Ops & Governance · vendor data flows

Know where your data goes —and which flow isn't governed.

A register of every vendor, AI tool, and sub-processor that touches your data — and a verdict on whether each flow is governed. The required controls adapt to what the flow carries, and one ungoverned regulated-data relationship is enough to hold the whole register.

Get the Register — $89one-time · instant download · yours to keep

Not legal advice. This is a working aid for a vendor / sub-processor data-flow register (the kind GDPR Art. 30 and Art. 28 contemplate). It records what you enter and flags what's missing; it does not create DPAs or transfer mechanisms and is not a certification. References to GDPR are current as of June 2026 and may change; EU AI Act Article 50 transparency and the deferred high-risk (Annex III, 2 December 2027) regime are out of scope here. Confirm your obligations with counsel.

Five deliverables · runnable
Data-flow register engine
py
Register workbook
xlsx
Register-Building Playbook
docx
Gap Closure Runbook
docx
Worked 6-flow sample
csv
Works alongside
EU AI Act Kit · NIST RMF Kit · Governance Starter
01.The Problem

You can name your vendors. Can you name your data flows?

1 flow

An ungoverned regulated flow — a shadow LLM API seeing customer PII — holds the register.

Art. 30

The records GDPR contemplates: who processes what, where it flows, on what basis.

0

AI, network, or uploads — deterministic, offline, the flows you record.

Most teams can list their vendors. Far fewer can say, for each one, exactly what data it receives, whether that data crosses a border, and whether a DPA and the rest of the required controls are in place — and fewer still have caught the AI tool quietly receiving customer PII in a prompt. This register makes those flows explicit and tells you which one isn't governed.

02.See It Work

Set a sensitivity, tick the controls, watch the gate.

Live demo · set a flow's sensitivity and tick the controls in place

StripeF1
DOCUMENTED
HubSpotF2
GAP

missing: Sub-processors

OpenAI APIF3
UNVETTED

missing: DPA, Retention, Sub-processors, Transfer

DatadogF4
DOCUMENTED
NotionF5
DOCUMENTED
Acme AnalyticsF6
DOCUMENTED

Register verdict

NOT DEFENSIBLE

regulated-unvetted gate FIRED on F3

Flows

4 documented · 1 gap · 1 unvetted (67% documented)

Fix first: F3

The required controls (*) adapt to what the flow carries. A GAP is a governed relationship with a paperwork hole; UNVETTED means no DPA at all. One regulated flow left UNVETTED trips the gate and holds the whole register — 67% documented notwithstanding.

03.The Engine, Run

Verbatim output on the shipped 6-flow sample.

Four of six flows are DOCUMENTED and the register is 67% documented — and still NOT DEFENSIBLE, because the OpenAI flow processes customer PII across a border with no DPA at all. HubSpot is only a GAP (a DPA is in place, sub-processors aren't disclosed yet) — but the ungoverned regulated flow is the one that's dispositive.

VENDOR & SUB-PROCESSOR DATA-FLOW REGISTER  (as of 2026-06-23)
========================================================================
[F1] Stripe / payment & card data  (regulated [cross-border])  ->  DOCUMENTED
[F2] HubSpot / CRM contacts (email/phone)  (personal)  ->  GAP
       missing: subprocessors_disclosed
[F3] OpenAI API / prompt content w/ customer PII  (regulated [cross-border])  ->  UNVETTED
       missing: dpa, retention_defined, subprocessors_disclosed, transfer_mechanism
[F4] Datadog / application logs (IPs)  (personal [cross-border])  ->  DOCUMENTED
[F5] Notion / internal docs  (low)  ->  DOCUMENTED
[F6] Acme Analytics / aggregated usage (no PII)  (none)  ->  DOCUMENTED
------------------------------------------------------------------------
Flows: 4 DOCUMENTED / 1 GAP / 1 UNVETTED (67% documented)
Regulated-unvetted gate: FIRED on F3
REGISTER VERDICT: NOT DEFENSIBLE
Fix first: F3

A working aid for a vendor / sub-processor data-flow register (GDPR Art. 28/30).
Not legal advice; does not create contracts or transfer mechanisms. References to
GDPR are current as of June 2026 and may change; EU AI Act Article 50 and the
deferred high-risk (Annex III, 2 Dec 2027) regime are out of scope. Confirm with counsel.
04.The Standard

Three rules that keep a register honest.

Required controls adapt to risk

A flow with no personal data just needs a purpose; a regulated cross-border flow needs a DPA, retention, sub-processors, and a transfer mechanism. DOCUMENTED means it has what its risk requires.

GAP isn't UNVETTED

A GAP is a governed relationship with a paperwork hole. UNVETTED means no DPA — the relationship itself isn't governed. The kit keeps the serious failure separate from the to-do.

One ungoverned flow is dispositive

Any personal/regulated UNVETTED flow forces NOT DEFENSIBLE. The documented-share % is context only — it never lets a register with one ungoverned regulated flow call itself complete.

05.What This Is — And Isn't

A working register, not a lawyer and not a contract.

It is
  • A register of vendor / AI / sub-processor data flows with a per-flow verdict.
  • A risk-adaptive control checklist (the kind Art. 30 / Art. 28 contemplate).
  • A runnable engine plus a workbook that reproduces it, line for line.
  • Deterministic and offline — the flows you record, no AI, nothing uploaded.
It isn't
  • A contract generator — it doesn't draft DPAs or set up transfers.
  • A compliance certification of your data processing.
  • An EU AI Act assessment — Article 50 and the high-risk regime are out of scope.
  • Legal advice, or a substitute for counsel on your obligations.

Not legal advice. This is a working aid for a vendor / sub-processor data-flow register (the kind GDPR Art. 30 and Art. 28 contemplate). It records what you enter and flags what's missing; it does not create DPAs or transfer mechanisms and is not a certification. References to GDPR are current as of June 2026 and may change; EU AI Act Article 50 transparency and the deferred high-risk (Annex III, 2 December 2027) regime are out of scope here. Confirm your obligations with counsel.

06.Who It's For

Anyone accountable for where the data goes.

  • · Founders and ops leads building a vendor / processor inventory.
  • · Privacy and compliance owners maintaining records of processing.
  • · Security teams tracking which AI tools see which data.
  • · Teams preparing for a DPA review or a customer security questionnaire.
  • · Anyone who just added an LLM API and isn't sure it's governed.
  • · Buyers of the EU AI Act or NIST kits who need the flow-level layer.
08.Common Questions

The questions privacy and ops owners actually ask before a vendor review.

A flow is one vendor or AI tool processing one category of your data — Stripe handling card data, an LLM API receiving prompts that contain customer PII, a CRM holding contacts. For each flow you record what data it carries, how sensitive that data is (none / low / personal / regulated), whether it crosses a border, and which governance controls are actually in place (a DPA, a defined retention period, disclosed sub-processors, a transfer mechanism, a recorded purpose). The register then grades each flow DOCUMENTED / GAP / UNVETTED and rolls the whole register up to REGISTER COMPLETE / GAPS TO CLOSE / NOT DEFENSIBLE. It's the kind of record GDPR Art. 30 and Art. 28 contemplate — a working aid, not legal advice.

Map every data flow.
Find the one that isn't governed.

One purchase, lifetime access, 12 months of updates. $89, once.

Not legal advice. A working aid for a vendor / sub-processor data-flow register; it does not create contracts or transfer mechanisms. References to GDPR are current as of June 2026 and may change; the EU AI Act high-risk regime is out of scope. Confirm with counsel.

Sold by RedHub AI LLC · Secured by Stripe · redhub.ai