Claire keeps getting “we picked a new online meeting tool, can you sign off?” with no spec. She refuses three-week audits for standard use: committees, internal training, occasional client calls. She publishes a short grid that managers fill in before her scoping call with IT.

Why audits drift

Without a frame, the DPO gets a marketing screenshot and three register lines. Session recording is on “because the manager prefers it,” with no retention. Claire has seen collaborative spaces forgotten six months after a pilot.

Her thirty-minute goal is not to certify the universe. It is to decide whether the tool enters the register as-is, enters with conditions, or stays in limited test.

30-minute audit grid

Claire times it: ten minutes on documentation, ten on the business interview, ten on the decision and actions. Each row needs evidence (link, PDF, contract excerpt).

If more than three cells stay empty, Claire delays production and limits the trial to two internal accounts.

| Control | Question | Expected evidence | Typical decision |
|---|---|---|---|
| Purpose | Why this tool? | 3-line business note | OK / clarify |
| Legal basis | Contract, legitimate interest, consent? | Register mention | OK / legal |
| Hosting | Country of data and flows | DPA + host sheet | OK / reject |
| Sub-processors | Up-to-date list? | DPA annex | OK / complete |
| Retention | Logs, recordings, accounts | Internal policy | OK / configure |
| Rights | Access, erasure, export | HR/IT procedure | OK / process |
| Security | Transit encryption, admin access | Vendor doc + SSO if on | OK / harden |
| Exit | End of contract | Export/deletion clause | OK / negotiate |

DPO / compliance decision model

Claire uses three levels: A (register + contract OK, wider pilot), B (restricted internal, no recording, 90-day review), C (stop or alternate tool). Meeting by Leagora often lands A or B when France DPA and Leagora docs are filed.

She asks IT to create Team (5) rooms for DPO tests, Project (12) for committees with moderate personal data, Workshop (25) only after external participant flows are validated.

  • A: production, participant information
  • B: internal, no recording, SSO reviewed
  • C: sub-processor or transfer risk undocumented

Scenario: services SMB, new collaborative space

HR declares Meeting by Leagora for internal remote interviews. Claire opens the DPA, checks France hosting and Leagora infrastructure, notes encryption stated on the site, disables recording by default on the business side. Twenty-five minutes: B+ decision, A after framework contract signature.

She has IT run the free one-hour two-participant trial to confirm the guest path matches the register (no mandatory account, minimal data).

Deliverables after the audit

Claire returns a one-page sheet: purpose, retention, owner, DPA link, review date. A custom domain is noted if external candidates get the link, because it has an impact on privacy notices.

Three months later she does not redo everything: she only checks “retention” and “sub-processors” if the vendor changed annexes.

Frequently asked questions

No. Claire reserves the grid for SMBs and standard use; healthcare needs HDS and deeper analysis.

No: one vendor processing; Team, Project and Workshop share the same contract.

Separate decision: HR or training purpose, short retention, access rights, storage if France hosting confirmed.

Yes if real personal data flows; Claire limits trials to two identified internal participants.
