Vendor terms changed.
Can you prove you noticed?

DORA, NIS2, and GDPR all require continuous vendor monitoring. You need the evidence. We generate it.

Evidence trail

Date    Vendor      Change                  Status
Mar 12  OpenAI      DPA changed             GDPR Art. 32
Mar 8   Figma       Transfer terms updated  Reviewed
Feb 28  Slack       Sub-processor added     30d to object
Feb 15  Salesforce  No changes detected
Feb 3   Canva       AI training clause      EU AI Act
Jan 22  Deel        AI terms added          EU AI Act
Jan 10  Klarna      Data sharing expanded   GDPR Art. 28

01 — Evidence

Real changes your regulators would ask about.

Actual vendor agreement changes from the past 6 months — each one potentially relevant to GDPR, DORA, or EU AI Act obligations. Every one landed without most companies noticing.

LinkedIn ToS RED RISK

Affiliates Expanded to Include All Microsoft Subsidiaries

Before

Affiliates are companies controlling, controlled by or under common control with us, including, for example, LinkedIn Ireland, LinkedIn Corporation, LinkedIn Singapore and Microsoft Corporation.

After

Affiliates are companies controlling, controlled by or under common control with us, including, for example, LinkedIn Ireland, LinkedIn Corporation, LinkedIn Singapore and Microsoft Corporation or any of its subsidiaries (e.g., GitHub, Inc.).

EU AI Act

LinkedIn now shares your professional data with every Microsoft subsidiary — including GitHub — for AI training. No DPA update, no consent refresh, no sub-processor notification.

Review against GDPR Art. 6 (lawful basis). Request an updated DPA with an explicit sub-processor list and purpose limitation for AI training.

OpenAI DPA RED RISK

Security Exhibit Deleted from Data Processing Agreement

Before

Detailed “Exhibit B — Technical and Organizational Measures” with specific controls for Identity/Authentication, Cloud Security, Data Access Control, Physical Security, Incident Response, and Business Continuity.

After

“OpenAI will implement and maintain reasonable and appropriate organizational and technical security measures to protect Customer Data, as set forth in the Agreement and the Trust Portal.”

GDPR Art. 32

OpenAI deleted two pages of specific security commitments from their DPA and replaced them with a vague reference to an external Trust Portal they can change at will.

Assess against GDPR Art. 32 (security of processing). DORA-regulated firms: verify contractual security commitments meet ICT third-party risk requirements.

Figma DPA RED RISK

Schrems II Transparency Disclosures Removed from DPA

Before

Figma received 0 government requests of the type described in the Schrems II CJEU judgment (C-311/18). No court has found Figma eligible to receive process issued under FISA Section 702.

After

Figma publishes this report on an annual basis to share information with its customers regarding the government information requests, if any, Figma has received.

GDPR Art. 44–49

Figma removed the exact data DPOs need for Transfer Impact Assessments — zero government requests under Schrems II, no FISA 702 eligibility — and replaced it with vague annual report language.

Review against GDPR Art. 44–49 (international transfers) and Schrems II (CJEU C-311/18). Request detailed transparency data for your Transfer Impact Assessment.

Vanta ToS RED RISK

Security Breach Liability Cap Reduced from 10x to 2x

Before

Liability for breaches of confidentiality obligations, indemnification obligations, or prohibited uses will not in the aggregate exceed ten times (10x) that amount.

After

For claims arising from a party’s breach of its confidentiality obligations or security obligations under the DPA, each party’s aggregate liability will not exceed two times (2x) the General Cap.

DORA Art. 30 / NIS2 Art. 21

Vanta — a compliance and security vendor — reduced their own liability cap for security breaches by 5x. If your vendor’s commitment to covering breach damages drops from 10x to 2x annual fees, your risk exposure changed. Potentially relevant to DORA Art. 30 and NIS2 Art. 21 requirements for ICT third-party risk management.

Review against DORA Art. 30 (liability allocation for ICT third-party providers) and NIS2 Art. 21 (security risk management). Assess whether the reduced cap meets your organization’s risk tolerance for a security-critical vendor.

02 — Compliance

Three regulations. One monitoring gap.

DORA, NIS2, and GDPR all require you to monitor vendor contracts continuously. None of them accept “we didn’t know it changed” as an answer.

DORA Art. 28 & 30

ICT vendor oversight

Financial supervisors can request your evidence trail at any time. Proviqa helps generate it—continuously, not once a year.

Banks, insurers, investment firms

NIS2 Art. 21

Supply chain security

Your vendor weakened their SLA last month. Your risk profile changed. NIS2 says you should have noticed. Proviqa makes sure you do.

Critical infrastructure, digital services

GDPR Art. 28

Processor compliance

Your vendor changed their DPA—new sub-processors, broader data use. Under GDPR, the controller is responsible. Silence is not oversight.

Any company processing EU personal data

Proviqa provides automated change monitoring for informational purposes. It does not constitute legal advice.

