ROPAi
Compliance Intelligence
“Article 30 + Chapter V evidence, as a live system.”
Dashboard
Overview of your ROPA compliance status
Operational retrieval
Ask ROPAi
Ask the workspace where attention is needed and jump straight into the relevant record, DSAR, contract review, or action queue.
Recent prompts
Runs against your register only · EU-hosted · How Ask ROPAi handles your data →
Welcome to ROPAi
Your Article 30 register, ready in 60 seconds.
Pick the tools your team uses — Stripe, AWS, Salesforce, Microsoft 365, the works. ROPAi drafts a fully-populated register entry for each one, ready for you to review.
Stripe AWS Salesforce Microsoft 365 Google Workspace HubSpot Twilio Slack Notion + more
What needs you today
Items ROPAi has flagged for your attention
Recent platform activity
No recent ROPA or DSAR activity
Next 30 days
Renewals, reviews and statutory deadlines coming up
Post-import review
ROPA imported. Here is where GDPR attention should go next.
ROPAi has reviewed your imported records and turned them into guided operational queues.
Compliance Intelligence · Register Health
ROPAi scores the register on completeness, review freshness, and Article 30 / 35 / Chapter V follow-up.
What's pulling the score down
All drivers clear — no score deductions currently apply.
DPIA action tracker
Mitigation actions across all DPIAs
Once a DPIA recommends a mitigation, ROPAi keeps it visible until it's resolved — sorted by urgency, never lost.
0 overdue 0 open
No live DPIA mitigation actions. ✓
ROPA Health queue
See which records need review, why they matter, and what should happen next.
0 items
No ROPA Health items yet.
Register health
How ROPAi keeps the register healthy
ROPAi groups review freshness and likely governance gaps so teams can see what is stale, why it matters, and what should happen next.
International transfers
Processing activities with a destination outside the UK/EEA.
Safeguard in place
SCCs, IDTA, adequacy decision or Data Boundary.
TRA outstanding
Transfer risk assessment not yet recorded.
No safeguard identified
High-priority Chapter V gap to resolve.
Agreement missing / expired
IDTA, SCCs + Addendum or Art. 49 basis not recorded or past expiry.
International transfer register
Every activity with a destination outside the UK or EEA, with safeguard, transfer assessment status, and last review in one place.
0 items
No international transfers recorded yet.
Transfer evidence
Keep transfer evidence easy to find
ROPAi brings international transfers into one place so the safeguard and transfer assessment evidence you need is not buried inside individual records.
UK IDTA
International Data Transfer Agreement or the UK Addendum to EU SCCs, as issued by the ICO.
EU SCCs (2021/914)
Modules 1–4 depending on the role of the transferring parties (C2C, C2P, P2P, P2C).
Adequacy
UK or EU adequacy decision (e.g. EEA, Switzerland, South Korea, Japan, EU-US Data Privacy Framework for certified entities).
Transfer risk assessment
Your case-by-case assessment that the safeguard is effective in the destination country — including government access law (Schrems II).
Step 1 of 6
Live transfer monitor
Data Flow Atlas
0 routes
Safeguarded · TRA outstanding · No safeguard
drag: rotate · scroll: zoom · click: snapshot
🌍
No international transfers yet
The Atlas plots flows where an entry references a non-UK destination. Add one to see it light up here.
1. Quick intake: Supplier details
2. AI interview: 6–7 questions
3. ROPA entry ready: Auto-generated
AI-drafted ROPA, reviewed by you
Start with a few supplier details. ROPAi drafts the guided interview — you review, edit, and sign off each field before the entry is saved.
Legal basis · Recipients · DPIA screening
Use the legal entity name.
What is this supplier used for?
Will this supplier process personal data for you?
Treating as Yes. Where there is any doubt, we treat the answer as yes. Better to run an unnecessary interview than miss a genuine processing activity.
Tick this if the supplier or internal workflow uses AI, models, or automated reasoning as part of the processing arrangement.
Approximate month and year.
Used for renewal reminders.
Which team owns this supplier?
Add a specific person if one individual owns this supplier relationship.

The AI interview drafts answers for you to review. Fill in manually opens a blank record so you can type every field yourself — no questions asked.

Please complete all fields before continuing.

ROPAi co-pilot
Question 1 of 7
ROPAi asks
AI Interview
Suggested terms — click to add
Skip
Article 30 coverage
0 / 7
Reasoning
ROPAi will share its inferences as you answer.
ROPA preview
LIVE
Untitled record
Supplier context
Supplier · Purpose · Owner · Named owner
Live data flow map
Active node
Inactive
⚠️
DPIA Required — Article 35
Special category data detected. UK GDPR Article 35 requires a Data Protection Impact Assessment before this processing begins.
Answers so far
ROPAi
Generating your ROPA entry

Mapping interview answers to Article 30 fields...

