
HowTo: Approve new tools with ChangeRequests


New tools show up every week. AI tools especially. And every single one wants access to some kind of data. Before your team starts using the latest app someone found on Product Hunt, you need to know what it does with that data. GDPR says so, and honestly, so does common sense.

This guide walks you through the questions to ask and how ComplianceHive's ChangeRequest flow keeps the whole process documented.

Why bother with an approval process?

Your team already uses dozens of tools. Project management software stores client names. AI writing assistants process whatever text people paste into them. Password managers hold the keys to everything.

Without a process, people just start using things. Someone signs up for a free trial, enters customer data, and nobody else even knows the tool exists. That is how you end up with data in places you cannot track, which is exactly what GDPR was designed to prevent.

An approval process does not need to be heavy. It just needs to exist.

Five questions to ask before approving any tool

Before saying yes to a new tool, run it through these questions. They cover legal, security, and cost.

1. What problem does this tool solve?

Start here. If nobody can clearly explain why the team needs it, that tells you something. "It looks cool" is not a reason. "We spend four hours a week copying data between spreadsheets" is.

2. What data will it access?

Figure out exactly what goes in. Customer names? Email addresses? Financial records? Internal documents? The answer determines how much is at stake if something goes wrong.

3. Where is the data stored?

Geography matters more than people think. GDPR applies to the personal data of people in the EU wherever it is stored, and moving that data outside the EU/EEA needs a lawful transfer mechanism such as an adequacy decision or standard contractual clauses. Data hosted in the United States may also be reachable by U.S. government access requests. Some industries have even stricter rules about where data can live. Check where the vendor, and its sub-processors, actually keeps its servers, not just where the company is headquartered.

4. How do they protect your data?

Is the data encrypted in transit and at rest? Does the vendor hold certifications like ISO 27001 or SOC 2, and will they sign a data processing agreement (GDPR requires one with every processor)? Do they sell or share data with third parties, or use it to train AI models? Your customers trust you with their information. The vendor needs to earn that trust too.

5. What does it cost?

Obvious question, but worth asking carefully. A free tool with weak security might cost you more down the road than a paid one with proper data protection. And "free" often means your data is the product.

How ComplianceHive handles this

In ComplianceHive, every change goes through a ChangeRequest. If you have worked with pull requests in software development, the concept is similar: someone proposes a change, reviewers look it over, and the change only goes live after approval.

This is not an optional setting. It is how the product works.

Here is the step-by-step flow:

Step 1: A colleague adds or updates a System

In ComplianceHive, the tools and software your organization uses are called Systems. When a colleague wants to add a new System or update an existing one, they fill in the details. This creates a ChangeRequest in DRAFT status.

One ChangeRequest can cover multiple Systems. Say your team wants to adopt a new project management tool and retire the old one. Both changes go in the same ChangeRequest.

Step 2: Submit for review

When the ChangeRequest is ready, the colleague moves it to PENDING_APPROVAL. Everyone with review rights gets notified.

Step 3: Reviewers evaluate the ChangeRequest

Colleagues with review permissions examine the proposed changes. They review the ChangeRequest as a whole, not individual System records. One review, all related changes covered.

This is where the five questions from above become useful. Reviewers should check that the submitter has answered them for each System in the request.

Step 4: Approve (or send back)

When reviewers are satisfied, the ChangeRequest moves to APPROVED. The changes then get applied to the actual System records, and the ChangeRequest moves through APPLIED to CLOSED.

If something is off, a single reviewer can reject the ChangeRequest. It moves to REJECTED status. From there, the submitter can reopen it and move it back to DRAFT to revise and resubmit.

Step 5: The audit trail

Every action on a ChangeRequest gets logged. Who submitted it, who reviewed it, when it was approved, what changed. The audit trail lives on the ChangeRequest itself. If an auditor ever asks "who approved this tool and when?", you have one place to point them.

System statuses

Once a System exists in ComplianceHive, it moves through a simple lifecycle:

  • DRAFT means it is being set up but not yet in use.
  • ACTIVE means it is approved and your organization is using it.
  • ARCHIVED means it has been retired.

Three statuses, no grey areas. You can always tell which tools your organization is using right now and which ones have been put away.
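To make the ChangeRequest flow and the System lifecycle above concrete, here is a small Python model written for this guide. It is an added illustration, not ComplianceHive's code: the class names (ChangeRequest, SystemChange, run_example), the rule that approval is blocked until all five questions are answered for every System, and the rule that a submitter cannot approve their own request are assumptions made for the example. What it shows is that every status change goes through one transition table, that System records only change when a request is applied, and that the audit trail is a list of entries kept on the request itself.

```python
"""Hypothetical model of an approval workflow for tool (System) changes.

Not ComplianceHive's implementation: names, the five-question gate and the
separation-of-duties rule are assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum

# Keys for the five questions every System change must answer.
FIVE_QUESTIONS = ("problem", "data", "location", "protection", "cost")


class CRStatus(str, Enum):
    DRAFT = "DRAFT"
    PENDING_APPROVAL = "PENDING_APPROVAL"
    APPROVED = "APPROVED"
    APPLIED = "APPLIED"
    CLOSED = "CLOSED"
    REJECTED = "REJECTED"


class SystemStatus(str, Enum):
    DRAFT = "DRAFT"
    ACTIVE = "ACTIVE"
    ARCHIVED = "ARCHIVED"


# The only allowed status transitions; anything else is refused.
TRANSITIONS = {
    CRStatus.DRAFT: {CRStatus.PENDING_APPROVAL},
    CRStatus.PENDING_APPROVAL: {CRStatus.APPROVED, CRStatus.REJECTED},
    CRStatus.APPROVED: {CRStatus.APPLIED},
    CRStatus.APPLIED: {CRStatus.CLOSED},
    CRStatus.REJECTED: {CRStatus.DRAFT},
    CRStatus.CLOSED: set(),
}


@dataclass
class System:
    name: str
    status: SystemStatus = SystemStatus.DRAFT


@dataclass
class SystemChange:
    """One proposed change to a System, with the submitter's answers."""
    system: System
    new_status: SystemStatus
    answers: dict = field(default_factory=dict)

    def unanswered(self) -> list:
        return [q for q in FIVE_QUESTIONS if not self.answers.get(q, "").strip()]


@dataclass
class ChangeRequest:
    submitter: str
    changes: list            # one request may cover several Systems
    reviewers: frozenset     # colleagues with review rights
    status: CRStatus = CRStatus.DRAFT
    audit: list = field(default_factory=list)  # append-only trail on the request

    def _move(self, actor: str, new_status: CRStatus, note: str = "") -> None:
        if new_status not in TRANSITIONS[self.status]:
            raise ValueError(f"cannot go from {self.status.value} to {new_status.value}")
        self.audit.append({"at": datetime.now(timezone.utc).isoformat(), "who": actor,
                           "from": self.status.value, "to": new_status.value, "note": note})
        self.status = new_status

    def _check_reviewer(self, actor: str) -> None:
        if actor not in self.reviewers:
            raise PermissionError(f"{actor} has no review rights")
        if actor == self.submitter:  # assumed separation of duties
            raise PermissionError("submitter cannot review their own request")

    def unanswered(self) -> dict:
        """Per-System list of unanswered questions; empty means ready to approve."""
        return {c.system.name: c.unanswered() for c in self.changes if c.unanswered()}

    def submit(self, actor: str) -> None:
        self._move(actor, CRStatus.PENDING_APPROVAL)

    def reject(self, actor: str, reason: str) -> None:  # one reviewer is enough
        self._check_reviewer(actor)
        self._move(actor, CRStatus.REJECTED, reason)

    def reopen(self, actor: str) -> None:
        self._move(actor, CRStatus.DRAFT)

    def approve(self, actor: str) -> None:
        self._check_reviewer(actor)
        if self.unanswered():  # gate on the five questions for every System
            raise ValueError(f"unanswered questions: {self.unanswered()}")
        self._move(actor, CRStatus.APPROVED)

    def apply(self, actor: str) -> None:
        """The only code path that touches System records."""
        self._move(actor, CRStatus.APPLIED)
        for c in self.changes:
            c.system.status = c.new_status
        self._move(actor, CRStatus.CLOSED)


def run_example():
    """Constructed scenario: adopt one tool, retire another, in one request."""
    new_pm = System("Acme Tasks")                          # constructed sample
    old_pm = System("Legacy Board", SystemStatus.ACTIVE)   # constructed sample
    answers = {"problem": "4h/week copying between spreadsheets", "data": "client names",
               "location": "EU (Frankfurt)", "protection": "TLS, AES at rest, SOC 2, DPA signed",
               "cost": "EUR 8/user/month"}
    cr = ChangeRequest("alice", [SystemChange(new_pm, SystemStatus.ACTIVE),  # no answers yet
                                 SystemChange(old_pm, SystemStatus.ARCHIVED,
                                              dict(answers, problem="retire after migration"))],
                       reviewers=frozenset({"bob", "carol"}))
    cr.submit("alice")
    if cr.unanswered():                                   # reviewer runs the five-question check
        cr.reject("bob", f"missing answers: {cr.unanswered()}")
    cr.reopen("alice")
    cr.changes[0].answers.update(answers)                 # submitter fills them in and resubmits
    cr.submit("alice")
    cr.approve("carol")
    cr.apply("carol")
    return cr, new_pm, old_pm


if __name__ == "__main__":
    cr, new_pm, old_pm = run_example()
    for entry in cr.audit:
        print(entry["at"], entry["who"], entry["from"], "->", entry["to"], entry["note"])
    print(new_pm, old_pm)
```

Run it and the audit list prints the full story of the request: submitted, rejected with the reason, reopened, resubmitted, approved and applied, each with actor and timestamp. Trying to call `submit` on the closed request, or `approve` as someone without review rights, raises rather than silently changing state, which is the property an auditor is really asking about.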

Putting it together

Ask the five questions for every new tool request. Let the ChangeRequest flow handle the review process and the paper trail. When the auditor shows up, you will have everything documented in one place instead of digging through email threads and Slack messages.

A documented approval process is one piece of the compliance puzzle, but it is a solid place to start.

Ready to structure your compliance journey? See how ComplianceHive works on the features page, or explore pricing to find the right plan for where you are now.


Start gaining control over your vendors and software today

Let ComplianceHive help you with ISO 27001, GDPR, vendor management, and more. No hassle, no spreadsheets, just clarity. Start now with a free 1-month trial. No credit card required, no hidden fees. Discover the Busy Hive plan and manage up to 25 tools and vendors in one overview.
