Yair Knijn
The data processing agreement signed at onboarding and never revisited
The DPO signs the data processing agreement during onboarding, files it, and moves on. The assumption underneath is that the signature is the control: terms were agreed, a binding contract exists, the box is green. So the file sits there, and the next time anyone opens it is the morning a regulator or a customer's auditor asks for it.
The problem is that the document describes a vendor that no longer exists. Subprocessors got added, a hosting region moved, an encryption commitment quietly softened in a product change. The paper still says what it said. The processing stopped matching it months ago.
What GDPR Article 28 actually requires beyond a signature
Article 28 is not satisfied by having a contract. It requires that processing be governed by binding terms and that those terms keep describing reality. Under Article 28(2), where you granted general authorization for subprocessors (which nearly everyone does, because naming each one is impractical), the processor must inform you of any planned addition or replacement and give you a real chance to object. Article 28(3)(h) hands you a standing audit right: the processor must make available everything needed to demonstrate compliance and submit to inspections.
Those are continuous obligations. A notification you never read does you no more good than one that was never sent; the objection window runs either way, and it runs from the day the notice arrived, not from the day you noticed it. An audit right you never exercise tells you nothing. The signature opened the relationship; it did not close the question.
Drift: how subprocessors and locations change after signing
Vendors change their supply chain constantly, and most do it the compliant way: a 30-day notice, or an updated subprocessor page you were told to watch. The gap is on your side. The notice lands in a shared inbox. The subprocessor page changes silently and nobody diffs it. A processor you screened adds a fourth-party CDN, or shifts eu-west failover to a region you never assessed, and the email that disclosed it is three quarters old.
- A new subprocessor appears on the vendor's list that was never on the version attached to your DPA.
- Data residency moves from the EEA to a transfer mechanism you never reviewed, breaking your Art. 44 assumptions.
- A security measure named in Annex II (a specific cipher, a pen-test cadence) no longer matches what the vendor's current trust page claims.
Reconciling agreed terms against live estate reality
The only way to catch this is to treat the DPA as one half of a comparison and the live vendor as the other. You need the agreed state (the subprocessor list, residency commitments, and security measures as signed) sitting next to the current state (the vendor's published subprocessor list, the actual region, the present trust page), compared on a cadence rather than only when an incident forces it. When the two diverge, that divergence is your objection trigger and your audit prompt, while you still have standing to act.
Almost nobody does this, because the agreed state lives in a PDF in a contracts folder and the live state lives across vendor portals and status pages. There is no shared surface where they meet, so the reconciliation is a person, once a year, if that. The objection window closes in the silence.
Continuous DPA assurance instead of a one-time file
Continuous assurance means each vendor record carries the agreed terms as structured data, the current observed terms get refreshed on a schedule, and a delta against the signed version raises a flag a human reviews. It also means every subprocessor notification is logged against the vendor it concerns, with the objection deadline tracked, so a 30-day window is a task and not an accident. That is the difference between holding a DPA and being able to show, on any given day, that the processing still matches it.
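As an added example (not the page's own code and not Spot Suite's), the reconciliation described above written out in Python: the signed terms and the observed terms are held as structured records, the delta between them becomes a list of findings, and each subprocessor addition carries an objection deadline computed from the vendor's notice date. Where no notice is on file the deadline is counted from the observation date as a conservative assumption, and the finding says so, because the real window may already have closed. The vendor names, measure keys, dates and the 30-day period are constructed for illustration.

```python
"""DPA drift check: signed (agreed) state vs. currently observed vendor state.

Added example, not code from the page or from Spot Suite. Vendor names, measure
keys, dates and the 30-day notice period are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class DpaState:
    """The fields a DPA commits to, held as data rather than as a PDF attachment."""
    subprocessors: frozenset[str]        # names as listed in the DPA annex / vendor page
    residency: str                       # e.g. "EEA"
    transfer_mechanism: Optional[str]    # Art. 44-49 basis for ex-EEA transfers; None if none
    security_measures: dict[str, str]    # Annex II style commitments, key -> value


@dataclass(frozen=True)
class Finding:
    kind: str                            # what drifted
    detail: str
    objection_deadline: Optional[date]   # when the Art. 28(2) objection window closes, if one applies
    noticed: bool                        # True if a vendor notice for this change is on file


def reconcile(agreed: DpaState, observed: DpaState, observed_on: date,
              notices: dict[str, date], notice_days: int = 30) -> list[Finding]:
    """Return every divergence between the signed DPA and the observed vendor state.

    `notices` maps a subprocessor name to the date the vendor's notice was received.
    An addition with a notice on file gets its deadline from that date; an addition
    with no notice is still flagged, with the deadline counted from `observed_on`
    as an assumption, since the real window may already be closed.
    """
    findings: list[Finding] = []
    for name in sorted(observed.subprocessors - agreed.subprocessors):
        notice = notices.get(name)
        start = notice if notice is not None else observed_on
        findings.append(Finding(
            kind="subprocessor_added",
            detail=name if notice is not None else f"{name} (no notice on file)",
            objection_deadline=start + timedelta(days=notice_days),
            noticed=notice is not None,
        ))
    for name in sorted(agreed.subprocessors - observed.subprocessors):
        findings.append(Finding("subprocessor_removed", name, None, name in notices))
    if (observed.residency, observed.transfer_mechanism) != (agreed.residency, agreed.transfer_mechanism):
        findings.append(Finding(
            "residency_changed",
            f"{agreed.residency}/{agreed.transfer_mechanism} -> "
            f"{observed.residency}/{observed.transfer_mechanism}",
            None, False))
    for key in sorted(agreed.security_measures.keys() | observed.security_measures.keys()):
        before = agreed.security_measures.get(key)
        after = observed.security_measures.get(key)
        if before != after:
            findings.append(Finding("measure_changed", f"{key}: {before} -> {after}", None, False))
    return findings


def overdue(findings: list[Finding], today: date) -> list[Finding]:
    """Findings whose objection window has already closed as of `today`."""
    return [f for f in findings if f.objection_deadline is not None and f.objection_deadline < today]


# Constructed sample data: what the DPA annex said at signing vs. what the vendor shows today.
AGREED = DpaState(
    subprocessors=frozenset({"CloudHost EU", "MailRelay"}),
    residency="EEA", transfer_mechanism=None,
    security_measures={"encryption_at_rest": "AES-256", "pentest_cadence_months": "12"},
)
OBSERVED = DpaState(
    subprocessors=frozenset({"CloudHost EU", "MailRelay", "EdgeCDN Inc"}),
    residency="US-east", transfer_mechanism="SCCs",
    security_measures={"encryption_at_rest": "AES-256", "pentest_cadence_months": "24"},
)
NOTICES = {"EdgeCDN Inc": date(2024, 1, 15)}   # constructed: date the vendor's notice landed


def run_example(today: date = date(2024, 4, 10)) -> tuple[list[Finding], list[Finding]]:
    """Run the check for the sample vendor; returns (all findings, overdue findings)."""
    findings = reconcile(AGREED, OBSERVED, today, NOTICES)
    return findings, overdue(findings, today)


if __name__ == "__main__":
    all_findings, late = run_example()
    for f in all_findings:
        flag = "OVERDUE" if f in late else ""
        print(f"{f.kind:20} {f.detail:45} deadline={f.objection_deadline} {flag}")
```

The point of the `noticed` field is the caveat from the section above: a subprocessor you find by diffing the vendor's page is not the same as one you were told about, and the deadline you compute for it is a guess until the notice is located. Both cases are still raised so a human reviews them.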
In Spot Suite, each vendor lives in a Customer Environment that keeps the signed terms, the subprocessor list, and the residency and security commitments as live fields rather than an attachment, so a drift against the agreed state surfaces as a flag with the objection clock already running instead of a discovery during the audit. The control was never the signature. The control is the reconciliation you can produce on demand. See how we approach security.