For DPOs

Vendor Monitoring for Data Protection Officers

A DPO's Article 28 oversight obligation doesn't pause between audits. Thorgate continuously tracks your processors' DPAs and subprocessor lists so you can evidence oversight, not reconstruct it.

Start a 14-day trial → See pricing

The DPO role carries a continuous obligation that most tooling treats as periodic. You're accountable for knowing that your organization's processors still provide adequate guarantees — not once a year at review time, but as an ongoing state. When a processor quietly adds a US subprocessor or shortens a breach-notification window, the accountability for noticing is yours, whether or not anyone told you.

Thorgate exists to make that noticing automatic, so your energy goes to the assessment rather than the surveillance.

The problem, in DPO terms

  • Processors change their terms silently. Article 28(2) says they should notify you of subprocessor changes. In practice, notification is inconsistent, and you have no independent record of when a change actually happened.
  • Your ROPA drifts out of date. Subprocessor lists change quarterly; your Article 30 records don't update themselves. Within weeks of your last refresh, the record no longer matches reality.
  • "Demonstrable accountability" needs evidence, not intentions. Article 5(2) and Article 24 ask you to show oversight. A note that says "reviewed vendors in Q1" isn't the same as a timestamped log of what you were watching and what changed.

What Thorgate does for you

  • Continuous processor monitoring. Every tracked DPA, privacy policy, and subprocessor list is fetched daily. You hold an independent, dated record of each vendor's stated guarantees over time.
  • Change alerts that respect your attention. Material changes — new subprocessor, jurisdictional shift, retention change, breach-SLA change — reach you by email, Slack, or webhook. Cosmetic edits are filtered out.
  • An oversight trail. Every change is timestamped; every review you record is attributed to you with a date. That's the evidence behind your accountability obligation.
  • ROPA-ready exports. A current processor list with last-fetched timestamps, exportable to CSV, to keep your Article 30 records honest.

For outsourced and fractional DPOs

If you act as DPO for several organizations, each client lives in its own workspace — separate vendor list, separate history, separate alerts and exports — under a single login. The per-client audit trail is exactly what you hand each client's auditor, without cross-contamination between them.

What it deliberately isn't

Thorgate doesn't render legal judgments, run your DPIAs, or make risk-acceptance decisions. It observes and reports — what changed, when, how significant on a factual severity scale. The interpretation, the advice, the decision: those stay with you, where they belong. The tool removes the manual watching so you can spend your time on the part that actually requires a DPO.

Frequently asked

How does Thorgate help a DPO with GDPR Article 28?
Article 28 requires you to use processors that provide sufficient guarantees and to stay aware of subprocessor changes. Thorgate continuously tracks each processor's DPA and subprocessor list and produces a timestamped record of what changed and when — the demonstrable-accountability evidence Article 5(2) expects. See the Article 28 page for detail.
Does it help maintain my Article 30 records of processing?
Yes. Subprocessor lists are the part of a ROPA that goes stale fastest. Thorgate's daily monitoring catches changes, and the CSV export gives you a current processor list to feed your ROPA maintenance.
I'm an outsourced / fractional DPO with many clients. Does that work?
Yes — each client is a separate workspace with its own vendor list, history, and alerts. You get one login across all of them and per-client audit exports.
Does Thorgate give legal advice on the changes it finds?
No, deliberately. Thorgate reports factual observations — what changed, when, classified by severity. The legal judgment stays with you. It's a monitoring tool, not a substitute for the DPO's assessment.
Try it on your vendor stack.

14-day free trial, no credit card required.

Start a trial