ROPAi
Compliance Intelligence
“Article 30 + Chapter V evidence, as a live system.”
Dashboard
Overview of your ROPA compliance status
Welcome to ROPAi
Your Article 30 register, ready in 60 seconds.
Pick the tools your team uses, from Stripe to Microsoft 365. ROPAi drafts a fully-populated register entry for each one, ready for you to review.
Stripe AWS Salesforce Microsoft 365 Google Workspace HubSpot Twilio Slack Notion + more
Your posture at a glance, what's healthy, and what to fix next.
ROPA Health
Pulse · live The register is watching itself.

What's holding your score back

Resolve these to move the number. Biggest impact first.
Action queue
Register status
Next 30 days deadlines
DSAR workflow
Transfers by region
Pulse signals
Recent activity
No recent activity
Post-import review
ROPA imported. Here is where GDPR attention should go next.
ROPAi has reviewed your imported records and turned them into guided operational queues.
Pulse · the living register
Your register is watching itself.
register fresh
Signals
Register freshness
Conversation
Ask Pulse about your register, score, action queue, or coverage gaps.
Enter to send · Shift+Enter for a new line. Pulse answers from your live register; interpretive questions are routed to your DPO.
Watches
Standing instructions Pulse runs for you, automatically.
News
Regulatory and vendor signals affecting your register.

Register Health

Health score —
ROPAi scores the register on completeness, review freshness, and Article 30 / 35 / Chapter V follow-up. Click any driver to see the specific records pulling the score down.
Pulling the score down
All drivers clear. No score deductions currently apply.
DPIA action tracker
Mitigation actions across all DPIAs
Once a DPIA recommends a mitigation, ROPAi keeps it visible until it's resolved, sorted by urgency, never lost.
0 overdue 0 open
No live DPIA mitigation actions. ✓
No ROPA Health items yet.
Transfers
Coverage —
International transfers
—
Every international transfer in one place, with its safeguard, transfer assessment, and agreement status. We surface what is missing or outstanding first, and keep the rest quietly maintained.
✓

Every transfer is in good shape.

Safeguards, assessments and agreements are recorded across the board. Nothing needs you right now.

✓
Safeguard and agreement recorded, assessment on file. Nothing to do here.
International transfers
Safeguard in place
TRA outstanding
No safeguard
Agreement missing / expired
International transfer register
0 items
No international transfers yet. They appear automatically when an activity sends data outside the UK.
Safeguarded
TRA outstanding
No safeguard
Where your data goes
Select a region on the map to focus, or scroll the full list.
Step 1 of 6
Live transfer monitor
Data Flow Atlas
0 routes
Safeguarded TRA outstanding No safeguard
🌍
No international transfers yet
The Atlas plots flows where an entry references a non-UK destination. Add one to see it light up here.
1. Quick intake (Supplier details)
2. AI interview (6–7 questions)
3. ROPA entry ready (Auto-generated)
AI-drafted ROPA, reviewed by you
Start with a few supplier details. ROPAi drafts the guided interview, you review, edit, and sign off each field before the entry is saved.
Legal basis Recipients DPIA screening
Use the legal entity name.
What is this supplier used for?
Will this supplier process personal data for you?
Treating as Yes. Where there is any doubt, we treat the answer as yes. Better to run an unnecessary interview than miss a genuine processing activity.
Tick this if the supplier or internal workflow uses AI, models, or automated reasoning as part of the processing arrangement.
Approximate month and year.
Used for renewal reminders.
Which team owns this supplier?
Add a specific person if one individual owns this supplier relationship.

The AI interview drafts answers for you to review. Fill in manually opens a blank record so you can type every field yourself, no questions asked.

Please complete all fields before continuing.

ROPAi co-pilot
Question 1 of 7
R
ROPAi asks
AI Interview
Suggested terms, click to add
Skip
Article 30 coverage
0 / 7
Reasoning
ROPAi will share its inferences as you answer.
ROPA preview
LIVE
Untitled record
Supplier context
Supplier
Purpose
Owner
Named owner
Live data flow map
Active node
Inactive
⚠️
DPIA Required, Article 35
Special category data detected. UK GDPR Article 35 requires a Data Protection Impact Assessment before this processing begins.
Answers so far
ROPAi
Generating your ROPA entry

Mapping interview answers to Article 30 fields...