Interview answers received
Analysing processing activities
Mapping to Article 30 fields
Identifying legal basis
Drafting ROPA entry
DPIA: Not assessed
LIA: Not assessed
AI Governance: Not in use
Data Flow Diagram
Auto-generated from this entry
Visual map of how personal data flows through this processing activity — who it concerns, what's collected, and where it goes. Useful for auditors, DPOs, and Article 30 reviews.
Data subjects
Processing activity
Recipients / processors
Third country transfer
Activity log
0 events
Needs attention
Entries that still need screening or a completed DPIA decision.
Mitigative actions
Open mitigation actions still being tracked across completed DPIAs.
Completed
Entries where the full DPIA has been recorded as complete.
DPIA review queue
Click an item to open the entry and jump into its DPIA assessment record.
0 items
No DPIA review items yet.
Guidance
Why this matters
ICO guidance expects the DPIA to be completed before high-risk processing starts. Without a product integration, the clearest control ROPAi can provide is an explicit review queue and a recorded assessment trail against the contemplated or live processing activity.
Use screening early
Run the screening while a supplier or processing idea is still being reviewed internally, not only after approval.
Keep a record
Every screening result and DPIA completion state should remain attached to the processing record for accountability.
Use the idea intake
Start with `Assess new processing` when the team is still evaluating a new supplier, model, or data use before it begins.
Pre-Go-Live Intake
Assess a new processing idea before it starts.
Use this when the team is still considering a new initiative, supplier, model, or data use. ROPAi will create a draft record so screening can happen before the processing is approved or switched on.
Contemplated processing · Early DPIA screening · Accountability trail
Name the initiative, project, supplier, or new data use being considered.
What is the organisation trying to achieve?
Which team is proposing or sponsoring the processing?
Describe the proposed activity in plain English.
What personal data would likely be involved?
Who would be affected by this processing?
If known, when would the processing begin?
If a vendor is involved, add it now. If not, leave blank.
Send a blank questionnaire if you just want them to complete it, or prefill the fields above first and send that version instead.

Please complete the idea name, purpose, sponsor team, and processing summary.