Circleci
Sprinto
Hugging Face
Wiz
Elastic
Scale Ai
Datadog
Thoropass
Asana
Vultr
Plaid
Trustarc
Zoominfo
Otter Ai
Bamboohr
Grafana Labs
Smartsheet
Bitsight
Snowplow
Kandji Iru
Greenhouse
Drchrono
Revolut
Mimecast
Midjourney
Rapid7
Carta
Orca Security
Basecamp
Square
Ukg
Github
Linkedin
Fullstory
Loom
Pendo
Tableau
Klarna
Hotjar
Sentinelone
Webex
Shopify
Runway
Knowbe4
Workato
Gainsight
Secureframe
Informatica
Linear
Constant Contact
Canva
Thoughtspot
Netsuite
Churnzero
Box
Pipedrive
Proofpoint
Freshworks
Fly Io
Airtable
Replicate
Dropbox
Lastpass
Pandadoc
Heap
Zendesk
Zscaler
Clickup
Auth0
Cohere
Checkr
Crowdstrike
Neon
Lattice
Reddit
Docebo
New Relic
Splunk
Guidewire
Coupa
X
Hashicorp
Oracle Cloud
Celigo
Qualtrics
Surveymonkey
Openai
Adobe
Gusto
Dbt Labs
Pagerduty
Monday Com
Jasper
Hyperproof
Ramp
Concord
Notion
Elevenlabs
Bumble
Productboard
Mixpanel
Cloudflare
Atlassian
Zapier
Snowflake
Amplitude
Chargebee
Spotify
Workday
Remote Com
Airbnb
Clio
Mongodb
Salesforce
Okta
Veeva
Navan
Athenahealth
Expensify
Ringcentral
Sap
Stripe
1password
Twitch
Tiktok
Gitlab
Sisense
Fivetran
Databricks
Postman
Cornerstone Ondemand
Optro
Calendly
Segment
Sap Concur
Hetzner
Copy Ai
Supabase
Deel
Kareo Tebra
Servicenow
Cursor
Render
Affirm
Mailchimp
Doordash
Perplexity
Typeform
Slack
Vercel
Digitalocean
Heroku
Coda
Anthropic
Miro
Jumpcloud
Hubspot
Totango
Uber
Iterable
Aptible
Avalara
Dynatrace
Tenable
Paypal
Bill Com
Snapchat
Google Cloud
Todoist
Pinterest
Sterling
Vanta
Figma
Drata
Meta
Discord
Stability Ai
Zoom
Snyk
Duck Creek
Descript
Ironclad
Brex
Dropbox Sign
Sentry
Writesonic
Paycom
Confluent
Securityscorecard
Wise
Absorb Lms
Docusign
Rippling
Paylocity
Sailpoint
Litmos
Launchdarkly
Netflix
Intercom
Grammarly
Onetrust
Zuora
Braze
Twilio
Gong
Maxio
Aws
Juro
Synthesia
Linode Akamai
Hundreds of vendors monitored

Your entire vendor portfolio. Monitored.

Terms, DPAs, and privacy policies across hundreds of SaaS vendors—global and EU-native. Don’t see yours? Just ask.

03 — How it works

Three steps. Audit-ready evidence.

01

Add your vendors.

List the SaaS vendors your team depends on. We start monitoring their terms, DPAs, and privacy policies within hours.

02

Every change, mapped to regulations.

Plain-language summaries. Severity ratings. Each change flagged against GDPR, DORA, and NIS2—so your team knows what matters.

03

Your DPO acts. With receipts.

Immediate alerts to DPOs, CISOs, and procurement—with the documented evidence trail auditors expect.

04 — The alternative

The manual way costs more than you think.

Manual review
  • Paralegal checking 50+ vendor pages every quarter
  • ~€2,000 per review cycle in billable hours
  • No regulatory mapping — you do the GDPR cross-referencing
  • No evidence trail — just a spreadsheet with a date on it
  • Coverage gaps between reviews — changes that land in month 2 go unnoticed until month 3
Proviqa
  • Continuous monitoring — every change caught, not just quarterly ones
  • Automated GDPR, DORA, and NIS2 mapping on every diff
  • Timestamped evidence trail auditors can read
  • Immediate alerts to DPOs, CISOs, and procurement
  • Starting from €199/mo — daily monitoring for a third of what quarterly reviews cost
05 — Need a compliance baseline?

See what changed before you started watching.

Starting DORA or NIS2 compliance? We’ll audit your vendor agreements from the past 6 months—what changed, what’s relevant, and what your team should review first.

1

Share your vendor list

Tell us which vendors to audit. We check terms, DPAs, and privacy policies from the past 6 months.

2

Get a quote within 24 hours

We scope the work and send a flat-fee quote. No surprises, no hourly billing.

3

Receive your compliance report

Side-by-side diffs, regulation mapping, severity ratings, and flagged items—ready for your DPO or CISO.

06 — The risk

Two moments that matter.

  1. The auditor asks.

     “How do you monitor vendor contract changes?” If the answer is “manually” or “once a year,” that’s not continuous monitoring. Under DORA Art. 28, GDPR Art. 28, and NIS2 Art. 21, continuous monitoring isn’t optional—it’s a documented obligation. An honest answer without evidence is a finding.

  2. The change you missed.

     A vendor quietly updated their DPA. Sub-processors changed. The 30-day objection window opened and closed. You never got an alert. You never reviewed it. Under GDPR, silence from the controller isn’t neutrality—it’s implicit consent. The risk didn’t announce itself. It just landed.

For DPOs, CISOs, and compliance teams.

Your vendors changed their terms last month.
Can you prove you noticed?

Start generating the evidence your regulators expect. Two minutes.

Start monitoring

Need a compliance baseline first? Request a baseline audit