Interview answers received
Analysing processing activities
Mapping to Article 30 fields
Identifying legal basis
Drafting ROPA entry
DPIA
Not assessed
LIA
Not assessed
AI Governance
Not in use
Data Flow Diagram
Auto-generated from this entry
Visual map of how personal data flows through this processing activity, who it concerns, what's collected, and where it goes. Useful for auditors, DPOs, and Article 30 reviews.
Data subjects
Processing activity
Recipients / processors
Third country transfer
Activity log
0 events
Needs attention: Entries that still need screening or a completed DPIA decision.
Mitigative actions: Open mitigation actions still being tracked across completed DPIAs.
Completed: Entries where the full DPIA has been recorded as complete.
DPIA review queue
Click an item to open the entry and jump into its DPIA assessment record.
0 items
No DPIA reviews yet. DPIA screening appears as you add activities to your register.
Guidance
Why this matters
ICO guidance expects the DPIA to be completed before high-risk processing starts. Without a product integration, the clearest control ROPAi can provide is an explicit review queue and a recorded assessment trail against the contemplated or live processing activity.
Use screening early
Run the screening while a supplier or processing idea is still being reviewed internally, not only after approval.
Keep a record
Every screening result and DPIA completion state should remain attached to the processing record for accountability.
Use the idea intake
Start with `Assess new processing` when the team is still evaluating a new supplier, model, or data use before it begins.
Pre-Go-Live Intake
Assess a new processing idea before it starts.
Use this when the team is still considering a new initiative, supplier, model, or data use. ROPAi will create a draft record so screening can happen before the processing is approved or switched on.
Contemplated processing Early DPIA screening Accountability trail
Name the initiative, project, supplier, or new data use being considered.
What is the organisation trying to achieve?
Which team is proposing or sponsoring the processing?
Describe the proposed activity in plain English.
What personal data would likely be involved?
Who would be affected by this processing?
If known, when would the processing begin?
If a vendor is involved, add it now. If not, leave blank.
Send a blank questionnaire if you just want them to complete it, or prefill the fields above first and send that version instead.

Please complete the idea name, purpose, sponsor team, and processing summary.

Legitimate Interests Workflow
Keep legitimate interests assessments visible when that is the chosen basis.
Entries relying on legitimate interests should surface here automatically. The workflow should show what still needs an assessment, what has been completed, and what should be reviewed again because the processing or balancing decision may have changed.
Action queue Completed record Review reminder
Needs action: Entries using legitimate interests without a completed or current LIA.
Review due: Completed LIAs that should be checked again before relying on them.
Completed: LIAs that have been recorded as complete in ROPAi.
No legitimate-interests assessments yet. They appear when an activity relies on legitimate interests.
Completed LIAs will appear here.
Scheduled reports
Recent platform activity
Last 20 actions across ROPA, DPIA, LIA, and DSAR workflows.
No recent platform activity yet.
Account
Workspace
Profile
Your personal details and how ROPAi tailors the experience to your role.
About you
Pulled from your sign-up. Email is managed through Security.
Name
Loading…
Email
Loading…
Workspace role
Admin
How you use ROPAi
Sector and role inform Pulse, the AI Feature Watch heuristics, and the onboarding examples we surface.
✓ Saved
Organisation
The workspace your records sit in. Plan and seats are managed in Billing.
Workspace details
Captured at sign-up. Contact [email protected] to change the legal name on your records.
Organisation name
Loading…
Sector
Not set
Data region
EU West (Ireland) · Supabase
Current plan
Loading…
Plan & billing
Manage your subscription, payment method, and invoices from the Billing screen.
Security
Multi-factor authentication and account hardening.
Multi-factor authentication (TOTP)
Add a time-based one-time code from any authenticator app (Microsoft Authenticator, Google Authenticator, 1Password, Authy, Bitwarden). Required for AAL2 sessions.
Session & sign-in
Your audit trail records every sign-in, ROPA change, and assessment update with a SHA-256 hash chain.
Last sign-in
This session
Audit trail
Append-only · hash-chained · View history →
Notifications
One place for every alert. Connect Slack and tune what pings you, when, and where. Trust Library is set up first; DSAR and DPIA adopt the same rules.
Team & Seats
Invite colleagues and manage their access. Unlocks on Govern.
Approvals
Who signs off ROPA entries before they go live, and under what conditions.
Approval roles
The people or roles authorised to approve entries. Names appear on entry cards and in the activity log.
When is approval required?
Pick the threshold at which a new ROPA entry must be reviewed before being marked live.
Multi-stage approval
Require sign-off from multiple roles in sequence, useful for a formal DPO + Legal review chain.
Enable multi-stage approval
Entries must pass through each stage in order
Additional options
Fine-tune approval behaviour.
Require justification on approval
Approver must add a comment before approving
Auto-approve Low risk entries
Low risk entries skip the approval queue entirely
✓ Saved
DSAR Workflow
Default owners, escalation rules, and team access for subject access requests.
Default owners
Used when a new DSAR is logged and feeds future stage-based automation.
Sources records and evidence.
Prepares the draft response.
Approves complex replies before they're sent.
Guidance for non-legal teams.
Short guidance shown in future workflow steps.
Access control
Map team emails to scoped views. Operations sees DSAR only; a secondary team can be given a narrow evidence inbox; Legal and Admin keep broader access.
DSAR workflow only.
Scoped evidence inbox only.
Broader DSAR review access.
Full workspace access. Unlisted users default to admin for now.
✓ Saved
Transfers Library
Reusable counterparties and technical measures for your IDTAs, SCCs and DPAs. Fill once here, exports pull the right rows automatically.
Parties Registry
Single source of truth for every counterparty on a transfer record. Mirrors Annex I.A of the EU SCCs and Table 1 of the UK IDTA.
TOM Library (Technical & Organisational Measures)
Catalogue your security measures once, then tag each with the SCC clause / IDTA Annex II row it satisfies. The branded export engine pulls tagged TOMs straight into Annex II / Table 4.
Tags drive auto-population of IDTA Table 4 / SCC Annex II on export.
Dashboard
How the dashboard is laid out and how far ahead it looks for renewals.
Dashboard defaults
Applies to the main dashboard hero and the renewal signals on the register.
Number of operational cards in the hero.
How far ahead to surface contract renewals.

