Third-party risk

Structured supplier and processor oversight within one connected platform

Acompli maintains supplier, processor, system, and location records as part of a connected privacy workflow, with those entities available across assessments, risk, and RoPA. Due diligence activity, supporting records, and downstream outputs remain linked within the same platform.

One platform. One licence. Every module feeds the next.

Get started Book a walkthrough

Acompli Third-Party Risk Brochure — page 1

View Brochure

How it works

From entity record to connected compliance output

Five stages keep supplier and processor records linked to assessments, risk, and Article 30 outputs within one platform.

StartKnowledge Base

Systems, suppliers, and locations in one connected register

Maintain structured records for the organisational entities commonly referenced in privacy work. Those records are not kept in isolation — they can be reused across assessments, risk workflows, and Article 30 records.

The same entities can be referenced across assessment workflows and reused in downstream outputs, with links back to the underlying records and source context.

IT Systems

Structured records for systems involved in processing personal data, with operational and ownership context.

Third Parties

Processors and external parties recorded once, then referenced across due diligence, assessments, risk, and RoPA.

Locations

Geographic and operational context linked to supplier and system records within the same structure.

01Data Intake

Import existing records and extend them over time

Existing supplier and system data can be imported from Excel or CSV into a more connected structure. AI-assisted mapping helps interpret current spreadsheet layouts, propose likely matches, and surface lower-confidence areas for review.

Supplier and system references identified in assessments or supporting documents can be surfaced as draft records for review, helping the Knowledge Base develop alongside actual project work.

Import

Excel & CSV ImportBring in existing supplier and system registers with AI-assisted column mapping.

Assessment DiscoveryEntities identified during assessment work surfaced as draft records for review.

Document ExtractionSupplier references from uploaded contracts and DPAs proposed as new records.

02Natural Language Search

Ask questions across your supplier and system records

Search across connected records in plain English and move directly from the answer to the underlying entity, related assessment context, and supporting material.

Search results remain connected to the underlying entity record, related assessments, and supporting material, so the answer can be reviewed in context.

Knowledge Base — Search

Which vendors process customer data?4 Found

Which suppliers are outside the EEA?2 Found

Do we have a DPA for this processor?Yes

Which systems are linked to this vendor?3 Linked

Which processors handle special category?1 Found

Connected →Every result links to the entity record, assessment context, and source material

03Assessment Integration

Reference registered entities in structured workflows

Assessment workflows reference the systems, suppliers, and locations already held in the platform, supporting a more structured and consistent record of processing context.

Supporting records, documents, assessment answers, and related context remain associated, providing a more complete review trail. AI enhancement draws on Knowledge Base context to produce grounded, organisation-specific answers.

Processor Assessments

Vendor oversight, due diligence, and contract governance reviews referencing registered suppliers directly.

DPIAs & Privacy Assessments

Select from your registered IT estate and processor list instead of recreating context as free text.

Transfer Impact Assessments

Locations and transfer mechanisms linked to the suppliers and systems behind the flow.

Principle →Record once. Reference everywhere. Keep the link.

04Connected Outputs

Approved work feeds risk, RoPA, and the wider record

Once assessment work is approved, outputs support connected risk records, Article 30 records, and a searchable archive — with supplier and processing context carried forward automatically.

Every output carries provenance back to the assessment content and supporting evidence that informed the finding, preserving continuity between the source material and the output.

Risk Register

Supplier-related risks with context

Issues identified during review generate structured draft risk entries linked to source evidence.

RoPA Records

Article 30 linked to assessed activity

Processing records draw from entities and context already captured during assessment.

Searchable Archive

Assessment history preserved

Past due diligence and supplier assessments remain searchable for future reference.

Entity Timeline

Relationship history over time

Each entity accumulates assessment history, review activity, and governance decisions.

05Continuity

Maintain the relationship over time

Because the underlying entity remains in the platform, future assessments, reviews, and updates build on the same registered record. Context survives people changes.

Teams can move from a supplier query to the underlying record, related assessment context, and supporting material in one place. Records remain reusable, reviewable, and connected to the work that produced them.

Connected

Suppliers

Risk

RoPA

Assess

Third-party risk connected

Supplier and processor oversight as part of one connected privacy workflow. Knowledge Base records, assessments, risk, and RoPA outputs working together.

Get started →Book a walkthrough

Frequently Asked Questions

What is a data processor register and why does GDPR require it?

A processor register is a maintained inventory of every third party that processes personal data on your behalf under a documented instruction (Article 28 GDPR). It records the processor's identity, processing scope, transfer arrangements, security measures, and contractual status. GDPR does not specify a format for the processor register, but Article 5(2) accountability requires that organisations demonstrate compliance on demand. In practice, a processor register that is current, complete, and evidenced by reviewed contracts and assessed relationships is one of the most frequently requested documents in regulatory investigations and supervisory audits.

What is the difference between a processor, sub-processor, joint controller, and recipient?

A data processor processes personal data on your behalf under documented instructions — a cloud provider, payroll provider, or marketing platform. A sub-processor is a third party your processor engages to carry out processing on their behalf — their infrastructure provider, for example. You are responsible for your processors' sub-processors under Article 28(4). A joint controller is an entity that determines the purposes and means of processing together with you — a joint venture partner, or a franchisor and franchisee. A recipient is any entity to whom data is disclosed, whether or not they are a controller or processor. Acompli records all five roles in the Third Parties register, with role-appropriate fields for each. Sub-processor lists are maintained per processor, with notification arrangement tracking.

Can we import our existing processor list from Excel?

Yes. Acompli's bulk import accepts Excel and CSV and uses AI column mapping to interpret your existing column headers — and the actual data values — against the Knowledge Base schema. The mapping is presented for review before any data is committed, with confidence scores per column and per-field lineage tracking. Low-confidence mappings are flagged. If your file contains a mix of IT systems, vendors, and locations, the AI detects and separates them into the correct registers. You can also import directly from SharePoint, Google Drive, or OneDrive URLs, or download a pre-formatted template to structure your data before uploading.

How does the Vendor Privacy Assessment template work?

The Vendor Privacy Assessment is a structured due diligence framework available in the template library — covering security posture and certifications, sub-processor arrangements, incident notification and breach procedures, data deletion and return procedures, transfer mechanisms and safeguards, and contractual compliance status. Assessment questions that reference processors and IT systems use KB-linked question types — respondents select from your actual inventory rather than entering free text. Responses are linked to the entities they describe. When the assessment is complete, extracted risks flow to the Risk Register with evidence links back to the source responses. The processor record in the Knowledge Base is updated to reflect the assessment outcome and review date.

How does the Knowledge Base connect to our ROPA?

When ROPA entries are generated from approved DPIAs, Acompli's AI synthesises the processing activity record from the assessment responses and the KB entities selected during the assessment: processor names and DPO contacts from Third Party records; systems used and data residency from IT System records; storage locations from Location records; transfer safeguards and contract details from the entity's registered fields. The ROPA is derived from assessed and approved KB relationships — not maintained as a separate document. When a processor relationship changes, the next assessment of an activity involving that processor produces an updated ROPA entry reflecting the current position.

Can we ask questions about our vendor inventory?