Status: Optional add-on · In planning

DPMS is not part of the standard feature scope. We are developing the module as an optional add-on that becomes available after the GA release. It is not yet included in current beta access. If you need DPMS functions, let us know — we'll add your requirements to the planning and get back to you once the module is available.

Record of processing (Art. 30 GDPR)

Every controller must maintain a record of its processing activities. The DPMS module will provide the structure for this: per processing activity — purpose, legal basis, categories of data subjects, categories of personal data, recipients, third-country transfers, retention periods, technical and organizational measures (TOMs). With filtering, export (PDF, CSV) and versioning.

Templates for typical processing activities (HR, accounting, CRM, applicant management, video surveillance) will be included and customizable per tenant.

Data protection impact assessment (Art. 35)

Where processing is likely to result in a high risk to the rights and freedoms of data subjects, a DPIA is mandatory. The module guides through the DPIA process: risk assessment, description of processing, assessment of necessity and proportionality, safeguards, consultation with the data protection officer. The result is a structured document, exported and anchored in the audit log.

Threshold assessment

The module helps with the preliminary check: based on the processing activity and the risk indicators stored there (special categories of data, profiling, surveillance, etc.), the system gives a suggestion whether a DPIA is likely required. The legal assessment is made by the data protection officer or responsible person — the suggestion is not a substitute.

DPA management

SMEs are often simultaneously DPA principals (toward service providers) and DPA processors (toward business customers). The module will manage both sides:

  • Incoming DPAs (you as processor): DPAs linked to clients, TOMs, sub-processor lists, conditions.
  • Outgoing DPAs (you as controller): DPAs with service providers, TOMs review, sub-processor approvals.
  • Link to contract management — every DPA is also a contract with term and termination.
  • Sub-processor tracking — changes are reflected with notification obligation and right to object.

Data subject rights (Art. 15-22 GDPR)

Access, rectification, erasure and objection requests are not rare — and must be answered within one month. The module logs every incoming request as a workflow, sets the response deadline automatically, documents the handling and provides templates for access responses. Anonymized statistics show management the count and processing time.

Incident response (Art. 33, 34 GDPR)

A data protection incident must be reported to the supervisory authority within 72 hours unless it is unlikely to result in a risk. The module structures the intake: what happened, which data is affected, how many persons, what risk, what immediate measures. A 72-hour deadline is automatically set. The notification to the supervisory authority is drafted, the data subject notification is supported with templates where applicable. Every step is traceable in the audit log.

Audit trail across the entire DPMS

Data protection compliance is not about creating a record once — it is about evidence that the record lives. The module logs every change to the record, every DPIA revision, every DPA renewal, every data subject request, every incident. On a supervisory authority inspection, the system delivers full evidence at the press of a button — no last-minute Excel reconstruction.

Need DPMS functions today? If you depend on any of the modules described above, let us know. We'll add your requirements to the module planning and get back to you once the module is available.