Request processing

How the live queue is performing

Upcoming deadlines

Requests requiring attention
Showing the live DSAR queue.
No requests yet. Log a subject access request to start your first case.
Reporting
Dated KPIs across every subject request. This is the spreadsheet, generated.

Targets

The bands behind the numbers above. Yours to set.

Custom KPIs

Track anything the business reports on. Saved to this workspace.
days
Each KPI counts cases matching the filter, then the % meeting the threshold. Drives the green/amber/red band.

Per-case register

Requester | Type | Handler | Received | Acknowledged | Due | Responded | Days to ack | Days to respond | SLA
Days-to-ack = acknowledged − received. Days-to-respond = issued − received. SLA met = issued on or before the statutory deadline. Open cases show no SLA outcome until issued.

Workload by handler

Open cases per handler, allocation at a glance. Counts every open case regardless of the period filter.

Withholding & refusal register

Everything withheld, redacted or refused in the period, with its statutory basis. The aggregate defence file for an ICO conversation.
Open evidence requests
0
Cases waiting on underwriting
Overdue
0
Past the DSAR deadline
Completed today
0
Reports marked complete
Underwriting evidence requests will appear here.
XML + Open Banking reports
Underwriting evidence inbox
Provide the XML and Open Banking reports requested by DSAR Operations.
Requester | Request | Deadline | Requested by | Action
No underwriting evidence requests are open right now.
Next action
—
ROPAi brief
A quick internal brief built from the case record, workflow state, evidence, and blockers.
Decide and route
Use triage to assess complex, third-party, agency, and fraud-review requests before the case moves into evidence work.
Triage decision
Choose the outcome of triage so the next step is explicit.
Date acknowledged Back-datable. Drives days-to-acknowledge.
Why it is here
Evidence is still being gathered
ROPAi is holding the case in this stage until the required evidence sources are complete.
What moves it forward
Complete the remaining evidence tasks
Once the checklist is complete, ROPAi moves the case into drafting automatically.
Evidence checklist
Track source-system searches before this case moves into drafting.
0 of 0 complete
Request evidence from a colleague
ROPAi worked out where this person's data lives from your register. Click Request to ask the owner, a secure upload link goes straight onto this case, no data travels by email.
Where the evidence lives
Documents stay in your own systems (Dixa, SharePoint, mailboxes). ROPAi records where each one lives, so this case file points at everything without holding any of it.
Send to Legal
This case routes to Legal. Hand the compiled pack over for legal sign-off.
Legal review & sign-off
This case routes to Legal because of its request profile. Capture the legal sign-off on the compiled response pack in Compile & review.
Response letter
Pick the controlled template the response goes out under. The substance was compiled and signed in the earlier steps, this is the letter that carries it.
Dispatch & close
Issue the controlled response, record the delivery method, and close the case here.
Activity timeline
Case thread
New subject access request
Capture the request once. Add the inbound email and ROPAi classifies it, sets the statutory clock, and builds the case and framework around it.
Request details
Inbound email
Paste the request email. ROPAi reads it to classify the request and prefill the details above. Optional, but it makes the case richer and seeds the correspondence timeline.
Routing
Not sure? Leave it as Standard SAR. Agency = a claims firm acting for someone. Third-party = someone asking about another person. Triage can change this later.
Notes
ROPAi will pre-fill, you decide
Sets the verification posture, calculates the response deadline when it can start, suggests default owners, recommends the response template, and drafts the evidence checklist for this request type, all reviewable and editable before the case goes live.
✓
Ready to send
All evidence is gathered, the draft is controlled, and the case is ready for final issue.
Send response
Final confirmation before dispatch. Record the delivery method and close the case cleanly.
Case
DSAR case
Delivery guidance
Record the delivery method and any separate password-sharing step in the dispatch note.
Template
Controlled template
Evidence
Checklist status
Use this 12-character password for the ZIP or response pack, and send it through a separate channel from the attachment email.

Your plan & billing

Manage your subscription, upgrade your plan, or access the Stripe billing portal to update your payment method.