Legitimate Interests Workflow
Keep legitimate interests assessments visible when that is the chosen basis.
Entries relying on legitimate interests should surface here automatically. The workflow should show what still needs an assessment, what has been completed, and what should be reviewed again because the processing or balancing decision may have changed.
Action queue · Completed record · Review reminder
Needs action
Entries using legitimate interests without a completed or current LIA.
Review due
Completed LIAs that should be checked again before relying on them.
Completed
LIAs that have been recorded as complete in ROPAi.
No LIA items yet.
Completed LIAs will appear here.
Scheduled reports
Recent platform activity
Last 20 actions across ROPA, DPIA, LIA, and DSAR workflows.
No recent platform activity yet.
Approval roles
Define who can approve ROPA entries. These roles will be shown on entry cards and in the activity log.
When is approval required?
Choose the conditions under which a ROPA entry must go through approval before being marked live.
Multi-stage approval
Require sign-off from multiple roles in sequence before an entry is approved. Useful for organisations with a formal DPO + legal review process.
Enable multi-stage approval
Entries must pass through each stage in order
Additional options
Fine-tune approval behaviour for your organisation.
Require justification on approval
Approver must add a comment before approving
Auto-approve Low risk entries
Low risk entries skip the approval queue entirely
Dashboard defaults
Choose how far ahead the dashboard should look when surfacing upcoming contract renewals.
Controls how many operational menu cards appear in the dashboard hero.
Used for register renewal signals and future dashboard renewal views.
DSAR workflow defaults
Define the default owners for DSAR cases. These roles will be used when a new request is logged and later power stage-based workflow automation.
Responsible for sourcing records and evidence.
Responsible for preparing the draft response.
Approves complex replies before they are sent.
Guidance for non-legal teams on when to pull Legal into the case.
Short guidance to appear in future workflow settings.
DSAR access control
Map team emails to the DSAR workspace. Operations users can be restricted to DSAR only, and a secondary team can be given a narrow evidence inbox for fulfilment of specific request types.
These users will only see the DSAR workflow screens.
These users will see only the scoped evidence inbox.
Legal users keep broader DSAR review access.
Admins keep full workspace access. Unlisted users default to admin for now.
Parties Registry
Single source of truth for every counterparty that appears in your IDTAs, SCCs and DPAs. Fill once here and pick from a dropdown on every transfer record. Mirrors Annex I.A of the EU SCCs and Table 1 of the UK IDTA.
TOM Library (Technical & Organisational Measures)
Catalogue your security measures once, then tag each with the SCC clause / IDTA Annex II row it satisfies. The branded export engine pulls tagged TOMs straight into Annex II / Table 4. Mirrors Annex II of the EU SCCs and Table 4 of the UK IDTA.
Tags drive auto-population of IDTA Table 4 / SCC Annex II on export.
Open
0
Requests in flight
Needs attention
0
Overdue, escalated, or at risk
Completed
0
Closed requests
DSAR workflow
Manage subject access requests end to end
Showing the live DSAR queue.
Requester | Status | SLA | Owner | Next step
No requests yet — click “+ New request” to start your first case.
Open evidence requests
0
Cases waiting on underwriting
Overdue
0
Past the DSAR deadline
Completed today
0
Reports marked complete
Underwriting evidence requests will appear here.
XML + Open Banking reports
Underwriting evidence inbox
Provide the XML and Open Banking reports requested by DSAR Operations.
Requester | Request | Deadline | Requested by | Action
No underwriting evidence requests are open right now.
Operational summary
Case owners
ROPAi stakeholder summary
A quick internal brief built from the case record, workflow state, evidence status, and current blockers.
Deliberation and routing
Use triage to assess complex, third-party, agency, and fraud-review requests before the case moves into evidence work.
Triage decision
Choose the outcome of triage so the next step is explicit.
Comments and decisions
Keep the deliberation record, ops notes, and legal decision trail inside triage.
Why it is here
Evidence is still being gathered
ROPAi is holding the case in this stage until the required evidence sources are complete.
What moves it forward
Complete the remaining evidence tasks
Once the checklist is complete, ROPAi moves the case into drafting automatically.
Evidence checklist
Track source-system searches before this case moves into drafting.
0 of 0 complete
Comments and decisions
Keep ops notes, legal review points, and sign-off records visible on the case.
Response drafting
Use the controlled template and prepare the response pack.
Draft handoff
Acknowledge when the draft has been sent for review or is ready for final issue.
Send-ready pack
Activity timeline
Case history
Activity log for the request from intake through to dispatch and closure.
New DSAR request
Log the request details and let ROPAi build the workflow around it.
ROPAi will pre-fill, you decide
Sets the verification posture, calculates the response deadline when it can start, suggests default owners, recommends the right response template, and drafts the evidence checklist for this request type — all reviewable and editable before the case goes live.
Paste inbound email
Use ROPAi to classify the request, recommend the route, and prefill the case.
Paste an inbound privacy email and ROPAi will classify the request, suggest the template, and prepare the case.
Review extracted fields
Adjust anything that looks wrong before creating the case.
✓
Ready to send
All evidence is gathered, the draft is controlled, and the case is ready for final issue.
Send response
Final confirmation before dispatch. Record the delivery method and close the case cleanly.
Case
DSAR case
Delivery guidance
Record the delivery method and any separate password-sharing step in the dispatch note.
Template
Controlled template
Evidence
Checklist status
Use this 12-character password for the ZIP or response pack, and send it through a separate channel from the attachment email.
System Of Record
Processors is your formal register of suppliers handling personal data.
Use this screen to maintain the formal record: DPA status, transfer position, ownership, and contract dates for each supplier handling personal data. This is the official record, not the prioritisation view.
DPA status · Transfers · Contract renewals
ROPAi — our own trust posture
We're your sub-processor too. Here's the assurance roadmap we commit to — visible where you make onboarding decisions.
View full trust page →
Live: EU-Ireland hosting · Supabase + Netlify
Planned: Cyber Essentials Plus · Q1 2027
Planned: Supabase append-only activity history · pre-pilot hardening
Planned: ISO 27001 · Q4 2027
Planned: SOC 2 Type I · Q2 2028
Planned: SOC 2 Type II · Q4 2028

Your plan & billing

Manage your subscription, upgrade your plan, or access the Stripe billing portal to update your payment method.

