A Record of Processing Activities (RoPA) is the accountability document [GDPR art. 30] requires most organisations to maintain — a structured list of what personal data you process, why, and how. miniterms builds this register from your business profile and your declared processing activities, and shows you exactly which parts are backed by evidence versus simply stated.
Coverage: evidence, asserted, gap
Every field in the register carries a provenance badge:
| Badge | Meaning |
|---|---|
| Evidence | Backed by an anchored receipt from elsewhere in miniterms (e.g. a signed subprocessor attestation) |
| Asserted | Stated by you in your business profile or an activity record, not independently verified |
| Gap | Missing — must be completed for the register to be accurate |
The Coverage card at the top of /dashboard/ropa totals these across the register so you can see how complete it is at a glance.
Controller and DPO
The Controller card shows your entity name, registered address, and contact email — pulled from your business profile — plus your DPO details if you've recorded one, per [GDPR art. 30(1)(a)].
Processing activities
Each row in the activities table is one processing activity, with its purpose, data subjects, data categories, retention period, recipients, and any international transfers. You can:
- Add activity — enter a new processing activity manually.
- Seed from my documents — pre-fills activities from your Privacy Policy and DPA profile data. Review and refine each seeded activity for accuracy — seeded activities initially share your profile-wide data categories and subjects.
- Edit / Delete — update or remove any activity you added.
Cross-register fields
Below the activity table, the register also tracks organisation-wide fields required by Article 30: your security measures (Art.32), your subject-rights process (Arts.15–22), and your privacy-notice status (Art.13).
Sign and export
- Sign register produces a verifiable receipt of the register's current state. To verify it, download the verifiable JSON and paste it at verify.dekimu.com/verify-receipt.
- Export .md / Export .json download a copy of the register in either format, independent of signing.
Signing requires your workspace to have provenance configured — if it isn't, the button shows "Signing not configured" and downloads/exports still work.
Limits
The register is only as complete as what you've entered — miniterms cannot discover processing activities you haven't declared. Close every "gap" badge before relying on the register for an audit or regulator request.