Data Inventory & Mapping Builder — Systems, Flows & One-Click RoPA (App + Any-Infrastructure Sync)
You cannot defend, disclose, or delete what you haven't mapped. Every obligation in your program — notices, DSARs, transfers, retention, breach scoping — starts with knowing what data you hold, where it lives, and where it moves. This is the tool that holds that answer, built the way lean teams actually work.
👉 Try the live demo — build a sample inventory, watch the flow map flag a cross-border transfer in red, and generate the Article 30 RoPA. Runs in your browser; nothing to install.
Enterprise data-inventory outcomes, nothing to deploy. The heavyweight discovery platforms earn their keep at 50,000 employees. Below that, they're a six-month implementation for a problem a practitioner can map in an afternoon — with the right structure. This is that structure, in a single file that runs in any browser, on any infrastructure, including air-gapped.
What's inside:
- Systems registry — every place personal data lives, with owner, hosting, location, data categories (special-category flagged), subjects, purpose, lawful basis, and retention. Seed dozens at once by pasting a CSV from your CMDB, SSO app list, or finance's SaaS ledger.
- Live data flow map — systems as nodes, flows as edges, drawn automatically as you work. Flows that leave the organization render dashed; cross-border flows with no transfer mechanism render red. Your posture, visible at a glance.
- Gap engine — special-category data without a lawful basis, systems without retention or an owner, transfers without safeguards: surfaced automatically, worded the way you'd write the finding yourself.
- One-click RoPA — the Article 30 register generates live from the inventory, so it can't drift out of date. Print to PDF or export CSV for your GRC tool. The register is a view over the map — the way it should have worked all along.
- Any-infrastructure sync — autosaves in the browser; exports/imports the full inventory as one JSON file; and pushes or pulls to any HTTPS endpoint you already run — GitHub, SharePoint, S3, Google Apps Script, or your own server. No connectors to buy, no PrivOptic infrastructure involved, because there is none.
Fits the rest of your program: flows flagged red hand off to the Transfer Impact Assessment Builder; retention gaps hand off to the Records Retention Schedule Builder; vendor recipients hand off to the Vendor Risk Scorecard. This is the hub the other tools spoke into.
Your data never touches ours: the app runs entirely client-side with no telemetry, no account, and no license server. Nothing you enter is transmitted to PrivOptic.
License: one organization, unlimited users, perpetual. Rebrand and adapt it internally — that's what it's for.
Tooling for privacy operations — categories, bases, and mechanisms are planning defaults to verify against your facts and counsel. Not legal advice.