For data protection teams

Know where vendor data goes — and who shouldn't have it.

Data protection lives or dies on whether you can map vendor data flows, sub-processor chains, and breach exposure. The Agency does that in hours, not weeks — and stays current after.

The numbers your team already knows.

Personal data leaves your organisation every day, with vendors and their vendors. DPIAs are point-in-time. Breach windows are statutory. Manual mapping never catches up.

  • 30 days: statutory window for GDPR vendor breach reporting (GDPR Article 33)
  • 200+: vendors handling personal data per organisation (industry estimate)
  • ~78%: of breaches involving a third party (industry estimate)

Sub-processor sprawl, mapped and monitored.

Article 28 evidence shouldn't be a one-off pre-contract exercise that decays. The Agency keeps the DPA, sub-processor chain and breach-notification routes live for the life of the relationship.

Before The Agency
Data protection as a paper exercise
  • Article 28 DPAs chased once at onboarding, then left to rot
  • Sub-processors named in contracts; never independently verified
  • Breach notification routes documented but never tested
  • Cross-border transfers (SCC, IDTA) reviewed manually, infrequently
  • Data destruction at offboarding handled on email, no evidence
With The Agency
Data protection as a continuous control
  • DPA re-validated on renewal; clause drift flagged automatically
  • Sub-processor chain mapped by REX, monitored outside-in
  • Breach signal correlated to your data-flow inventory
  • Transfer mechanism extracted, expiry tracked, regulator changes flagged
  • Data destruction verified at offboarding and logged to audit trail

REX, ARIA, TARA — your DPIA, continuously updated.

Three of The Agency's leads keep your data-flow map current and your breach-detection ahead of the news cycle. The DPIA stops being a one-shot document.

REX
Risk & Breach Intelligence

Vendor breach signal, before the news cycle. REX correlates dark-web dumps and external attack-surface changes against your vendor list — you find out from us, not from the front page.

What you get
  • Dark-web correlation against vendor identifiers
  • Continuous attack-surface monitoring
  • Fourth-party discovery — your vendor's vendor breach is your vendor breach
ARIA
Document & Contract Intelligence

Sub-processor chains and data-residency clauses, extracted. ARIA reads vendor contracts, DPAs and trust pages — surfaces sub-processor lists, data residency commitments and notification timelines automatically.

What you get
  • Sub-processor chains mapped from live contracts
  • Data residency clauses extracted and tracked
  • Breach notification SLAs flagged per vendor
TARA
Compliance & Regulatory

GDPR, DPDPA, CCPA — coverage, not gaps. TARA continuously checks your vendor posture against data-protection frameworks and surfaces drift before the regulator does.

What you get
  • Continuous coverage against GDPR, DPDPA, CCPA
  • Data-flow mapping kept live, not point-in-time
  • Tiered breach-response readiness per vendor

From DPIA to destruction in five steps.

The Agency runs the data protection lifecycle end-to-end — from classifying a vendor as a processor, to verifying data destruction when they offboard.

  1. NOVA: Processor classified

    DPIA scope captured at intake; Article 28 evidence requested; data categories flagged.

  2. ARIA: DPA + Annex II parsed

    Contract Analyser extracts sub-processors, retention periods, TOMs, transfer mechanisms and audit rights.

  3. REX: Sub-processor chain mapped

    Fourth-Party Discovery builds the full sub-processor graph; jurisdictions and external posture continuously scanned.

  4. TARA: GDPR gap analysis

    Article 28-32 controls scored; missing clauses, stale transfer mechanisms and TOM gaps flagged with SLA-bound remediation.

  5. VANCE: RoPA + audit trail

    Record of Processing Activities, sub-processor list and breach-notification routes — composed live, auditor-ready on request.

Feeds the privacy tools your DPO already runs.

The Agency enriches your privacy platform with continuous vendor-side evidence — sub-processor changes, DPA renewals, breach signal, data destruction proof.

Privacy management
  • OneTrust
  • TrustArc
  • Privitar
  • Securiti
  • WireWheel
DLP & data discovery
  • Microsoft Purview
  • BigID
  • Forcepoint DLP
  • Symantec DLP
  • Varonis
Records & CMDB
  • ServiceNow CMDB
  • SharePoint
  • Confluence
  • Box
Identity & access
  • Okta
  • Microsoft Entra ID
  • SailPoint
  • CyberArk

Four shifts you'll feel on day one.

The DPIA becomes a living document. Sub-processor chains are visible, not theoretical. Breach windows stop being a panic.

Sub-processor map built in a day

ARIA extracts the sub-processor list from every vendor contract and trust page. The chain you sketched on a whiteboard becomes a live picture.

Breach signal arrives before the news

REX surfaces vendor breach correlations from dark-web and attack-surface signal — you have time to respond, not just react.

DPIAs stop being point-in-time

The data-flow picture stays current. When a vendor adds a sub-processor or moves a region, you see it the same week.

Statutory windows stop being a panic

Breach-response readiness is tiered per vendor. When the 30-day clock starts, your team already has the evidence trail.

We finally have a continuous view of where personal data goes after it leaves us. The Agency built our sub-processor map in a day — and it has stayed live since.

EM
Data Protection Officer
European Insurer

What DPOs ask us first.

The questions that come up in every conversation with a data protection officer or head of privacy.

How does The Agency handle Article 28 DPA evidence?
NOVA collects the DPA; ARIA's Contract Analyser extracts the sub-processor list, retention periods, technical and organisational measures, and audit rights. The clauses are re-validated on renewal — and any drift from the original is surfaced to your team.
What about cross-border transfers (SCCs, IDTA, UK extension)?
REX maps the jurisdictions where each sub-processor operates. ARIA extracts the transfer mechanism from the contract (SCC module, IDTA, BCR). TARA flags missing or stale clauses against your jurisdiction's current requirements.
How are sub-processors monitored after onboarding?
REX's Fourth-Party Discovery maps vendors-of-vendors and runs continuous outside-in scans on each. Material changes — new sub-processor, jurisdiction shift, breach signal — trigger alerts back to your team.
Can you verify data destruction at offboarding?
Yes. NOVA's Data Destruction Verification sub-agent collects evidence at offboarding (certificates, attestations, asset-disposal records), checks completeness against contractual provisions, and logs the evidence to the audit trail.
How do RTBF and subject-access requests fit in?
RTBF and SAR routing typically live in your privacy management platform (OneTrust, TrustArc). The Agency tracks vendor-side compliance with the SAR/RTBF SLAs you've set — flagging vendors who don't respond inside the regulatory window.

See it on your vendors.

Book a 30-minute call and we'll have NOVA, ARIA and REX produce a complete posture report on one of your live vendors inside 24 hours.