yes. Each reviewed record rolls up into an audit-ready export packet containing the source URL, capture timestamp, content hash, change context, reviewer decision, and chain of events — so you can hand it to an auditor or keep it on file.
Does DPAFlow make vendor-risk decisions for us?
No. DPAFlow surfaces dated evidence and routes flagged changes; your team interprets them and decides. It does not provide legal advice or guarantee compliance — decisions stay customer-controlled.
Track your vendor portfolio without the spreadsheet drift
Point DPAFlow at the vendors that matter, watch their source health, and route every flagged change to an owner with dated evidence behind it.
7-day trial · DPA available before purchase