30-day Free Trial
Your trial is active. Choose the plan that should take over when the trial ends. Live features and plan descriptions stay aligned with the current workspace.
Monthly
Secure payments Powered by Stripe. We never store card details. All transactions are PCI DSS compliant.
Cancel anytime No long-term contracts. Cancel from the billing portal and your plan continues until the end of the period.
Questions? Email [email protected], we reply the same day.
Trust & security EU-hosted (Ireland), encryption at rest + in transit, tenant isolation via RLS. View hosting, sub-processors & DPA →
Renewal Check
Let's confirm this entry is still accurate before the contract renews.
Is your organisation still using this supplier?
Has the scope changed?
Think about changes to data types, countries, sub-processors, or purposes since the last review.
Has the scope of personal data processing changed?
e.g. new data categories, transfers to new countries, new sub-processors added
Update renewal date
Great, the ROPA entry is still accurate. Please set the new contract expiry date.
Fresh interview needed
A new AI discovery interview will run to update the ROPA entry. The existing entry will be preserved in version history.
Ready to start the fresh interview for ?
Mark for offboarding
Next steps for your DPO: Confirm all personal data has been deleted or returned, verify the Data Processing Agreement has been terminated, and archive the ROPA record.
Mark this entry as Action Required and notify the DPO?
Ask a colleague
Data minimisation: the recipient sees just what they need to answer. Nothing else from the case leaves the platform, and the email itself carries no personal data.
Previous requests on this case
A colleague needs your input
A data request needs information only you can confirm. You're only seeing the details required to answer.
Confirm identity verification
Record that this requester's identity has been positively verified before any personal data is disclosed. This is logged to the audit trail.
Trust & security
How ROPAi stores, processes and protects your data.
Hosting
EU · Ireland
Supabase EU-West (Dublin), Netlify EU edges.
Encryption
AES-256 at rest · TLS 1.2+ in transit
Keys managed by Supabase.
Tenant isolation
Postgres Row-Level Security
Every row scoped to your org_id.
Breach SLA
72h notification
Aligned to UK GDPR Article 33.
Evidence trail
Activity history live · append-only storage planned
Current demo activity is visible in-product; Supabase append-only history is the pre-pilot hardening item.
Assurance roadmap
Cyber Essentials Plus Q1 2027 · ISO 27001 Q4 2027
SOC 2 Type I targeted for Q2 2028; SOC 2 Type II Q4 2028.
Sub-processors
Supabase Inc., Postgres, auth, storage (EU-Ireland) · Netlify Inc., hosting, serverless functions · Anthropic PBC, Claude AI for ROPA interviews and document drafting (zero-retention API; prompts not used for training) · Stripe Payments Europe Ltd., billing (card data never touches our servers).
AI data handling
Claude is used to conduct ROPA interviews, draft DPIAs and summarise audit evidence. Prompts are sent to Anthropic's API under a zero-retention agreement, not used to train models. You can review and edit every AI output before it's saved to your register.
Retention & deletion
You control retention. Deletions are soft by default (audit-preserving) with hard-delete on request. On account termination, data is exported and purged within 30 days.
Sector framework alignment
NHS / public sector, mapping ROPAi evidence surfaces to Data Security and Protection Toolkit (DSPT) assertions and NCSC Cyber Assessment Framework (CAF) outcomes. In discovery with NHS / public-sector advisors. Financial services, FCA Consumer Duty and operational resilience mappings planned. EU AI Act, FRIA and Annex III support scaffolded into the DPIA workflow.
