Data Processing Agreement
This DPA forms part of the agreement between you and ComplianceOS, pursuant to Article 28 of the General Data Protection Regulation (GDPR). It governs how we process personal data on your behalf.
Overview
This Data Processing Agreement ("DPA") is entered into between the entity agreeing to the ComplianceOS Terms of Service ("Controller", "you") and ComplianceOS ("Processor", "we", "us"). This DPA applies to the extent that we process Personal Data on your behalf in the course of providing the ComplianceOS platform.
This DPA is incorporated into and forms part of the Terms of Service. In the event of a conflict between this DPA and the Terms, this DPA shall prevail with respect to data processing matters.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
"Processing" means any operation performed on Personal Data, as defined in Article 4(2) GDPR.
"Controller" means the entity that determines the purposes and means of Processing Personal Data (you, the customer).
"Processor" means the entity that processes Personal Data on behalf of the Controller (ComplianceOS).
"Sub-Processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
"SCCs" means the Standard Contractual Clauses approved by the European Commission for international data transfers.
2. Scope & Roles
You act as the Controller and ComplianceOS acts as the Processor for the following categories of data processing:
| Category | Details |
|---|---|
| Data Subjects | Your employees, contractors, and end-users whose data is described in AI system registrations |
| Categories of Personal Data | Names, email addresses, job titles, AI system descriptions that may reference individuals, deployment context information |
| Purpose of Processing | Providing the ComplianceOS platform: AI system registration, risk classification, compliance assessment, document generation, and related services |
| Duration | For the term of the agreement plus any legally required retention period |
| Nature of Processing | Collection, storage, analysis, generation of compliance documentation, transmission to AI providers for processing |
3. Processor Obligations
ComplianceOS shall:
- Process Personal Data only on your documented instructions, unless required by EU or Member State law
- Ensure that persons authorised to process Personal Data have committed themselves to confidentiality
- Implement appropriate technical and organisational measures to ensure security of processing (Article 32 GDPR)
- Not engage another processor (sub-processor) without your prior written authorisation, which may be specific or general (see Section 5 for the general authorisation and objection procedure)
- Assist you in responding to requests from Data Subjects exercising their rights under GDPR
- Assist you in ensuring compliance with obligations under Articles 32 to 36 GDPR (security of processing, breach notification, data protection impact assessments, prior consultation)
- At your choice, delete or return all Personal Data upon termination of the service
- Make available all information necessary to demonstrate compliance with Article 28 GDPR and allow for audits
4. Security Measures
We implement and maintain the following technical and organisational measures:
| Measure | Details |
|---|---|
| Encryption | Data encrypted in transit (TLS 1.2 or higher) and at rest (AES-256) |
| Access Control | Role-based access control, multi-factor authentication, principle of least privilege |
| Infrastructure | Hosted on Supabase (AWS infrastructure) with automated backups and disaster recovery |
| Monitoring | Continuous security monitoring, automated vulnerability scanning, intrusion detection |
| Incident Response | Documented incident response procedures with defined escalation paths |
| Employee Security | Confidentiality agreements, security awareness training, background checks where applicable |
| Data Isolation | Logical tenant isolation enforced by Row Level Security (RLS) policies at the database level |
| Audit Logging | Comprehensive audit trail of all data access and modifications |
5. Sub-Processors
You provide general authorisation for us to engage sub-processors. We maintain a current list of sub-processors at /sub-processors.
We will notify you of any intended changes to sub-processors at least 30 days in advance, giving you the opportunity to object. If you object on reasonable grounds related to data protection, we will work with you to find an alternative solution. If no resolution is possible, you may terminate the affected services.
We impose data protection obligations on each sub-processor equivalent to those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures.
6. International Data Transfers
Some of our sub-processors are located outside the European Economic Area (EEA). For such transfers, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914)
- Adequacy decisions by the European Commission, where applicable
- Supplementary measures including encryption, pseudonymisation, and access controls
Details of transfer mechanisms for each sub-processor are listed on our Sub-Processors page.
7. Data Subject Rights
We will assist you in fulfilling your obligations to respond to Data Subject requests under GDPR Articles 15-22. This includes requests for access, rectification, erasure, restriction of processing, data portability, and objection. We will promptly notify you if we receive any request directly from a Data Subject, and will not respond to such requests without your authorisation unless legally required to do so.
8. Personal Data Breach Notification
In the event of a personal data breach (as defined in Article 4(12) GDPR), we will:
- Notify you without undue delay and in any event within 48 hours of becoming aware of the breach
- Provide sufficient information for you to meet your own obligations under Articles 33 and 34 GDPR
- Cooperate with you and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach
- Document the breach, including its effects and the remedial action taken
9. Audit Rights
We will make available to you all information necessary to demonstrate compliance with Article 28 GDPR. We will allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you. Audit requests must be made with reasonable notice (at least 30 days). We may charge reasonable fees for audits beyond one per 12-month period. Where possible, we will provide relevant certifications, audit reports, or other documentation as an alternative to on-site audits.
10. Data Deletion & Return
Upon termination of the service or upon your request, we will, at your choice, delete or return all Personal Data processed on your behalf, and delete existing copies unless EU or Member State law requires retention. You may export your data at any time through the platform. After account deletion, we will purge all Personal Data within 30 days, except where retention is required by applicable law (e.g., invoicing records required for tax purposes).
11. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, except that neither party's liability for breaches of data protection obligations shall be limited where such limitation is not permitted by applicable law.
12. Term & Termination
This DPA commences when you agree to the Terms of Service and remains in effect for as long as we process Personal Data on your behalf. The obligations imposed on the Processor under this DPA shall survive any termination or expiration of the agreement to the extent necessary to fulfil the purposes of processing and comply with applicable law.
Contact
For DPA-related enquiries, requests for a countersigned copy, or to exercise your rights under this agreement: