Know where your data goes —and which flow isn't governed.
A register of every vendor, AI tool, and sub-processor that touches your data — and a verdict on whether each flow is governed. The required controls adapt to what the flow carries, and one ungoverned regulated-data relationship is enough to hold the whole register.
Not legal advice. This is a working aid for a vendor / sub-processor data-flow register (the kind GDPR Art. 30 and Art. 28 contemplate). It records what you enter and flags what's missing; it does not create DPAs or transfer mechanisms and is not a certification. References to GDPR are current as of June 2026 and may change; EU AI Act Article 50 transparency and the deferred high-risk (Annex III, 2 December 2027) regime are out of scope here. Confirm your obligations with counsel.
You can name your vendors. Can you name your data flows?
An ungoverned regulated flow — a shadow LLM API seeing customer PII — holds the register.
The records GDPR contemplates: who processes what, where it flows, on what basis.
AI, network, or uploads — deterministic, offline, the flows you record.
Most teams can list their vendors. Far fewer can say, for each one, exactly what data it receives, whether that data crosses a border, and whether a DPA and the rest of the required controls are in place — and fewer still have caught the AI tool quietly receiving customer PII in a prompt. This register makes those flows explicit and tells you which one isn't governed.
Set a sensitivity, tick the controls, watch the gate.
Live demo · set a flow's sensitivity and tick the controls in place
missing: Sub-processors
missing: DPA, Retention, Sub-processors, Transfer
Register verdict
NOT DEFENSIBLE
regulated-unvetted gate FIRED on F3
Flows
4 documented · 1 gap · 1 unvetted (67% documented)
Fix first: F3
The required controls (*) adapt to what the flow carries. A GAP is a governed relationship with a paperwork hole; UNVETTED means no DPA at all. One regulated flow left UNVETTED trips the gate and holds the whole register — 67% documented notwithstanding.
Verbatim output on the shipped 6-flow sample.
Four of six flows are DOCUMENTED and the register is 67% documented — and still NOT DEFENSIBLE, because the OpenAI flow processes customer PII across a border with no DPA at all. HubSpot is only a GAP (a DPA is in place, sub-processors aren't disclosed yet) — but the ungoverned regulated flow is the one that's dispositive.
VENDOR & SUB-PROCESSOR DATA-FLOW REGISTER (as of 2026-06-23)
========================================================================
[F1] Stripe / payment & card data (regulated [cross-border]) -> DOCUMENTED
[F2] HubSpot / CRM contacts (email/phone) (personal) -> GAP
missing: subprocessors_disclosed
[F3] OpenAI API / prompt content w/ customer PII (regulated [cross-border]) -> UNVETTED
missing: dpa, retention_defined, subprocessors_disclosed, transfer_mechanism
[F4] Datadog / application logs (IPs) (personal [cross-border]) -> DOCUMENTED
[F5] Notion / internal docs (low) -> DOCUMENTED
[F6] Acme Analytics / aggregated usage (no PII) (none) -> DOCUMENTED
------------------------------------------------------------------------
Flows: 4 DOCUMENTED / 1 GAP / 1 UNVETTED (67% documented)
Regulated-unvetted gate: FIRED on F3
REGISTER VERDICT: NOT DEFENSIBLE
Fix first: F3
A working aid for a vendor / sub-processor data-flow register (GDPR Art. 28/30).
Not legal advice; does not create contracts or transfer mechanisms. References to
GDPR are current as of June 2026 and may change; EU AI Act Article 50 and the
deferred high-risk (Annex III, 2 Dec 2027) regime are out of scope. Confirm with counsel.Three rules that keep a register honest.
A flow with no personal data just needs a purpose; a regulated cross-border flow needs a DPA, retention, sub-processors, and a transfer mechanism. DOCUMENTED means it has what its risk requires.
A GAP is a governed relationship with a paperwork hole. UNVETTED means no DPA — the relationship itself isn't governed. The kit keeps the serious failure separate from the to-do.
Any personal/regulated UNVETTED flow forces NOT DEFENSIBLE. The documented-share % is context only — it never lets a register with one ungoverned regulated flow call itself complete.
A working register, not a lawyer and not a contract.
- A register of vendor / AI / sub-processor data flows with a per-flow verdict.
- A risk-adaptive control checklist (the kind Art. 30 / Art. 28 contemplate).
- A runnable engine plus a workbook that reproduces it, line for line.
- Deterministic and offline — the flows you record, no AI, nothing uploaded.
- A contract generator — it doesn't draft DPAs or set up transfers.
- A compliance certification of your data processing.
- An EU AI Act assessment — Article 50 and the high-risk regime are out of scope.
- Legal advice, or a substitute for counsel on your obligations.