30-day Free Trial
Your trial is active. Choose the plan that should take over when the trial ends. Live features and plan descriptions stay aligned with the current workspace.
Monthly
Secure payments: Powered by Stripe. We never store card details. All transactions are PCI DSS compliant.
Cancel anytime: No long-term contracts. Cancel from the billing portal and your plan continues until the end of the period.
Questions? Email [email protected] — we reply the same day.
Trust & security: EU-hosted (Ireland), encryption at rest + in transit, tenant isolation via RLS. View hosting, sub-processors & DPA →
Renewal Check
Let's confirm this entry is still accurate before the contract renews.
Is your organisation still using this supplier?
Has the scope changed?
Think about changes to data types, countries, sub-processors, or purposes since the last review.
Has the scope of personal data processing changed?
e.g. new data categories, transfers to new countries, new sub-processors added
Update renewal date
Great — the ROPA entry is still accurate. Please set the new contract expiry date.
Fresh interview needed
A new AI discovery interview will run to update the ROPA entry. The existing entry will be preserved in version history.
Ready to start the fresh interview for ?
Mark for offboarding
Next steps for your DPO: Confirm all personal data has been deleted or returned, verify the Data Processing Agreement has been terminated, and archive the ROPA record.
Mark this entry as Action Required and notify the DPO?
Trust & security
How ROPAi stores, processes and protects your data.
Hosting
EU · Ireland
Supabase EU-West (Dublin), Netlify EU edges.
Encryption
AES-256 at rest · TLS 1.2+ in transit
Keys managed by Supabase.
Tenant isolation
Postgres Row-Level Security
Every row scoped to your org_id.
Breach SLA
72h notification
Aligned to UK GDPR Article 33.
Evidence trail
Activity history live · append-only storage planned
Current demo activity is visible in-product; Supabase append-only history is the pre-pilot hardening item.
Assurance roadmap
Cyber Essentials Plus Q1 2027 · ISO 27001 Q4 2027
SOC 2 Type I targeted for Q2 2028; SOC 2 Type II Q4 2028.
Sub-processors
Supabase Inc. — Postgres, auth, storage (EU-Ireland) · Netlify Inc. — hosting, serverless functions · Anthropic PBC — Claude AI for ROPA interviews and document drafting (zero-retention API; prompts not used for training) · Stripe Payments Europe Ltd. — billing (card data never touches our servers).
AI data handling
Claude is used to conduct ROPA interviews, draft DPIAs and summarise audit evidence. Prompts are sent to Anthropic's API under a zero-retention agreement — not used to train models. You can review and edit every AI output before it's saved to your register.
Retention & deletion
You control retention. Deletions are soft by default (audit-preserving) with hard-delete on request. On account termination, data is exported and purged within 30 days.
Sector framework alignment
NHS / public sector — mapping ROPAi evidence surfaces to Data Security and Protection Toolkit (DSPT) assertions and NCSC Cyber Assessment Framework (CAF) outcomes. In discovery with NHS / public-sector advisors.
Financial services — FCA Consumer Duty and operational resilience mappings planned.
EU AI Act — FRIA and Annex III support scaffolded into the DPIA workflow.
Transfer Agreement
UK IDTA · EU SCCs + UK Addendum · Article 49 derogation
Pick from Parties Registry · + Add new party
Pick from Parties Registry. Use the same picker for SCC Annex I.A.
The master DPA this IDTA / Addendum supplements.
Auto-suggested from the data exporter's jurisdiction.
Drives the review reminder on the dashboard.
Sets the clock for the next review.
Unique audit ID printed on every export.
Annex III — Sub-processors (Modules 2 & 3 — Clause 9 prior notification)
Notification window defaults to 14 days (Clause 9(a) general option) and starts on the proposed date. Sub-processors cannot be set "Active" until the window has elapsed and approval is recorded.
Lifecycle & Termination
Triggers the off-boarding checklist (Clause 16 / IDTA Table 1 termination).
Off-boarding checklist (SCC Clause 16 / IDTA Table 1)
Transfer Impact Assessment (TIA)
Chapter V UK GDPR (Arts. 44–49) · Schrems II · EDPB Rec. 01/2020 (applied as best practice)
ROPA Compliance Audit Report
Schedule recurring audit report
ROPAi will draft an audit report on schedule and save it to your report log for DPO review and sign-off.
✓ Enhanced tier feature — available on Professional and DPO Practice plans.
⚡ Vendor Library
One-click add common processors. Pre-filled with UK GDPR compliant data.
🔍
0 tools selected — each becomes a draft entry you can review.
Import existing ROPA
Upload an Excel (.xlsx) or CSV file. ROPAi will map the columns and add any new rows to your register.
📂
Click to browse or drag & drop
Supports .xlsx and .csv
Your column | Maps to | Sample value
Supplier | Existing purpose | Incoming purpose | Decision
Manage custom columns
Add custom fields to every ROPA entry — e.g. AI checklist, internal notes, or bespoke compliance flags.
Add new column
📄 Privacy Notice — Generated by ROPAi
Based on this ROPA entry · UK GDPR compliant
Import completed template
Upload a completed ROPAi screening template or editable full DPIA template. Templates repopulate the screening record or replace the saved full assessment sections.
📄
Drop your completed ROPAi template here
PDF, DOCX, or TXT accepted. Use ROPAi editable templates for the most reliable round-trip.
Imported content — review before saving