The DPO role carries a continuous obligation that most tooling treats as periodic. You're accountable for knowing that your organization's processors still provide adequate guarantees — not once a year at review time, but as an ongoing state. When a processor quietly adds a US subprocessor or shortens a breach-notification window, the accountability for noticing is yours, whether or not anyone told you.
Thorgate exists to make that noticing automatic, so your energy goes to the assessment rather than the surveillance.
The problem, in DPO terms
- Processors change their terms silently. Article 28(2) says they should notify you of subprocessor changes. In practice, notification is inconsistent, and you have no independent record of when a change actually happened.
- Your ROPA drifts out of date. Subprocessor lists change quarterly; your Article 30 records don't update themselves. Within weeks of your last refresh, the record no longer matches reality.
- "Demonstrable accountability" needs evidence, not intentions. Article 5(2) and Article 24 ask you to show oversight. A note that says "reviewed vendors in Q1" isn't the same as a timestamped log of what you were watching and what changed.
What Thorgate does for you
- Continuous processor monitoring. Every tracked DPA, privacy policy, and subprocessor list is fetched daily. You hold an independent, dated record of each vendor's stated guarantees over time.
- Change alerts that respect your attention. Material changes — new subprocessor, jurisdictional shift, retention change, breach-SLA change — reach you by email, Slack, or webhook. Cosmetic edits are filtered out.
- An oversight trail. Every change is timestamped; every review you record is attributed to you with a date. That's the evidence behind your accountability obligation.
- ROPA-ready exports. A current processor list with last-fetched timestamps, exportable to CSV, to keep your Article 30 records honest.
For outsourced and fractional DPOs
If you act as DPO for several organizations, each client lives in its own workspace — separate vendor list, separate history, separate alerts and exports — under a single login. The per-client audit trail is exactly what you hand each client's auditor, without cross-contamination between them.
What it deliberately isn't
Thorgate doesn't render legal judgments, run your DPIAs, or make risk-acceptance decisions. It observes and reports — what changed, when, how significant on a factual severity scale. The interpretation, the advice, the decision: those stay with you, where they belong. The tool removes the manual watching so you can spend your time on the part that actually requires a DPO.