Score driver
−0
Transfer Agreement
Record how this transfer is safeguarded, IDTA, SCCs with UK Addendum, or an Article 49 derogation.
Pick from Parties Registry · + Add new party
Pick from Parties Registry. Use the same picker for SCC Annex I.A.
The master DPA this IDTA / Addendum supplements.
Auto-suggested from the data exporter's jurisdiction.
Drives the review reminder on the dashboard.
Sets the clock for the next review.
Unique audit ID printed on every export.
Annex III, Sub-processors (Modules 2 & 3, Clause 9 prior notification)
Notification window defaults to 14 days (Clause 9(a) general option) and starts on the proposed date. Sub-processors cannot be set "Active" until the window has elapsed and approval is recorded.
Lifecycle & Termination
Triggers the off-boarding checklist (Clause 16 / IDTA Table 1 termination).
Off-boarding checklist (SCC Clause 16 / IDTA Table 1)
Transfer Impact Assessment (TIA)
Chapter V UK GDPR (Arts. 44–49) · Schrems II · EDPB Rec. 01/2020 (applied as best practice)
DSAR workflow designer
Configure the evidence checklist your team works through for each request type. Saved templates apply to new cases; unconfigured types use the built-in default.
Saved
Request sign-off
Send a sign-off request from ROPAi. The email is logged to your audit trail.
Pre-filled from Settings → Approvals when a matching slot is configured.
A link to the assessment is appended automatically. Branded email shell + your sender details are added on send.
Add approver
Who signs off ROPA entries before they go live. Slot drives the Request sign-off email routing.
The Request sign-off button on a DPIA will email the approver listed against the matching slot.
Without an email, Request sign-off opens with a blank To: field for you to fill in.
ROPA Compliance Audit Report
Schedule recurring audit report
ROPAi will draft an audit report on schedule and save it to your report log for DPO review and sign-off.
✓ Available on Govern and Orchestrate plans.
⚡ Vendor Library
One-click add common processors. Pre-filled with UK GDPR compliant data.
🔍
0 tools selected — each becomes a draft entry you can review.
Import existing ROPA
Upload an Excel (.xlsx) or CSV file. ROPAi will map the columns and add any new rows to your register.
📂
Click to browse or drag & drop
Supports .xlsx and .csv
or paste straight from Excel / Google Sheets
Your column | Maps to | Sample value
Supplier | Existing purpose | Incoming purpose | Decision
Manage custom columns
Add custom fields to every ROPA entry, e.g. AI checklist, internal notes, or bespoke compliance flags.
Add new column
Set up multi-factor authentication
Scan the QR code below with your authenticator app (Microsoft Authenticator, Google Authenticator, 1Password, Authy, Bitwarden, etc.), then enter the 6-digit code it generates.
Generating secret…
Can't scan? Enter this secret manually:
✓
MFA is now active
From your next sign-in, ROPAi will ask for a 6-digit code in addition to your password. Keep your authenticator app backed up; losing it requires an email recovery flow.
📄 Privacy Notice, Generated by ROPAi
Based on this ROPA entry · UK GDPR compliant
Import completed template
Upload a completed ROPAi screening template or editable full DPIA template. Templates repopulate the screening record or replace the saved full assessment sections.
📄
Drop your completed ROPAi template here
PDF, DOCX, or TXT accepted. Use ROPAi editable templates for the most reliable round-trip.
Imported content, review before saving