·Alexis Hirschhorn · ISO 42001 Lead Auditor

Data Privacy Management for teams that already know how hard this is.

The privacy module of the Acuna GRC platform, built for the people who understand what most tools miss: that ROPA, DPA, DPIA, TIA, breach response, and DSARs are one connected workflow, not six modules in separate workspaces.

GDPRSwiss FADPUK GDPR+ your framework

Book a demo See the Data Flow →

· the architecture is in the UI ·

Five product views that share one graph. On mobile we show a short summary for each. The stacked desktop collage with full UI detail appears when you widen the screen.

1 / 5 · acuna.io / privacy / ropa

Processing Activities

One register for every PA. Status, frameworks, and references stay on one row.

142 PAs in the mock list
GDPR, FADP, and UK on the same record
Article 30 columns ready to export

2 / 5 · acuna.io / pa / PA-2026-042 / frameworks

Multi-framework on one PA

Each framework keeps its own legal basis without duplicating the operational record.

GDPR and Swiss FADP side by side
Independent review cycles per framework
Add UK GDPR without a second workspace

3 / 5 · acuna.io / privacy / breach-simulator

Breach Simulator

Pick a vendor and see cascade counts for PAs, assets, and data elements.

14 affected PAs in the scenario
47 data elements surfaced
6 flagged as special category

4 / 5 · acuna.io / privacy / questionnaire

Scoped questionnaire

Business owners get a one-time token link tied to the PA they own.

Email from privacy@acuna.io
Scoped editor, no tenant-wide access
Explicit approval step for the privacy team

5 / 5 · acuna.io / pa / PA-2026-042 / data-flow

Data Flow canvas

Subjects, assets, systems, and third parties on one screen for the regulator questions.

Four stages in one view
Residency and jurisdiction on each node
Special-category data highlighted

acuna.io / privacy / ropa

Processing Activities142 PAs

ReferenceNameStatus

PA-2026-042

Employee payroll processing

GDPRFADP

Approved

PA-2026-041

Customer support data

GDPRUK

In Review

PA-2026-040

Marketing analytics

GDPR

Draft

acuna.io / privacy / pa / PA-2026-042

FRAMEWORKS

GDPREU

basis: Legitimate interest Art. 6(1)(f)

Swiss FADPCH

basis: Consent Art. 6 FADP

acuna.io / privacy / breach-simulator

AWS Frankfurt

eu-central-1 · processor

▲ if compromised

Affected PAs14

Affected assets9

Data elements47

Special category6

questionnaire@acuna.io → business owner

from: privacy@acuna.io

Please confirm PA-2026-043 data

You have been sent a scoped link to review and confirm the processing activity you own.

acuna.io/privacy/questionnaire/3f7a8c19b2…d8e

Open scoped editor →

acuna.io / pa / PA-2026-042 / data-flow

Subjects

Customers

Staff

Assets

PostgreSQL

⚠ Health logs

Systems

Helpdesk

Third Parties

Zendesk

→→→

Four product facts that matter to privacy teams. Each row is the same credential you see in the desktop layout, stacked so nothing is squeezed into a narrow column.

1×PA

Multi-framework on one record

GDPR and Swiss FADP govern the same processing activity with independent legal bases on one operational record.

226

Country TIA lookup

Transfer Impact Assessment pre-populates destination jurisdictions from a 226-country dataset.

27+

Seeded data elements

GDPR Article 9 special-category mapping included. Your team adds from a curated base instead of building the ontology first.

EDPB WP248 criteria

The DPIA threshold screener applies all nine criteria. Two or more met triggers the requirement under Article 35.

The shape of the work

You've already done the diagnosis.

01 · the work

The ROPA goes stale on Tuesday.

Current the day you approve it. Slightly out of date by the time the meeting ends. Business owners answer questionnaires in their own time, in their own words. Sub-processor chains drift. Cross-border transfers get a new safeguard every time a court ruling lands.

02 · the tooling

Sold as one suite. Configured as six.

The platform you bought arrived as separate modules with separate workspaces. Implementation took longer than the timeline you were given. Pricing grew on a schedule nobody warned you about. The Article 30 export comes out flat; the relationships live in your head.

