PolicyDoc — Customer DPA / DPIA / SCC Tracker
Tracks 18 seeded enterprise customers across EU, UK, US, APAC, and Canada. DPA execution dates, DPIA documentation, SCC module + transfer mechanism, sub-processor consent, retention windows, renewal calendar. GDPR Art 28 evidence shape.
What it is
When your enterprise customer’s procurement team asks for the executed DPA — and the sub-processor consent log — and the DPIA — and proof that you’re using the 2021 SCCs not the 2010 ones — and their renewal date is in the calendar — PolicyDoc is the shape that answers them all in one screen.
What it tracks
- 18 customers across regions: 8 EU, 3 UK, 4 US (HIPAA + state law), 3 APAC, 1 Canada (PIPEDA).
- For each customer:
  - DPA execution + expiry (1-3 year typical renewal cadence)
  - DPIA completion date (GDPR Art 35 high-risk processing)
  - SCC module — 1 (C→C), 2 (C→P, most common), 3 (P→P sub-processor), 4 (P→C)
  - Transfer mechanism — SCCs (2021 + UK addendum), adequacy decision, Data Privacy Framework (Schrems II successor), Binding Corporate Rules
  - Sub-processor consent — when the customer last consented to the current list
  - Retention window per customer’s data-handling policy
  - Regulator — BaFin, CNIL, ICO, BaFin/LfDI, AP, HIPAA, FCA, etc.
- Sub-processor list — 8 typical sub-processors (AWS, Snowflake, Datadog, Sentry, Stripe, Twilio SendGrid, Cloudflare) with region tags. Customer must consent before changes.
- Findings per customer — missing DPA, expired DPA (the 2 seeded customers with expired DPAs), no SCC for EU customer, no DPIA on file, sub-processor consent gap.
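An added example (not PolicyDoc's own code) of how the per-customer findings listed above could be computed from one tracker row. The field names, the mechanism codes, the rule for when an EU customer needs SCCs, and the sample rows are all assumptions.

```javascript
// Added example. Field names, mechanism codes and the sample rows are
// assumptions for illustration, not PolicyDoc's actual schema or data.
// Dates are ISO 8601 (YYYY-MM-DD), so plain string comparison orders them.
const SCC_MODULES = new Set([1, 2, 3, 4]);

function findingsFor(c, listChangedOn, today) {
  const findings = [];
  if (!c.dpaExecuted) findings.push("missing DPA");
  else if (!c.dpaExpires || c.dpaExpires < today) findings.push("expired DPA");

  if (!c.dpiaCompleted) findings.push("no DPIA on file");

  // Assumption: an EU customer with no recorded mechanism, or relying on
  // SCCs, needs a module (1-4) on the 2021 clauses. Adequacy, DPF and BCR
  // customers are not flagged here.
  const reliesOnScc = !c.mechanism || c.mechanism === "SCC";
  const sccOk = c.mechanism === "SCC" && SCC_MODULES.has(c.sccModule) &&
    c.sccVersion === "2021";
  if (c.region === "EU" && reliesOnScc && !sccOk)
    findings.push("no SCC for EU customer");

  // Consent only counts if it postdates the last sub-processor list change.
  if (!c.subprocessorConsent || c.subprocessorConsent < listChangedOn)
    findings.push("sub-processor consent gap");
  return findings;
}

// Constructed sample data.
const TODAY = "2025-01-15";
const LIST_CHANGED_ON = "2024-03-01";
const customers = [
  { name: "Example GmbH", region: "EU", dpaExecuted: "2023-02-01",
    dpaExpires: "2026-02-01", dpiaCompleted: "2023-03-10", mechanism: "SCC",
    sccModule: 2, sccVersion: "2021", subprocessorConsent: "2024-04-02" },
  { name: "Example SAS", region: "EU", dpaExecuted: "2021-05-01",
    dpaExpires: "2024-05-01", dpiaCompleted: null, mechanism: "SCC",
    sccModule: 2, sccVersion: "2010", subprocessorConsent: "2023-11-20" },
  { name: "Example Inc", region: "US", dpaExecuted: null, dpaExpires: null,
    dpiaCompleted: "2024-01-05", mechanism: "DPF",
    subprocessorConsent: "2024-06-01" },
];

for (const c of customers) {
  const f = findingsFor(c, LIST_CHANGED_ON, TODAY);
  console.log(`${c.name}: ${f.length ? f.join("; ") : "no findings"}`);
}
```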
Why this shape
Enterprise procurement teams ask for the same 7 artifacts every time. SaaS legal teams build them once, store them in 3 different drives, lose them across renewals. The audit risk isn’t that the docs don’t exist — it’s that nobody can produce them in 48 hours when the customer’s auditor asks.
PolicyDoc puts every artifact in one row, per customer.
How it ships
Single HTML file, ~34KB. Zero dependencies. The customer catalog, SCC module map, transfer mechanism catalog, status logic, and sub-processor consent tracking are 360 lines of vanilla JavaScript.