Vendor records often exist outside the processing record. A supplier list in a spreadsheet does not show which processing activities a vendor supports, which DPA is in place, or whether processor obligations are being met.
EAB structures vendor governance as governed accountability records — linked to processing activities, DPA requirements, and TOM profiles, within the same audit trail.
“Art. 28 GDPR makes controllers responsible for their processors. But in most organisations, the vendor list, the DPA status, and the processing register exist in three different places — and nobody owns the connection between them.”
The GDPR Vendor Governance module addresses the accountability gap between vendor relationships and GDPR processor obligations. Article 28 requires a Data Processing Agreement with every processor — and requires that controllers verify processors implement appropriate safeguards. Both requirements need a governance record, not just a signed document in a folder.
EAB structures vendor records as governance objects — each linked to the processing activities they support, with DPA version tracking, processor obligation documentation, and TOM requirements. Sub-processor chains are documented where Article 28(2) requires sub-processor approval.
For vendors that provide AI systems or AI-powered services, the vendor governance record is also linked to the AI system governance record — so the processor relationship, the DPA, and the AI Act obligation appear in one coherent governance record.
Each capability is connected to the shared system inventory, evidence layer, and audit trail.
Each vendor is a governance object — linked to the processing activities it supports. The connection between vendor and processing is explicit: which activities, which personal data categories, which processing purposes.
DPA version, acceptance date, and current status are tracked per vendor. Expired or unsigned DPAs surface as compliance gaps. DPA documents are uploaded and linked to the vendor record — not filed separately.
AI system vendors and processors appear in both the GDPR vendor governance record and the AI system governance record. One vendor record serves both compliance frameworks — with shared evidence and a unified audit trail.
Sub-processors authorised under Article 28(2) are documented in the vendor chain. The controller can show not just that a DPA is in place with the primary processor — but that the sub-processor chain is also governed and approved.
Security requirements for each processor are documented in the vendor record — linked to the TOM profiles in the GDPR module. Processor TOM compliance is tracked as a governance state, not assumed from a contractual clause.
Each vendor has a risk assessment record — documented risk factors, mitigation measures, and assessment outcome. Risk assessment evidence is linked to the vendor record and available in audit exports.
The GDPR Vendor Governance module uses the same system inventory as the EU AI Act module. Vendors that provide AI systems or AI-powered services are linked to both the AI system governance record and the GDPR vendor record — no duplication.
Evidence uploaded for vendor governance — DPA documents, risk assessments, TOM compliance records — is in the same evidence layer. It is available for both GDPR and AI Act audit purposes without re-upload or cross-referencing.
At audit time, the complete picture of a vendor relationship is visible in one record: the processing activities supported, the DPA status, the security requirements, the risk assessment, and the AI system linkage where applicable.
Available as part of the GDPR Module for Professional and Enterprise. Shares one system inventory, one evidence layer, and one audit trail with the EU AI Act module.
EU-hosted · Anchored to CELEX 32024R1689