03 · what you're looking for

A tool that respects the real shape of the job.

You're not looking for something that promises to make privacy easy. You're looking for something that respects how the work actually moves: relationships first, documents second, audit trail by default.

The architecture

One graph, not six modules.

RelationshipProcessing Activity connects to

originates from

Data Subjectwho the data is about

collects from

Data Assetwhere data is stored

stores in

System Assetinfrastructure layer

sends to

Third Partyprocessor / controller

governed by

FrameworkGDPR · Swiss FADP · UK

Open any Processing Activity. This is what you see. ↓

Everything in privacy operations is a relationship. A processing activity collects from a data subject, stores in an asset, sends to a third party. The third party has sub-processors. Sub-processors create transfer obligations. Transfer obligations require safeguards. A breach on any node cascades through the graph.

Most platforms model this as six tables and forms that ask you to re-enter the same information into each one. Acuna models it as one graph. The DPA wizard reads the sub-processor chain from your third-party configuration. The Breach Simulator reads affected PAs from asset and third-party links. The Article 30 export ships with the relationship columns.

The relationships are the record.

The view buyers fall in love with

One Processing Activity. The whole story, on one screen.

Open a PA, click Data Flow, and the answer to every regulator’s first four questions renders itself: who the subjects are, what data is involved, where it lives, and who else touches it. Article 30 logic, rendered as architecture.

Processing Activity:

PA-010 · Employee data collection

Live model·

One PA, four stages. Who the data is about, where it is collected and stored, and who receives it. Widen the screen for the full canvas with connectors and data elements.

PA-010 · Employee data collection

Data subjects

originates with

Employees10K–20K

Collects from

data assets

ERP (SAP)Badge accessArt. 9

Stores in

system assets

Azure BlobDEActive DirectoryDE

Sends to

third parties

MicrosoftUSTalentHub HRUS

Amber = cross-border or special-category signal in the product

Data Subjects

data originates with

Employees

Data Subject

10K–20K subjects

Collects From

data assets

ERP System (SAP)

Data Asset

First NameSalary InformationEmail AddressHome AddressSocial Security Number

RESIDENCY · Dublin Data Center

Badge Access System

Data Asset

Biometric TemplateEmail AddressLast NameFirst Name

RESIDENCY · CH Switzerland

Stores In

system assets

Azure Blob Storage

System Asset

Biometric Template

RESIDENCY · DE Germany

Active Directory

Data Asset

First NameSalary InformationLast NameSocial Security NumberHome Address

RESIDENCY · DE Germany

Sends To

third parties

Microsoft

Third PartyProcessor

First NameEmail AddressSalary InformationDate of BirthSocial Security Number

JURISDICTION · US United States

TalentHub HR

Third Party

First NameSalary InformationEmail AddressHome AddressSocial Security Number

JURISDICTION · US United States

01 · article 30 in a glance

Compliance officers read the diagram, not the spreadsheet.

Flow direction, residency, and data elements are visible without opening a single file. The diagram is the Article 30 register, rendered.

02 · cross-border surfaces itself

Every node carries its jurisdiction.

The diagram tells you which Processing Activity has US transfers without you having to ask. Warning treatment fires automatically on cross-border third parties.

03 · special-category flagged for you

GDPR Article 9 mapping is in the model, not in someone's memory.

Biometric, health, and other special categories render in warning treatment automatically. The flag fires before you have to look for it.

“This is the diagram your auditor keeps asking for. It’s also the answer.”

acuna.io / privacy / ropa

Processing ActivitiesExport Article 30 ↓

ReferenceNameFrameworkStatus

PA-2026-042Employee payroll processing

GDPRFADP

Approved

PA-2026-041Customer support data

GDPRUK

In Review

PA-2026-040Marketing analytics

GDPR

Draft

Export columns

Reference

Framework

Status

Collects From

Stores In

Sends To

Sub-Processors

Capability 01 · ROPA

Records of Processing Activities, with the data flows in the export.

