Which jurisdictions are supported?

GDPR (EU + UK), CCPA / CPRA (California), DPDPA (India), LGPD (Brazil), PIPEDA (Canada) on day one. Per-jurisdiction templates, per-jurisdiction response-time benchmarks. New jurisdictions added on customer request.

How does this handle vendors without a documented DSAR contact?

ScopeMantle maintains a vendor-contact registry built from public privacy pages, DPA filings, and direct customer contributions. Vendors without a documented contact are flagged for manual escalation with a default fallback to the published privacy@ address.

How is this different from OneTrust?

OneTrust is the heavyweight enterprise platform — long sales cycle, six-figure starting cost, professional-services-heavy implementation. ScopeMantle is purpose-built for mid-market privacy teams of one — same loop (discover, send, track, evidence) without the enterprise lift.

Where does the data live?

EU-region or US-region tenants on customer choice. Vendor metadata is shared; subject data is tenant-isolated. Full DPA available; sub-processor list is public.

Built for privacy officers

DSARs across your full vendor inventory in one workflow.

ScopeMantle is the substrate for mid-market privacy teams who own GDPR, CCPA, and DPDPA fulfillment without a department to back it up. Discover every vendor with data. Send requests. Track responses. Generate evidence.

Most privacy officers in mid-market SaaS are a team of one. ScopeMantle exists so 'I have to send a DSAR to every vendor' takes a morning, not a quarter.

Book a demo See how it works

What gets in the way today

The shape of the problem.

The vendor list is wrong before you start

ROPA spreadsheets reflect what procurement signed contracts with — not what employees actually granted OAuth scopes to. The shadow inventory is often 5-10× the documented one.

DSAR fulfillment is per-vendor manual work

GDPR Article 15 doesn't care that your vendor list has 200 entries. Each request is per-vendor email, per-vendor template, per-vendor response tracking. The clock is 30 days.

Evidence is the work, not the answer

Regulators want the audit trail, not the screenshot. Without tooling, evidence collection is ad-hoc, which becomes a liability during regulator review.

What ScopeMantle does

Capabilities that map to the work.

Continuous vendor inventory

Every third-party OAuth grant in Google Workspace, Microsoft 365, and Okta — refreshed continuously. Shadow vendors and AI-generated SaaS apps included. ROPA upkeep stops being a manual task.

DSAR send-and-track

One workflow issues subject-access and deletion requests to every vendor in the inventory. Per-jurisdiction templates (GDPR, CCPA, DPDPA, LGPD, PIPEDA, UK GDPR). Response tracking with regulator-grade evidence.

Evidence file per request

Every DSAR closes with a packet: vendors contacted, responses received, time-to-respond benchmark, screenshots if requested. The audit trail is the deliverable, not the work.

What you can do this week

A concrete starting point, not a roadmap.

Connect Google Workspace or Microsoft 365 in read-only inventory mode.
Compare the OAuth-grant inventory to the ROPA — typical drift is 5-10×.
Issue a test DSAR to the top 20 vendors using the default GDPR template.
Generate a quarterly third-party-risk PDF for the board / DPO meeting.
Schedule revocation review for the highest-risk grants.

Frequently asked

Common questions.

Audit the drift. Govern the grants. Close the loop.

First inventory in 15 minutes. SSO and SCIM out of the box. SOC 2 Type II in progress.

Book a demo DSAR Playbook

About ScopeMantle

ScopeMantle is an OAuth-grant audit and DSAR-automation platform for mid-market SaaS companies, sold primarily through an open MSSP partner program (70/30 wholesale split, deal registration, no direct-sale conflict in partner territories) and secondarily direct. Built in 2026.

Explore the partner program →

70 / 30 wholesale · deal registration honoured · no direct-sale conflict