v4 / 6 steps / research + template generation + Google Doc output
Researches vendor documentation (DPA, trust center, security pages, sub-processors, privacy policy)
and creates a pre-populated ITFA Schedule 1 Google Doc for the requester.
Answers 9 of 14 questions automatically, flags 5 for human input.
Operated by Legal/IT/People review team, not the requester.
Trigger
Document Retrieval
Web Research
Template Generation
Output
Input Form (4 fields)
Link to Vendor Website: TEXT - e.g. https://cursor.com
Name of Covered Tool: TEXT - e.g. Cursor, Notion
Department: TEXT - submitting department
Contact Name: TEXT - responsible contact
Phase 1 - Context Loading (sequential)
Step 1 - Read ITFA Guidance (Read document)
Goal: Load the ITFA Schedule 1 Guidance for Requestors from Confluence.
Source: Confluence wiki page (fixed URL)
Purpose: Provides the full 14-question questionnaire structure, definitions ("Monitoring," "Employee Personal Data"), and per-question responsibility assignments (Legal, IT, People, Requester).
memory: ALL_DEPENDENCIES
Step 2 - Golden Example - Cursor Completed Form (Read document)
Goal: Load a completed ITFA questionnaire (Cursor) as a quality and tone anchor.
Source: Internal document (URL configured post-import)
Purpose: Shows the expected depth, citation style ("Per the [Vendor] DPA at Annex X..."), confidence levels, and formatting for each answer. The agent matches this pattern throughout.
memory: ALL_DEPENDENCIES
Step 3 - Questionnaire Search Parameters (Read document)
Goal: Load the search parameters document that guides what information to find for each question.
Source: Google Docs (fixed URL)
Purpose: Maps each ITFA question to specific vendor documentation types and search terms. Tells the research step exactly what to look for (DPA sections, trust center certifications, sub-processor lists, etc.).
memory: ALL_DEPENDENCIES
Phase 2 - Vendor Web Research
Step 4 - Vendor Web Research (Web search)
Goal: Research the vendor's public documentation across 5 search domains.
Search areas:
Trust Center / Security - SOC 2, ISO 27001, encryption, access controls, SSO, monitoring
DPA (Data Processing Agreement) - personal data categories, purposes, TOMs, SCCs, deletion, hosting regions
Privacy Policy - data types collected, IP/location data, retention periods
Deletion / Retention - timelines, schedules, termination data handling
Terminology awareness: DPA = Data Processing Agreement = Data Processing Addendum = Data Protection Agreement. TOMs = Technical and Organizational Measures. SCCs = Standard Contractual Clauses.
Output per area: URL found (or NOT FOUND), relevant excerpts with direct quotes.
Status: COMPLETE | PARTIAL | MINIMAL
memory: NO_MEMORY (stateless - no prior context carried)
Phase 3 - Template Generation
Step 5 - Format as ITFA Schedule 1 Questionnaire (Respond)
Goal: Produce a complete ITFA Schedule 1 questionnaire document using research findings, guidance, and golden example as quality anchor.
14-question coverage:
| Q# | Question | Source | Coverage |
|----|----------|--------|----------|
| 1 | General description of the tool | Web research | Agent |
| 2 | Has Legal conducted a risk assessment? | Legal/Privacy | Requester |
| 3 | Safeguards / risk-mitigating measures (TOMs) | DPA, Trust Center | Agent |
| 4 | Primary purpose of the tool | Requester | Requester |
| 5 | Categories of Employee Personal Data | DPA Annex 1 | Agent |
| 6 | Used for monitoring location/movements? | Vendor docs | Agent |
| 7 | Used for performance management? | Vendor docs | Partial |
| 8 | Can create reports with Employee Personal Data? | Vendor docs | Partial |
| 9 | Roles/titles with access | IT / Requester | Requester |
| 10 | Requested implementation timeline | Requester | Requester |
| 11 | Where is Employee Personal Data stored? | DPA, Sub-processors | Agent |
| 12 | Has Contentful executed a DPA / TIA? | Legal | Partial |
| 13 | Known deletion periods | DPA, Privacy Policy | Agent |
| 14 | Training measures planned | Requester | Requester |
Formatting rules:
Agent-answered questions include source URLs and confidence levels (High/Medium/Low)
Citation style matches golden example: "Per the [Vendor] DPA (at Annex X)..."
Human-required questions output "[Requester to complete]"
Includes Permissions table skeleton and Works Council signature block
Art. 9 GDPR special categories flagged with alert if detected
memory: ALL_DEPENDENCIES
Phase 4 - Output
Step 6 - Create ITFA Questionnaire Google Doc (Create a Google Doc)
Goal: Create a Google Doc containing the pre-populated ITFA Schedule 1 questionnaire.
Title: Schedule 1 - [Tool Name] - ITFA Covered Tool Questionnaire
Content: Full formatted output from Step 5, transferred exactly as produced. No modifications.
Note: Requires manual configuration of "Create a Google Doc" action in Glean UI after import.
Fallback: If markdown tables don't convert, try HTML table syntax; if that fails, use structured headers/paragraphs.
Design Notes
ITFA context - The IT Framework Agreement (ITFA) with the German Works Council requires detailed documentation for every new software tool procurement. This agent automates the research portion of that process.
Operator model - Run by Legal/IT/People review team (6-8 people), not by the requester. Keeps the user base small and feedback loops tight.
Coverage: 9 of 14 - Agent fully answers 6 questions, partially answers 3, and flags 5 for human input. "Better than what the requester typically provides" is the success bar.
Stateless research - Step 4 (web research) runs with NO_MEMORY to keep the context window clean for broad search. Steps 1-3 and 5-6 use ALL_DEPENDENCIES.
Confidence levels - Every agent-answered question includes High/Medium/Low confidence so reviewers know where to focus attention.
Omnia integration path - V1 outputs a Google Doc. Post-V1, the agent could trigger automatically from Omnia procurement workflows and populate form fields directly via API.
Owner: Matthew (Legal) / Charlie Fuller (builder). Tested against Cursor as the golden example vendor.