GDPR Article 30 is usually requested first, and usually hardest to produce fast when relationships are spread across spreadsheets and disconnected tools.

In Acuna, a processing activity is a graph object carrying data subjects, assets, third parties, legal bases, and personal data mappings together. Exports include relationship columns by default: Collects From, Stores In, Sends To, Controllers, Joint Controllers, Processors, Sub-Processors. Workflow states stay object-level: Draft, In Review, Approved, Needs Update.

When the authority asks and the timeline is short, you export. The flows are already in the columns.

PA-2026-042 · Article 30 export with relationship columns selected.

Capability 02 · Multi-framework

GDPR, Swiss FADP, UK GDPR on one PA, independent legal bases.

Multi-framework governance often becomes duplicate workspaces and duplicate records that drift apart over time.

Acuna runs framework governance on one processing activity. Each framework carries its own legal basis selection, review cycle, and export trail. GDPR and Swiss FADP are seeded; UK GDPR or regional overlays attach to the same PA without migration into a second tenant.

You don't run separate workspaces. You don't migrate when a new framework enters scope. You add it to the PA.

Same PA: GDPR and FADP assigned with independent legal bases.

acuna.io / privacy / pa / PA-2026-042

PA-2026-042

Customer support data

OverviewPersonal DataAssetsFrameworksTransfer

GDPREUactive

Legal basisLegitimate interest Art. 6(1)(f)

Review cycleAnnual

Next review2026-11-04

Swiss FADPCHactive

Legal basisConsent Art. 6 FADP

Review cycleAnnual

Next review2026-11-04

+ Add framework: UK GDPR, BDSG...

acuna.io / privacy / assessments

PA-2026-042Customer support data · context shared across assessments

DPIA · Threshold

WP248 screener

Systematic monitoring

Large-scale processing

Vulnerable subjects

Novel technology

DPA · Scope

Art. 28 wizard

Auto: sub-processor chain

Auto: data categories

Auto: subject categories

Audit rights clause

TIA · Schrems II

Transfer analysis

Auto: third party + countries

Safeguard: SCCs

10-question screener

Risk score

↑ all three read from PA-2026-042 ↑

Capability 03 · Assessments

DPIA, DPA, TIA: generated from the same graph.

Privacy teams should not retype the same context into three different wizards just to complete linked assessments.

DPIA uses EDPB WP248 threshold logic from the PA context. DPA reads third-party and sub-processor attributes for Article 28 scope. TIA starts from the linked third party and destination context, then computes risk based on mechanism and questionnaire answers. Shared PA context stays consistent across all three.

Three assessments. One graph. Information you've already captured doesn't get retyped into three more wizards.

DPIA, DPA, and TIA wizards sharing the same PA-2026-042 context strip.

Capability 04 · The graph, reversed

The Breach Simulator: the Data Flow, run backwards.

Pick a third party. The same graph that draws your Data Flow walks itself in reverse, surfacing every Processing Activity that depends on the compromised node, every data asset they touch, and every data element at risk. In a click, not a quarter.

On mobile you see the cascade in order: impact numbers first, then the selected vendor, then when teams use the simulator. The full two-panel layout returns on wider screens.

14PAs

affected processing activities

directly linked to the compromised vendor

9assets

data assets at risk

storing personal data processed via the vendor

47elements

data elements impacted

including 6 classified as special category

Selected third party

Microsoft

Third PartyProcessorSCC + BCR

Linked processing activities

PA-010Employee data collectionHigh

PA-2026-042Customer supportHigh

PA-2026-039Marketing analyticsMedium

PA-2026-038Product telemetryLow

When to use it

Before

Board exposure reviews. Show which vendor would cascade furthest.

During

Active incident. Scope article 33 obligations in real time, under pressure.

After

DPA or audit debrief. Demonstrate structured assessment with traceable output.

⏱

72 hours, GDPR Article 33. The supervisory authority clock starts on awareness. Scoping shouldn't take days.

When the question comes up in the next board meeting, you don’t need a quarter. You need a click.

Capability 05 · Privacy Portal

The Privacy Portal: public DSARs and PA questionnaires, one tenant slug.

