Article 28 vendor oversight, evidenced.
Track processor DPAs (Article 28) and maintain Records of Processing (Article 30) with subprocessor lists that don't go stale a week after the audit. Continuous monitoring, timestamped change log, reviewer attestation.
What Article 28 requires (and where it breaks down in practice)
GDPR Article 28(1) requires controllers to use only processors that provide "sufficient guarantees" of GDPR-compliant processing. Article 28(2) requires processor consent — and prior notification — before subprocessor changes. Article 28(3) sets minimum required terms for the controller-processor contract (your DPA).
Most controllers have the controller-processor DPA signed at procurement time and then never look at it again. Meanwhile processors update their templates quarterly, change subprocessors, change retention, change jurisdictions — and the controller has no continuous oversight evidence for the demonstrable accountability that Article 5(2) and Article 24 actually demand.
What Thorgate evidences, per Article
Article 28(1) — Processor diligence. Track each processor's DPA, privacy policy, and security commitments. The version history is the contemporaneous evidence that the processor's stated guarantees existed when you relied on them.
Article 28(2) — Subprocessor changes. Daily monitoring of the processor's published subprocessor list catches changes whether or not the processor proactively notifies you. You have an independent dated record of when each subprocessor was added or removed.
Article 28(3) — DPA terms. Per-processor DPA version stack with AI-summarized change events when terms shift — security measures, breach notification SLA, retention period, data location, sub-processing rules.
Article 30 — Records of Processing. CSV export of current processor list plus processed-data categories where disclosed. Pair with your internal processing-purpose register to produce maintainable ROPA.
Common scenarios
- Vendor adds a US-based subprocessor for an EU service. Thorgate flags it as a jurisdictional change, severity Major, with a timestamped change event you can route to your DPO.
- Processor updates its DPA template silently. Daily crawl catches it; AI summary highlights what changed (breach SLA reduced from 72h to 48h, new subprocessor category added, etc.).
- EU regulator asks for ROPA update. CSV export gives current processor list with last-fetched timestamps as primary-source evidence.
- Schrems II concerns. Jurisdictional changes and SCC module references in DPAs surface in the change feed.
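The subprocessor-list monitoring described under Article 28(2) and in the scenarios above comes down to a few concrete steps: fetch the processor's published list on a schedule, diff it against the previous snapshot keyed by subprocessor name, write a timestamped change event for every addition, removal or modification, rate it against the controller's accepted jurisdictions, and apply a per-vendor severity threshold before alerting. The script below is an added illustration of that loop, not Thorgate's code; the two snapshots, the processor name, the allowed-country set and the Minor/Major severity scheme are all constructed for the example. The CSV function at the end shows the processor-side rows (subprocessor, country, purpose, last-fetched) that the Article 30 export scenario refers to; the controller-side ROPA fields stay with you.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone

# Severity ordering used for per-vendor alert thresholds (assumed scheme).
SEVERITY_RANK = {"Minor": 1, "Major": 2}


@dataclass(frozen=True)
class Subprocessor:
    name: str
    country: str   # ISO 3166-1 alpha-2 code as published by the processor
    purpose: str   # processing purpose as published by the processor


@dataclass(frozen=True)
class ChangeEvent:
    observed_at: str   # ISO 8601 timestamp of the crawl that saw the change
    vendor: str
    kind: str          # "added" | "removed" | "modified"
    name: str
    severity: str
    detail: str


def diff_subprocessors(vendor, previous, current, allowed_countries, observed_at):
    """Compare two snapshots keyed by subprocessor name and emit dated events.

    A new subprocessor outside the controller's allowed jurisdictions, or an
    existing one that moves outside them, is rated Major; everything else Minor.
    """
    prev = {s.name: s for s in previous}
    curr = {s.name: s for s in current}
    events = []
    for name in sorted(curr.keys() - prev.keys()):
        s = curr[name]
        outside = s.country not in allowed_countries
        detail = f"new subprocessor in {s.country} ({s.purpose})"
        if outside:
            detail += "; outside allowed jurisdictions"
        events.append(ChangeEvent(observed_at, vendor, "added", name,
                                  "Major" if outside else "Minor", detail))
    for name in sorted(prev.keys() - curr.keys()):
        s = prev[name]
        events.append(ChangeEvent(observed_at, vendor, "removed", name, "Minor",
                                  f"subprocessor in {s.country} no longer listed"))
    for name in sorted(prev.keys() & curr.keys()):
        a, b = prev[name], curr[name]
        if a == b:
            continue
        moved_out = a.country != b.country and b.country not in allowed_countries
        events.append(ChangeEvent(observed_at, vendor, "modified", name,
                                  "Major" if moved_out else "Minor",
                                  f"country {a.country}->{b.country}, "
                                  f"purpose {a.purpose!r}->{b.purpose!r}"))
    return events


def above_threshold(events, threshold):
    """Per-vendor alert rule: keep events at or above the configured severity."""
    return [e for e in events if SEVERITY_RANK[e.severity] >= SEVERITY_RANK[threshold]]


def ropa_csv(vendor, current, fetched_at):
    """Processor-side rows for an Article 30 record, with last-fetched timestamp."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["processor", "subprocessor", "country", "purpose", "last_fetched"])
    for s in sorted(current, key=lambda s: s.name):
        writer.writerow([vendor, s.name, s.country, s.purpose, fetched_at])
    return out.getvalue()


# Constructed sample data for one fictional processor; not real vendor lists.
ALLOWED = {"DE", "FR", "IE", "NL"}   # controller's accepted jurisdictions (assumed)
SNAPSHOT_DAY1 = [
    Subprocessor("cloud-host-a", "IE", "hosting"),
    Subprocessor("mail-relay-b", "DE", "transactional email"),
    Subprocessor("support-desk-c", "NL", "customer support"),
]
SNAPSHOT_DAY2 = [
    Subprocessor("cloud-host-a", "IE", "hosting"),
    Subprocessor("mail-relay-b", "DE", "transactional email"),
    Subprocessor("analytics-d", "US", "product analytics"),
]
OBSERVED_AT = datetime(2024, 5, 2, 6, 0, tzinfo=timezone.utc).isoformat()


def demo():
    """Run the daily diff for the sample processor and return its change events."""
    return diff_subprocessors("example-processor", SNAPSHOT_DAY1, SNAPSHOT_DAY2,
                              ALLOWED, OBSERVED_AT)


if __name__ == "__main__":
    for event in demo():
        print(event)
    print(ropa_csv("example-processor", SNAPSHOT_DAY2, OBSERVED_AT))
```

Running it yields two events for the sample day: the US-based analytics subprocessor is recorded as an addition at Major severity, and the support-desk entry as a Minor removal, each stamped with the crawl time rather than with whatever date the processor's notification (if any) eventually carries. Keying the diff on the published name means a renamed subprocessor shows up as a removal plus an addition, which is the conservative reading for an audit trail; a vendor-specific key (registration number, domain) can be substituted where the processor publishes one.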
What's out of scope
Thorgate doesn't replace your DPO, your DPIA process, or your ROPA register — it feeds them with the document-monitoring evidence those processes need. It also doesn't draft your DPAs, run lawful-basis assessments, or handle data-subject requests.
FAQ
Does Thorgate cover Article 28(2) subprocessor notification?
Yes. Daily monitoring catches subprocessor list changes whether or not the processor proactively notifies — and you have an independent dated record. Per-vendor severity thresholds let you alert immediately on any change.
Does Thorgate help maintain my Article 30 ROPA?
The CSV export gives current processor list, processed-data categories where the processor discloses them, and timestamped change history — directly usable for ROPA maintenance. You still maintain the controller-side fields (purpose, lawful basis, etc.).
Can Thorgate produce evidence for a DPIA?
Indirectly — it captures the processor's stated technical and organisational measures at version-level granularity, useful as input to a DPIA's processor-assessment section.
What about Schrems II and international transfers?
Jurisdictional additions and SCC-module references appear in the change feed; surface them via severity thresholds. Thorgate doesn't perform the transfer impact assessment itself.
Try it
14-day free trial, no credit card. Start a trial or read the full FAQ.