GDPR Art 28 · SCC 2021/914 · EU-US DPF · Schrems II · Deep Prototype

DPADeskbook — Sub-Processor DPA Inventory

38 sub-processors. DPA + SCC 2021/914 module + DPF status + adequacy decision + Schrems II Transfer Impact Assessment. Surfaces 4 vendors with legacy 2010 SCCs (invalid since Dec 2022), 1 with expired DPF self-cert, 3 with transfers to non-adequate jurisdictions (BR, IN, CN), and the Heap.io shadow-IT no-DPA entry.

What it is

The artifact every enterprise prospect’s privacy review asks for first. The DPA chain on one screen: DPA signed date, SCC module + version (2021/914), DPF self-cert status, transfer mechanism, Schrems II TIA, DPIA cross-reference.

What’s in it

  • 38 sub-processors — AWS, Stripe, Snowflake, Auth0, Datadog, Twilio, SendGrid, Intercom, Segment, Sentry, Cloudflare, GitHub, 1Password, Persona, OpenAI, Anthropic (shadow IT), Heap (decommissioned), Mixpanel (sunsetting), Zendesk (deprecated), PartnerCo (LATAM non-adequate), TranslateCo (IN non-adequate), ChinaPartnerCo (CN archive), Veriff (EE), plus 14 more.
  • 5-check compliance per row:
    1. DPA signed within 24 months — older = re-negotiate; >2y = flag
    2. SCC version 2021/914 — Commission Implementing Decision; 2010-SCC invalid since Dec 27, 2022
    3. DPF self-certification active — verifiable on commerce.gov/dpf list
    4. Adequacy / transfer mechanism — adequate / us-dpf / non-adequate
    5. Schrems II TIA complete — EDPB Recommendations 01/2020
  • Per-row drilldown — each row carries the DPA date, SCC module (Module 2 = Controller-to-Processor for most SaaS), DPF state, adequacy decision, TIA status, and the cross-reference to DPIATracker activities that use this sub-processor.
  • Failing patterns surfaced:
    • Mailchimp + Mixpanel + Zendesk — SCC 2010 (invalid since Dec 2022)
    • Heap.io — no DPA signed (shadow IT, see IncidentLog INC-08233)
    • PartnerCo (BR), TranslateCo (IN), ChinaPartnerCo (CN) — non-adequate jurisdictions requiring TIA + supplementary measures
    • Zendesk — DPF self-cert expired

Why this shape

GDPR Art 28(3) requires every processor relationship to be governed by a written contract. Arts 44-49 govern international transfers. Schrems II (C-311/18) required Transfer Impact Assessments on every transfer to a non-adequate jurisdiction. SCC 2021/914 mandates the modular SCC clauses. DPADeskbook prototypes the inventory that surfaces all four obligations on one screen — and flags the rows that fail.

How it ships

Single HTML file, ~21KB. Zero dependencies. 38 sub-processors × 5-check pipeline + per-row regulatory citations in 220 lines of vanilla JavaScript.