Intake workflows consume disproportionate privacy effort when DSAR and questionnaire channels are split into separate systems.

Public DSAR intake runs at /privacy/request/[tenantSlug] with tenant branding, honeypot protection, and per-IP and per-tenant rate limiting. Submissions are tracked with a SHA256-hashed token. Business owner questionnaires use one-time cryptographic token links. The state machine (Stub → Questionnaire Sent → Questionnaire Received → Approved) makes approval explicit.

The chase doesn't scale. The approval does.

Split intake: DSAR public form and scoped PA questionnaire editor.

privacy.acuna.io

/privacy/request/yourcompany

Request your data

Full name

Marie Laurent

m.laurent@example.com

Request type

Access · Download

Submit request

→ 30-day clock starts

/privacy/questionnaire/3f7a8c…d8e

Confirm: PA-2026-042

Data categories

4 selected

Data elements

9 selected

Retention

24 months

Submit

→ Token invalidates

Part of the platform

Inside the Acuna GRC platform: privacy where it belongs.

Privacy is not a silo. The third parties you process data through are the same vendors your TPRM program assesses. DPIA risks should roll up to enterprise risk. Security measures on processing activities should map to controls in your ISMS.

Also connects to: Internal Audit · Policy · Controls · full platform overview →

Enterprise Risk

DPIA risks roll up to the enterprise risk register

TPRM

Privacy third parties share the same vendor record as TPRM assessments

ISMS / ISO 27001

Security measures on processing activities map to controls in the ISMS

Incident Management

Personal data breaches flow through the same incident model used elsewhere in governance

See the full platform →

Alexis Hirschhorn

ISO 42001 Lead Auditor · Acuna GRC

Acuna Data Privacy is led by Alexis Hirschhorn, ISO 42001 Lead Auditor and Acuna's spokesperson on AI governance and privacy operations. The perspective is operational: privacy programs break at the seams between tools, and the durable answer is one connected graph, not six modules.

The decisions behind the product (the graph model, the multi-framework approach, the token-scoped questionnaires, the Breach Simulator) come from close observation of where real privacy operations lose time.

About Alexis →

Is this for you?

You're the right fit if any of these are true.

✓

Your ROPA lives in a tool that doesn't export relationship columns, so the data flows live in your head.

✓

You run GDPR and Swiss FADP (or UK GDPR) and you've accepted duplicate records as the cost of multi-framework.

✓

DSARs arrive by email and live in a shared inbox or a standalone tool with no link to your processing activities.

✓

DPIAs, DPAs, and TIAs share no context and are filled in separately each time a new processing activity is added.

✓

When your board or auditor asks what would be exposed if a particular vendor had an incident, the answer takes days.

Book a 30-minute demo

Bring a real PA, a real vendor chain, or a real audit scenario.

Before you choose

Questions privacy operators ask before they choose a tool.

Answers to the operational questions. No sales copy.

What is a Record of Processing Activities (ROPA), and what does GDPR Article 30 require?

A Record of Processing Activities is the inventory of processing operations that GDPR Article 30 requires controllers and processors to maintain. It documents each processing activity's purpose, categories of data subjects, categories of personal data, recipients, cross-border transfers, retention periods, and the technical and organisational measures in place. The record must be in writing, kept current, and made available to the supervisory authority on request. In practice, the relationship columns (who you collect from, where you store, who you send to) are the part most exports miss and most authorities ask for first.

When is a Data Protection Impact Assessment (DPIA) mandatory?

A DPIA is mandatory under GDPR Article 35 when processing is likely to result in high risk to the rights and freedoms of natural persons. The EDPB WP248 guidance lists nine criteria: large-scale evaluation or scoring, automated decision-making with legal effect, systematic monitoring, special-category data, vulnerable data subjects, novel technologies, data matching across controllers, processing requiring explicit consent as a condition, and processing that prevents the exercise of rights. Meeting two or more of the nine criteria typically triggers the requirement. Single-criterion processing may still warrant a DPIA where context indicates elevated risk.

What is a Transfer Impact Assessment (TIA), and what changed after Schrems II?