Not legal advice. This is a working aid for a vendor / sub-processor data-flow register (the kind GDPR Art. 30 and Art. 28 contemplate). It records what you enter and flags what's missing; it does not create DPAs or transfer mechanisms and is not a certification. References to GDPR are current as of June 2026 and may change; EU AI Act Article 50 transparency and the deferred high-risk (Annex III, 2 December 2027) regime are out of scope here. Confirm your obligations with counsel.
Anyone accountable for where the data goes.
- · Founders and ops leads building a vendor / processor inventory.
- · Privacy and compliance owners maintaining records of processing.
- · Security teams tracking which AI tools see which data.
- · Teams preparing for a DPA review or a customer security questionnaire.
- · Anyone who just added an LLM API and isn't sure it's governed.
- · Buyers of the EU AI Act or NIST kits who need the flow-level layer.
Where this sits in the governance line.
The broader AI Act program — inventory, risk tiering, and a cross-framework register.
Govern / Map / Measure / Manage with a use-case register and vendor-questionnaire bank.
Sets the policy that says which vendors and data flows are allowed in the first place.
The sibling grain — what your AI agents and connectors can reach, scored for access risk.
The questions privacy and ops owners actually ask before a vendor review.
A flow is one vendor or AI tool processing one category of your data — Stripe handling card data, an LLM API receiving prompts that contain customer PII, a CRM holding contacts. For each flow you record what data it carries, how sensitive that data is (none / low / personal / regulated), whether it crosses a border, and which governance controls are actually in place (a DPA, a defined retention period, disclosed sub-processors, a transfer mechanism, a recorded purpose). The register then grades each flow DOCUMENTED / GAP / UNVETTED and rolls the whole register up to REGISTER COMPLETE / GAPS TO CLOSE / NOT DEFENSIBLE. It's the kind of record GDPR Art. 30 and Art. 28 contemplate — a working aid, not legal advice.
Because one ungoverned regulated flow is dispositive. In the worked six-flow sample, four flows are DOCUMENTED — but the OpenAI API flow processes customer PII across a border with no DPA at all, so it's UNVETTED, and any personal or regulated flow that's UNVETTED forces the whole register NOT DEFENSIBLE. The documented-share percentage is shown for context only and never sets the verdict. A shadow LLM API quietly receiving PII with no agreement isn't made acceptable by everything else being in order; the gate refuses to let a comforting average bury it. Put a DPA in place for that flow and the gate releases.
It's the difference between a paperwork hole and an ungoverned relationship. UNVETTED means the load-bearing control — a Data Processing Agreement — is missing for a flow that requires one: the relationship itself isn't governed. GAP means the DPA is in place but another required control is missing (a retention period not yet defined, sub-processors not yet disclosed): a governed relationship with a hole to close. The kit keeps the serious failure separate from the to-do, because they need different responses — a GAP is housekeeping, an UNVETTED regulated flow is the thing that holds your whole register.
The required set adapts to risk rather than applying one flat checklist. A flow with no personal data just needs a recorded purpose. Low-sensitivity adds a DPA. Personal or regulated data adds a defined retention period and disclosed sub-processors. And any flow that crosses a border adds a transfer mechanism (SCCs or an adequacy basis), whatever its sensitivity. DOCUMENTED means a flow carries everything its own risk requires — so a regulated cross-border flow is held to more than an internal low-sensitivity one. The exact required set varies by your role (controller vs processor), jurisdiction, and data type; the kit's defaults are a sensible baseline, not a legal determination.
No. It's a register and a gap-finder, not a contract generator — it never drafts a DPA, creates a transfer mechanism, or certifies your processing. It records what you tell it about each flow, checks it against the controls that flow's risk requires, and tells you which flows aren't governed and what each is missing, with the flow to fix first; the included Gap Closure Runbook walks through resolving each one. It's deterministic and offline — no AI, no network, nothing uploaded — so the same register always produces the same verdict, and it governs data flows, never people.
Neither. It's a working aid for maintaining a vendor / sub-processor data-flow register (the kind GDPR Art. 28/30 contemplate) — not legal advice, not a compliance certification, and not an EU AI Act assessment: Article 50 transparency and the deferred high-risk (Annex III, 2 December 2027) regime are out of scope here. The GDPR references are concepts current as of June 2026 and may change, and which categories count as regulated and which transfer basis applies are specific to your situation, so confirm your obligations with counsel. It pairs with the EU AI Act Readiness Kit and the NIST AI RMF Readiness Kit (the broader governance programs) and the AI Agent & Connector Access Auditor (its sibling — what your AI agents and connectors can reach).
Map every data flow.
Find the one that isn't governed.
One purchase, lifetime access, 12 months of updates. $89, once.
Not legal advice. A working aid for a vendor / sub-processor data-flow register; it does not create contracts or transfer mechanisms. References to GDPR are current as of June 2026 and may change; the EU AI Act high-risk regime is out of scope. Confirm with counsel.
Sold by RedHub AI LLC · Secured by Stripe · redhub.ai