DPA & Subprocessor Tracker: Stop Guessing Which Vendors Are Actually Contracted
Turn a scattered pile of vendor contracts into a live DPA register — who processes personal data for you, whether a signed DPA exists, the transfer mechanism and security terms, the disclosed subprocessors, and what's expiring — with your privacy owner approving each vendor before it's marked compliant.
A web tool where you import your data processors, record each vendor's DPA status, transfer mechanism, security commitments, and disclosed subprocessors, store the signed DPA files, have your privacy/legal owner review and approve before a vendor is marked privacy-compliant, get Resend reminders for missing or expiring DPAs and new subprocessors, and export a clean DPA register and subprocessor register.
Before you start
- A Supabase account (free)
- A Vercel account (free)
- A Resend account (free)
- A list of vendors that process personal data (CSV or Google Sheet)
- Your signed DPA files (PDFs) and key terms
- Claude Code or any AI coding agent
The problem this kills
Ask your privacy or legal-ops team a simple question — "which of our vendors that touch personal data actually have a signed DPA, and on what terms?" — and you'll usually get a long pause, a dig through a shared drive, and a half-finished spreadsheet someone started two reorgs ago. The Data Processing Agreement (the contract that says a vendor processes personal data only on your instructions) is either signed, expired, never executed, or buried in an email thread, and nobody is quite sure which.
Meanwhile the risk is real and growing: a processor with no DPA at all, a transfer mechanism that's gone stale (think old Privacy Shield language that should be Standard Contractual Clauses by now), a vendor that quietly added a new subprocessor you were supposed to be notified about, or a DPA that lapsed and nobody flagged it. When a regulator, a customer's security questionnaire, or a data subject access request lands, "we think it's fine" is not an answer. You don't need to be a developer to turn this into a register you can trust.
What you'll build
A simple internal web tool. You import your list of data processors (the vendors that handle personal data on your behalf) from a CSV or Google Sheet. For each one you record the DPA status (signed, pending, expired, none), the key terms — which subprocessors are allowed, the transfer mechanism (e.g. Standard Contractual Clauses, UK Addendum, adequacy decision), the security commitments — and the expiry / review date. You upload the signed DPA file itself to secure storage. You track each vendor's disclosed subprocessor list, and the tool flags processors with no DPA or an outdated transfer mechanism and alerts you when a new subprocessor appears that may need notice. Your privacy/legal owner reviews each vendor and clicks Approve before it's marked privacy-compliant. Resend sends reminders for missing and expiring DPAs. At the end you export a clean DPA register and subprocessor register as CSVs.
What's inside the Implementation Plan
The downloadable plan is a step-by-step file you paste into an AI coding agent. It opens by interviewing you about your business — how you track processors today, where your vendor list and contracts live, the exact fields and naming you use, which transfer mechanisms and DPA versions you deal with, your typical and peak vendor counts, your review-and-notice rules, and your messy edge cases — and then it tailors the data model, the flags, and every later step to your answers. This is not a generic template; the agent reflects a short spec back to you and waits for your thumbs-up before it builds anything. From there it walks the agent through importing your processors, recording DPA status and terms, tracking subprocessors, the owner review-and-approve screen, the expiry/missing-DPA reminders, and the register exports — each step with a ready-to-copy prompt. There's also a fallback so you can build the whole thing today even with no API to your contract or vendor system.
The governance it includes (this is the point)
This is privacy tooling, so it ships with the controls a legal/privacy team needs: login so only your team can use it, row-level security so you only ever see your own organization's vendors and contracts, a complete audit trail of who recorded, reviewed, and approved which DPA status and when, a hard human-approval gate so no vendor is marked privacy-compliant until your privacy/legal owner signs off, and duplicate guards keyed on vendor plus DPA version so the same agreement can't be recorded twice. Processors with no DPA or an outdated transfer mechanism are flagged instead of silently passing, and new subprocessors raise an alert so you never miss a notice obligation.
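As an added example, not code from the implementation plan or the tool it describes, here is what those controls look like when they are pushed down into the database rather than left to the app layer, using the Supabase (Postgres) stack listed above. It also produces the flags described under "What you'll build" (no DPA, outdated transfer mechanism, expiring DPA, new subprocessor) as a single view the reminder job can read. Every table, column and role name, the 60-day reminder window and the list of transfer mechanisms are assumptions; `auth.uid()` is Supabase's built-in helper that returns the signed-in user's id.

```sql
-- Added example, not code from the implementation plan or the tool it describes: a
-- Postgres/Supabase migration for the controls listed above. Table, column and role
-- names are assumptions; auth.uid() is Supabase's helper for the signed-in user's id.

-- Who belongs to which organization; every RLS policy below keys on this.
create table memberships (
  user_id uuid not null,
  org_id  uuid not null,
  role    text not null check (role in ('member', 'privacy_owner')),
  primary key (user_id, org_id)
);
create table processors (
  id                 uuid primary key default gen_random_uuid(),
  org_id             uuid not null,
  vendor             text not null,
  dpa_version        text,                    -- null while no DPA has been recorded
  dpa_status         text not null default 'none'
    check (dpa_status in ('signed', 'pending', 'expired', 'none')),
  transfer_mechanism text
    check (transfer_mechanism in ('scc', 'uk_addendum', 'adequacy', 'privacy_shield')),
  dpa_expires_on     date,
  dpa_file_path      text,                    -- object path in a private storage bucket
  privacy_compliant  boolean not null default false,
  approved_by        uuid,
  approved_at        timestamptz,
  -- Hard gate at the data layer: no row can claim compliance without an approver on record.
  check (not privacy_compliant or (approved_by is not null and approved_at is not null))
);
-- Duplicate guard keyed on vendor + DPA version (NULLS NOT DISTINCT needs Postgres 15+).
create unique index processors_vendor_version_uniq
  on processors (org_id, vendor, dpa_version) nulls not distinct;
create table subprocessors (
  id                     uuid primary key default gen_random_uuid(),
  org_id                 uuid not null,
  processor_id           uuid not null references processors(id),
  name                   text not null,
  first_seen_at          timestamptz not null default now(),
  notice_acknowledged_at timestamptz,         -- set once the owner has reviewed the notice
  unique (processor_id, name)
);
-- Append-only audit trail: who changed which status, and when.
create table dpa_audit_log (
  id bigserial primary key, org_id uuid not null, processor_id uuid not null,
  actor uuid, action text not null, old_status text, new_status text,
  logged_at timestamptz not null default now()
);

-- Approval gate and audit write enforced by a trigger, so the app cannot skip them.
create or replace function processors_guard() returns trigger
language plpgsql security definer set search_path = public as $$
declare
  was_compliant boolean := case when tg_op = 'UPDATE' then old.privacy_compliant else false end;
  prev_status   text    := case when tg_op = 'UPDATE' then old.dpa_status end;
begin
  if new.privacy_compliant and not was_compliant then
    if not exists (select 1 from memberships where user_id = auth.uid()
                      and org_id = new.org_id and role = 'privacy_owner') then
      raise exception 'only a privacy owner can mark a vendor privacy-compliant';
    end if;
    if new.dpa_status <> 'signed' then
      raise exception 'a vendor cannot be approved without a signed DPA';
    end if;
    new.approved_by := auth.uid();
    new.approved_at := now();
  end if;
  insert into dpa_audit_log (org_id, processor_id, actor, action, old_status, new_status)
  values (new.org_id, new.id, auth.uid(), tg_op, prev_status, new.dpa_status);
  return new;
end $$;
create trigger processors_guard_trg
  before insert or update on processors for each row execute function processors_guard();

-- Row-level security: a user only ever sees their own organization's rows.
create function my_org_ids() returns setof uuid
language sql stable security definer set search_path = public as
$$ select org_id from memberships where user_id = auth.uid() $$;
alter table processors    enable row level security;
alter table subprocessors enable row level security;
alter table dpa_audit_log enable row level security;
create policy processors_org_only    on processors    for all
  using (org_id in (select my_org_ids())) with check (org_id in (select my_org_ids()));
create policy subprocessors_org_only on subprocessors for all
  using (org_id in (select my_org_ids())) with check (org_id in (select my_org_ids()));
create policy audit_log_read_only    on dpa_audit_log for select
  using (org_id in (select my_org_ids()));

-- Flags the reminder job and the UI read; security_invoker makes the view respect RLS.
create view dpa_flags with (security_invoker = true) as
  select org_id, id as processor_id, vendor, 'no_dpa' as flag
    from processors where dpa_status in ('none', 'pending')
  union all
  select org_id, id, vendor, 'dpa_expired_or_expiring_within_60_days'
    from processors where dpa_status = 'expired' or dpa_expires_on <= current_date + 60
  union all
  select org_id, id, vendor, 'outdated_transfer_mechanism'
    from processors where transfer_mechanism = 'privacy_shield'
  union all
  select p.org_id, p.id, p.vendor, 'new_subprocessor_needs_notice'
    from processors p join subprocessors s on s.processor_id = p.id
   where s.notice_acknowledged_at is null;
```

Run this once as a migration in the Supabase SQL editor (both `nulls not distinct` and `security_invoker` need Postgres 15 or later, which current Supabase projects run). The point of doing it at this layer is that a bug or shortcut in the web app cannot mark a vendor compliant, skip the audit row, or show another organization's contracts: the check constraint, trigger and policies fire on every write regardless of which code path issued it. The reminder job that sends Resend emails only needs `select * from dpa_flags`, and because the view runs with the caller's rights it can never leak rows across organizations. An expired DPA still shows up in the flags even if the row was approved earlier, so a lapsed agreement is surfaced rather than silently kept green.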
Who it's for
Privacy officers, legal-ops and DPO teams, and vendor-management leads who own processor contracts and are tired of answering "do we have a DPA with them?" with a shrug. If you can describe how your shop decides a vendor is properly contracted to handle personal data, you can build this.
You've got this — start with the plan, paste the first prompt, answer the interview, and you'll see your DPA register take shape the same afternoon.