Privacy teams stitch assessments together by hand across spreadsheets, Word templates and email threads — then do it all again when the rules change. The detail gets lost; the audit trail doesn't exist.
The same processing details get re-entered into the DPIA, the ROPA, the risk register and the report — four chances to disagree with yourself.
When a regulator or auditor asks "who decided this, and on what basis?", a folder of documents can't answer. Decisions live in inboxes.
Guidance changes, templates fork, and last year's assessment is no longer readable against the rules that produced it. Consistency erodes quietly.
A configurable rules engine — not static forms. Triage answers flow into every downstream artefact. The system suggests; your DPO always decides.
Everything in the MVP serves a single product loop: create → triage → routed outcomes → review → locked report → dashboard → audit.
Questions, branching, scoring, routing and triggers are versioned configuration — not hard-coded forms. Sector packs filter one universal content bank.
Personal-data processing drafts a ROPA record straight from triage and DPIA. The owner confirms or edits — with review dates and overdue flags.
Suggested, library and custom risks are scored on your configured matrix with initial and residual bands. High residual risk gates approval, by design.
Data Protection by Design actions and evidence requirements generate automatically — owners, due dates, statuses, and blockers that stop premature sign-off.
On approval, the report snapshots the exact question, rule and matrix versions in force. Historic reports stay readable forever; material changes create a new version.
Every approval, answer change, evidence decision and config change is logged — clock-synced, exportable, and impossible to quietly edit.
Each pack filters the universal content bank to the questions, risks and evidence your sector actually faces. Switch packs on; nothing is duplicated.
Yes. Simpriva runs as centrally hosted SaaS in Azure UK South with paired UK West — including all backups and telemetry. We do not offer client-installed deployments for the MVP; per-tenant isolation answers the concern that usually motivates install requests.
Each tenant gets its own database within a shared application tier, with evidence files in a per-tenant storage container. That means per-tenant backup, restore and deletion — and an isolation story you can evidence in procurement rather than explain away.
No. Outputs are decision support, not legal advice. The engine suggests routings, risks and evidence; a human DPO or reviewer always decides and can override with a recorded rationale. PECR is handled as an advisory flag-and-review route.
On approval, an assessment snapshots the exact question, rule and matrix versions used, and renders a locked report. Historic reports never depend on re-evaluating today's rules. A material change after approval creates a new version, leaving the old one intact.
The MVP focuses on the DPIA lifecycle, with auto-populated controller-mode ROPA and a Data Protection by Design checklist flowing from the same triage answers. Processor-mode ROPA, Word export and richer dashboards are on the near-term roadmap.