Trust Center & Subprocessor Monitor

Monitor vendor trust centers, subprocessor lists, DPA pages, and security posture. Detect subprocessor additions and removals, DPA updates, certification drift, and security page changes. Outputs one summary-first digest per vendor with executiveSummary, actionNeeded, recommendedActions, changedSinceLastRun, pageSummaries, and evidence.

---

Quickstart (2 minutes)

Step 1 — Add your vendor:

{
  "vendors": [
    {
      "id": "okta",
      "name": "Okta",
      "criticality": "high",
      "owner": "Security / Legal",
      "subprocessorsUrl": "https://www.okta.com/privacy/okta-personal-data-sub-processors/",
      "dpaUrl": "https://www.okta.com/privacy/data-processing-addendum/"
    }
  ],
  "delivery": "dataset",
  "datasetMode": "changes_only",
  "snapshotKey": "trust-center-quickstart"
}

Step 2 — Run once to capture baseline. The first run produces status: "initial" for all pages.

Step 3 — Schedule recurring runs (daily or weekly). Subsequent runs will detect drift and set actionNeeded: true with evidence when subprocessors or DPA content changes.

---

Vendor Configuration

Shorthand fields (quickstart-friendly)

Field	Pack	Description
trustCenterUrl	trustCenter	Main trust center page
subprocessorsUrl	subprocessors	Subprocessor list page
securityUrl	security	Security posture page
dpaUrl	dpa	Data Processing Addendum
privacyUrl	privacy	Privacy policy page

Full urlPacks (advanced)

{
  "id": "salesforce",
  "name": "Salesforce",
  "criticality": "mission_critical",
  "urlPacks": {
    "subprocessors": [{ "id": "sf-sp", "url": "https://..." }],
    "dpa": [{ "id": "sf-dpa", "url": "https://..." }],
    "trustCenter": [{ "id": "sf-trust", "url": "https://..." }],
    "security": [{ "id": "sf-sec", "url": "https://..." }]
  }
}

Supported packs: trustCenter, subprocessors, security, dpa, privacy, changelog

---

Output Fields Per Vendor

Field	Description
vendorId	Stable vendor identifier
vendorName	Display name
status	initial / changed / unchanged / partial / error
severity	high / watch / info
actionNeeded	true when compliance follow-up is required
changedSinceLastRun	true when any monitored page changed
executiveSummary	One-line human-readable summary
recommendedActions	Ordered list of follow-up actions
changedPacks	Which packs changed (subprocessors, dpa, etc.)
pageSummaries	Per-page status with brief description
evidence	Changed lines grouped by pack (added / removed)

---

Delivery Modes

Mode	When to use
dataset	Default. Apify Dataset output. Use datasetMode to filter rows.
webhook	POST summary to your endpoint on every run (or only on changes).
email	Placeholder — not yet implemented.

Dataset Modes

datasetMode	Rows included
changes_only	Initial + changed + error
action_needed	Only actionNeeded: true rows
all	Every vendor regardless of status

---

Scheduling

For compliance monitoring, schedule weekly or bi-weekly runs using Apify Scheduler. Use the same snapshotKey across runs to maintain baselines.

For immediate alerting, use delivery: "webhook" with datasetMode: "action_needed" and notifyOnNoChange: false.

---

Local Development

node src/index.js             # Reads input.json or input.local.json
node --test test/*.test.js    # Run tests

Set APIFY_INPUT_PATH, OUTPUT_DIR, and STATE_DIR environment variables to control paths.