A Transfer Impact Assessment evaluates whether a cross-border transfer of personal data to a country without an EU adequacy decision has effective safeguards against government access and surveillance. The requirement was crystallised by the Schrems II judgment, which struck down the EU-US Privacy Shield and required transferring parties to assess, on a case-by-case basis, whether their chosen mechanism (typically Standard Contractual Clauses) provides equivalent protection in the destination country's legal environment. A TIA documents the destination, the mechanism, the surveillance exposure analysis, and any supplementary measures applied.

What is the 72-hour rule for personal data breaches under GDPR?

Under GDPR Article 33, controllers must notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware, where the breach is likely to result in a risk to the rights and freedoms of natural persons. Where notification is made after 72 hours, reasons for the delay must be included. If the breach is also likely to result in a high risk to individuals, the controller must notify affected data subjects directly under Article 34. Processors must notify the controller without undue delay after becoming aware.

How long do I have to respond to a Data Subject Access Request (DSAR)?

Under GDPR Article 12, a controller must respond to a data subject access request without undue delay and within one calendar month of receipt. Where the request is complex or numerous, the period may be extended by a further two months, provided the data subject is informed of the extension and the reasons within the first month. The 30-day clock begins on receipt of the request, not on verification of the requester's identity, though identity verification is permitted before fulfilling the request itself.

What goes into a Data Processing Agreement (DPA) under GDPR Article 28?

A Data Processing Agreement under GDPR Article 28 must define the subject matter, duration, nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. It must require the processor to: process only on documented instructions; ensure confidentiality commitments for authorised personnel; implement appropriate technical and organisational security measures; engage sub-processors only with the controller's prior written consent; assist the controller with data subject rights, security, breach notification, DPIAs, and prior consultation obligations; delete or return all personal data on termination; and make available all information necessary to demonstrate compliance.

How does multi-framework compliance work in practice: GDPR and Swiss FADP on the same processing activity?

When a processing activity is governed by both GDPR and Swiss FADP, the requirements differ: GDPR requires a lawful basis under Article 6 (and Article 9 for special categories), while Swiss FADP requires a justification under its own provisions and has different documentation timelines. Running two separate registers creates two copies of the same operational fact that drift apart. The operationally durable approach is to maintain one processing activity record and attach framework-specific attributes (legal basis, review cycle, export trail) independently. One record, two governance lanes, audit evidence kept separate by framework.

How do you keep a ROPA current without chasing business owners?

The most effective mechanism is one-time, cryptographically scoped questionnaires sent to business owners with a link that expires on submission. The token scopes the editor to exactly the PA the owner is responsible for, nothing more. On submission, the token invalidates, the PA moves to a Questionnaire Received state, and the privacy team reviews and applies the answers. The state machine makes the approval step explicit: the privacy team is not chasing; they are approving. Drift is managed through object-level indicators on data element classifications and third-party changes, not through scheduled manual reviews.

What is a data flow diagram in privacy compliance, and what should it show?

A data flow diagram in privacy compliance visualises how personal data moves through one processing activity: from the data subjects it originates with, through the data assets and systems that store and process it, to the third parties that receive it. A well-built diagram surfaces four things at once: the categories of data subjects affected; the specific data elements involved, with special-category data (GDPR Article 9) flagged separately; the residency or jurisdiction of every node where the data lives or is processed; and the role of every external party (controller, processor, sub-processor). Under GDPR Article 30, the data flow is implicit in the Record of Processing Activities; the diagram makes it visible. A diagram that omits country residencies, role distinctions, or special-category flags is not a data flow diagram. It is a system map. The structural difference matters because regulators and auditors ask about transfers, roles, and Article 9 exposure as their opening questions. A properly built flow answers all four before they are asked.

↑ each answer is the atomic version; links to canonical articles coming

See it live

See the architecture for yourself.

Bring a real processing activity, a real vendor chain, or a real audit scenario. We'll show how the graph handles it in one live model.

Book a demo

acuna data privacy · one graph, not six modules · gdpr · swiss fadp · uk gdpr