Third-Party Risk · GDPR Article 28
Vendor privacy risk software that knows what every processor does with your data
Assess processors, track data processing agreements and evidence Article 28 due diligence from one governed vendor inventory — including the shadow AI and shadow IT nobody registered.
Due diligence records, recurring reviews, DPA evidence and an audit-ready Third-Party Risk Register — linked to the systems and data each vendor can actually touch.

Vendor inventory and vendor risk assessments
Acompli helps teams maintain a vendor inventory and trigger vendor risk assessments based on data access, criticality, processing purpose, system dependency, AI use, transfer exposure or renewal date.
Suppliers, systems and locations in one connected inventory
Maintain structured records for the organisational entities commonly referenced in privacy work. Those records are not kept in isolation — they can be reused across assessments, risk workflows, and Article 30 records.
Wherever they appear, those records keep links back to the underlying entity and its source context.
Connected records. Clear exposure.
IT Systems
Structured records for systems involved in processing personal data, with operational and ownership context.
Third Parties
Processors and external parties recorded once, then referenced across due diligence, assessments, risk, and RoPA.
Locations
Geographic and operational context linked to supplier and system records within the same structure.
Records
DPAs, assessments, risks, reviews and audit evidence linked to the supplier relationship.
Article 28 control record
What a defensible processor record has to prove
This diagram shows the actual processor file behind the product: role, DPA status, sub-processors, transfers and review cycles all need evidence and downstream links.

Vendor change impact
A supplier change should cascade to every affected record
Vendor updates do not stay isolated. New sub-processors, hosting changes, DPA updates and AI features can affect RoPA, DPIAs, transfer reviews, vendor risk and the data map.

Ireland & UK · GDPR Article 28 & Article 30
GDPR vendor management software for Article 28 oversight
GDPR vendor management is the Article 28 lifecycle in one record: due diligence before onboarding, a data processing agreement on file, recurring reviews, sub-processor oversight, transfer checks and evidence the DPC or ICO can inspect. Acompli turns those facts into a structured vendor inventory and Third-Party Risk Register.
Each vendor record stays linked to the systems, processing activities, data access, contracts, transfer safeguards and risks behind the relationship. When a supplier changes, the affected RoPA, assessment and risk records can be reviewed from the same evidence trail instead of reconciled from a spreadsheet.
Key takeaways
- Vendor risk is privacy risk when third parties process, access or influence personal data.
- Article 28 requires controllers to use processors that provide sufficient guarantees and to keep suitable processor contract evidence.
- Acompli links vendor records to systems, data access, RoPA, DPIAs, contracts, risk reviews and evidence.
- Shadow AI and shadow IT should be treated as third-party risk signals when tools process or access personal data.
Last reviewed: 24 June 2026. See whether a RoPA is a legal obligation in Ireland and the UK (Article 30 explainer) · See the Schrems II Transfer Impact Assessment guide.
What matters
Third-party risk work has to stay connected to the processor record
Procurement tools and security-rating feeds can help, but they do not replace the privacy record. A defensible processor record needs the contract, due-diligence evidence, transfer safeguards, sub-processors and review decisions in one place.
- Processor register: role, data access, DPA status and review date.
- Sub-processors: prior-authorisation trail and onward transfer context.
- Transfers: non-EEA suppliers linked to safeguards and any TIA.
- Connected outputs: RoPA and risk updates drafted for human review.
- Audit export: the current evidence without rebuilding it from spreadsheets.
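As an added illustration, not Acompli's own code or data model, the following Python sketch models the processor record listed above and the change cascade described under "Vendor change impact": each vendor is checked for the evidence a defensible record has to hold (DPA, due diligence, review date, transfer mechanism and TIA, sub-processor authorisation), and a vendor change is traced to the systems, RoPA entries and DPIAs that depend on it. The country sets, field names and the sample inventory are constructed assumptions for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# Illustrative country sets (assumption, not a complete legal list).
EEA = {"IE", "DE", "FR", "NL", "ES", "IT"}
ADEQUACY = {"UK", "CH", "JP"}


@dataclass
class SubProcessor:
    name: str
    country: str
    authorised: bool  # controller's prior written authorisation on file (Art. 28(2))


@dataclass
class Vendor:
    name: str
    role: str                 # "processor" or "controller"
    country: str
    dpa_on_file: bool         # Art. 28(3) contract held as evidence
    due_diligence_done: bool  # documented pre-engagement check
    review_due: date
    transfer_mechanism: str | None = None  # "SCCs", "adequacy", "derogation" or None
    tia_done: bool = False
    sub_processors: list[SubProcessor] = field(default_factory=list)


@dataclass
class System:
    id: str
    vendor: str  # Vendor.name that hosts or supplies the system


@dataclass
class RopaEntry:
    id: str
    systems: list[str]  # System ids used by this processing activity


@dataclass
class Dpia:
    id: str
    ropa_entry: str  # RopaEntry id it assesses


def outside_eea(country: str) -> bool:
    return country not in EEA


def record_gaps(v: Vendor, today: date) -> list[str]:
    """Return the evidence a defensible processor record is missing."""
    gaps = []
    if v.role == "processor" and not v.dpa_on_file:
        gaps.append("no DPA on file (Art. 28(3))")
    if not v.due_diligence_done:
        gaps.append("due diligence not evidenced")
    if v.review_due < today:
        gaps.append("review overdue")
    if outside_eea(v.country):
        if v.transfer_mechanism is None:
            gaps.append("non-EEA supplier with no transfer mechanism")
        elif v.transfer_mechanism == "SCCs" and not v.tia_done:
            gaps.append("SCCs relied on without a TIA")
        elif v.transfer_mechanism == "adequacy" and v.country not in ADEQUACY:
            gaps.append("adequacy claimed for a country without an adequacy decision")
    for sp in v.sub_processors:
        if not sp.authorised:
            gaps.append(f"sub-processor {sp.name} lacks prior authorisation (Art. 28(2))")
        if outside_eea(sp.country):
            gaps.append(f"sub-processor {sp.name} is outside the EEA: onward transfer review")
    return gaps


def impacted_records(systems, ropa, dpias, vendor_name) -> dict[str, list[str]]:
    """Records to re-review when a vendor changes: systems -> RoPA entries -> DPIAs."""
    sys_ids = sorted(s.id for s in systems if s.vendor == vendor_name)
    ropa_ids = sorted(r.id for r in ropa if set(r.systems) & set(sys_ids))
    dpia_ids = sorted(d.id for d in dpias if d.ropa_entry in ropa_ids)
    return {"systems": sys_ids, "ropa": ropa_ids, "dpias": dpia_ids}


# Constructed sample inventory (assumption, not real suppliers).
VENDORS = [
    Vendor("CloudHost", "processor", "US", True, True, date(2026, 1, 1),
           transfer_mechanism="SCCs", tia_done=False,
           sub_processors=[SubProcessor("SupportDesk", "IN", authorised=False)]),
    Vendor("MailerCo", "processor", "IE", True, True, date(2027, 1, 1)),
]
SYSTEMS = [System("sys-crm", "CloudHost"), System("sys-billing", "CloudHost"),
           System("sys-newsletter", "MailerCo")]
ROPA = [RopaEntry("ropa-support", ["sys-crm"]),
        RopaEntry("ropa-invoicing", ["sys-billing", "sys-newsletter"]),
        RopaEntry("ropa-newsletter", ["sys-newsletter"])]
DPIAS = [Dpia("dpia-support", "ropa-support"), Dpia("dpia-newsletter", "ropa-newsletter")]


def review_vendor(name: str, today: date = date(2026, 6, 24)):
    """Gaps in the vendor's record plus every record a change to it should cascade to."""
    v = next(x for x in VENDORS if x.name == name)
    return record_gaps(v, today), impacted_records(SYSTEMS, ROPA, DPIAS, name)


if __name__ == "__main__":
    for v in VENDORS:
        gaps, impact = review_vendor(v.name)
        print(v.name, gaps, impact)
```

Run as a script, the US-hosted vendor is reported with an overdue review, SCCs without a TIA and an unauthorised non-EEA sub-processor, and a change to it is traced to two systems, two RoPA entries and one DPIA; the Irish vendor has no gaps. The point of the cascade function is that the review list is computed from the links, so nothing has to be reconciled by hand from a spreadsheet.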
Which tool
Which type of vendor risk tool fits you?
“Vendor risk” software splits into different jobs. Scoring a supplier’s cyber posture is a different question from evidencing GDPR Article 28 processor obligations — the right tool depends on which one a regulator will ask you about.
| Type of tool | Best for | What it does | Watch-out |
|---|---|---|---|
| Security-rating TPRM | Security teams scoring cyber risk across many suppliers | Security ratings, questionnaires and breach monitoring | Rates cyber posture, not the GDPR Article 28 processor record, the DPA or transfer safeguards a supervisory authority inspects |
| Procurement / contract management | Procurement teams managing the contract lifecycle | Stores and routes contracts, including the DPA document | Holds the contract, not the evidenced due diligence, sub-processor trail or transfer position behind each processor |
| Privacy-platform VRM | Privacy teams running Article 28 vendor due diligence | Vendor inventory, DPA tracking and processor assessments | Often a vendor module that sits apart from the RoPA, DPIAs and risk register |
| Privacy-platform-integrated (where Acompli sits) | Privacy teams who need the processor record to feed the RoPA, DPIAs and risk | Article 28 due diligence and assessment-fed vendor records, linked to systems, transfers and sub-processors and human-reviewed | A privacy and governance tool, not a cyber-security-rating feed |
Vendor risk FAQ
Frequently Asked Questions
What is vendor privacy risk management software?
Vendor privacy risk management software tracks the third parties that process or access personal data, and the evidence that makes each relationship defensible. In Acompli, every vendor record holds its processor role, data categories and access, DPA status, technical and organisational measures, sub-processor signals and review dates, linked to the systems and processing activities the vendor actually touches.
What is GDPR vendor management software?
GDPR vendor management runs the Article 28 lifecycle: due diligence before onboarding, a data processing agreement on record, recurring reviews, and evidence the DPC or ICO can inspect. Acompli triggers a vendor risk assessment from onboarding, keeps the DPA and due-diligence evidence on the vendor record, and rolls everything into an audit-ready Third-Party Risk Register.
What is Article 28 processor due diligence?
Article 28 requires controllers to use only processors providing sufficient guarantees; due diligence is the documented check. In Acompli that record covers the processor, processing purpose, data access, technical and organisational measures, DPA status, sub-processors and review dates; completed vendor assessments feed the Article 30 register, and suppliers outside Europe are flagged for Schrems II transfer review.
What should a vendor inventory include?
Vendor name, service and owner; processor or controller role; data categories and data-subject types; systems and data access; DPA status and due-diligence evidence; transfer destinations and safeguards; review dates and open risks. Acompli imports an existing vendor list from Excel and turns each row into a governed record connected to your RoPA, assessments and risks.
How should privacy teams handle shadow AI?
Treat it as third-party risk: record the tool, what personal data or prompts it touches, who uses it and under what terms. Acompli captures shadow AI and shadow IT as vendor signals so they enter the same inventory, get a risk assessment, and either become approved vendors with a DPA on record or get retired, with the decision trail kept for the DPC or ICO.
Is maintaining a processor register a legal requirement in Ireland and the UK?
Under Article 30 GDPR — applied in Ireland (enforced by the Data Protection Commission) and mirrored in the UK GDPR / Data Protection Act 2018 (enforced by the ICO) — controllers and processors must maintain records of their processing, and processor relationships sit within that obligation. Article 28 separately requires a written contract governing every processor, and Article 5(2) accountability means you must be able to produce current, evidenced processor records on request. The small-organisation Article 30(5) exemption rarely applies in practice because processing is usually regular or involves special-category data. A processor register that is current and audit-ready is what the DPC or ICO expects to see in an investigation.
More detailed questions
What should a processor-risk record prove?
It should show the processor role, data access, DPA status, sub-processors, review date, transfer safeguards and connection to the Article 30 RoPA. Acompli keeps those facts as connected Knowledge Base records rather than a static vendor spreadsheet.
What should vendor risk management software track for Article 28?
Track the DPA, due-diligence evidence, sub-processor authorisation, transfer mechanism, TIA where required, open risks and review decisions. Acompli links those items to the supplier record so an audit export is a current record, not a reconstruction.
How does Acompli support processor due diligence and DPA workflows?
Acompli runs a structured Vendor Privacy Assessment, tracks DPA status against Article 28 requirements, and flows approved outputs to the risk register and Article 30 RoPA with evidence links back to the source response.
What should processor risk software track for Schrems II suppliers outside Europe?
For suppliers outside the EEA, the register should capture the transfer mechanism (Standard Contractual Clauses, an adequacy decision, or a derogation), the Transfer Impact Assessment and its supplementary measures, the supplier's location, and any sub-processor chain that leaves the EEA. This operationalises the CJEU's Schrems II ruling (Case C-311/18) and the EDPB's supplementary-measures recommendations — and it matters in Ireland in particular, where the DPC is the lead supervisory authority for many large US-headquartered processors. Acompli links each transfer to its safeguards and TIA so the position is evidenced, not asserted.
How does the Vendor Privacy Assessment template work?
The Vendor Privacy Assessment is a structured due-diligence framework in the template library — covering security posture and certifications, sub-processor arrangements, incident notification and breach procedures, data deletion and return, transfer mechanisms and safeguards, and contractual compliance status. Questions that reference processors and IT systems use Knowledge-Base-linked types, so respondents select from your actual inventory rather than entering free text. When the assessment is complete, extracted risks flow to the Risk Register with evidence links back to the source responses, and the processor record is updated with the outcome and review date.
How does the Knowledge Base connect to our RoPA?
When RoPA entries are generated from approved DPIAs, Acompli synthesises the Article 30 processing record from the assessment responses and the Knowledge Base entities selected during the assessment — processor names and DPO contacts from Third Party records, systems and data residency from IT System records, storage locations from Location records, and transfer safeguards and contract details from each entity's registered fields. The RoPA is derived from assessed, approved relationships rather than maintained as a separate document, so when a processor relationship changes the next assessment produces an updated entry reflecting the current position.
Can we import our existing processor list from Excel or SharePoint?
Yes. Bulk import accepts Excel and CSV and uses AI column mapping to interpret your existing headers and data values against the Knowledge Base schema, with confidence scores per column and per-field lineage; low-confidence mappings are flagged for review before anything is committed. A mixed file of IT systems, vendors and locations is detected and separated into the correct registers, and you can import directly from SharePoint, Google Drive or OneDrive, or use a pre-formatted template.
Can we ask questions about our vendor inventory?
Yes. A Knowledge Base assistant lets you ask in plain English — for example “which vendors process health data?”, “what systems are missing ISO 27001?”, or “which third parties are outside the EU?” — and get answers with sources drawn from your actual inventory, with no spreadsheets to export or reports to build.
How do completed vendor privacy assessments and Transfer Impact Assessments feed our Article 30 RoPA?
When a Vendor Privacy Assessment is approved in Acompli, the processor's registered fields — DPO contact, sub-processor list, transfer mechanism, Data Processing Agreement reference, and any Transfer Impact Assessment outcome — become the source of truth for that processor across the platform. When you generate a RoPA entry from an approved DPIA, the Article 30(1)(d) recipients block, the Article 30(1)(e) third-country transfers block, and the Article 30(1)(g) security-measures block are synthesised from those assessed values rather than being typed in. This means the Article 30 register reflects what the assessment actually evidenced — the kind of demonstrable accountability under Article 5(2) that the DPC and ICO expect when they audit processor oversight.
What processor records does the DPC expect to see in an audit?
In an Irish supervisory audit, the DPC typically asks to see a current processor inventory, the Article 28 written contract for each processor, the due diligence completed before engagement, the sub-processor list with the controller's prior written authorisation under Article 28(2), the transfer mechanism and any Transfer Impact Assessment for non-EEA suppliers, and how breaches by a processor would be notified to you within 72 hours under Article 33. Records must be evidenced, current and reconcilable to the Article 30 RoPA — Article 5(2) accountability means asserting these controls is not enough. Acompli holds each of these as connected Knowledge Base entities, so the audit pack is a query, not a reconstruction project.
How should you manage sub-processors under GDPR Article 28?
Under Article 28(2) of the GDPR, a processor may not engage a sub-processor without the controller's prior specific or general written authorisation; where the authorisation is general, the processor must inform the controller of any intended addition or replacement of sub-processors and give the controller the opportunity to object. Under Article 28(4), the same data-protection obligations set out in the controller-processor contract must be imposed on the sub-processor by a contract or other legal act, and the initial processor remains fully liable to the controller if the sub-processor fails to meet them. Acompli keeps the sub-processor list, its authorisation status and the onward-transfer context on each vendor record, so the prior-authorisation trail and any objection are evidenced rather than reconstructed, and non-EEA sub-processors are flagged for transfer review.
How does vendor risk management cover the EU AI Act?
Under the EU AI Act (Regulation (EU) 2024/1689), obligations run along the AI value chain. Providers of high-risk AI systems must supply deployers with clear instructions for use and the information needed to use the system appropriately (Article 13), and deployers have their own duties, including using the system in line with those instructions and ensuring human oversight (Article 26). A system is high-risk under Article 6 either as a safety component of a regulated product (Annex I) or because it falls within an Annex III use case, subject to the Article 6(3) exception. Certain systems also carry Article 50 transparency obligations, and providers of general-purpose AI models have separate obligations (Article 53). For a privacy team, AI suppliers are third parties: Acompli records which vendors provide AI, captures the provider's documentation and the system's role, and flags them for EU AI Act review. Whether a system is high-risk is a legal classification a person assesses and records on the EU AI Act workflow, not something the tool decides on its own.
What is the best third-party risk management software?
The best third-party risk management software is decided less by how many questionnaires it sends than by whether each vendor is a governed record that stays current: the Article 28(3) DPA, due-diligence evidence, sub-processor authorisation and transfer safeguards held against the supplier, versioned, and reconcilable to the Article 30 RoPA. Acompli's angle is to govern these as connected, human-approved records tied to the wider GDPR and EU AI Act programme, with each vendor decision traceable to approved evidence. For a balanced, unbiased comparison of the available suppliers (evidence-based, drawn from public sources, and honest about where competitors are stronger than Acompli), we have compiled capability charts and vendor-by-vendor breakdowns for you to consider in our full comparison library.
Third-party risk connected
Supplier and processor oversight as part of one connected privacy workflow. Vendor records, assessments, risk, and RoPA outputs working together.