Data Processing Agreement
Article 28 GDPR processor terms between Customer (Controller) and Complycheck (Processor). Use your browser's Print → Save as PDF to download a copy until a signed PDF is published.
Last updated: TODO: publication date.
1. Parties and scope
This Data Processing Agreement (“DPA”) forms part of the Complycheck Terms of Service (the “Agreement”) between the customer organisation (“Controller”) and Complycheck (“Processor”). It applies whenever Processor processes Personal Data on Controller's behalf in the course of providing the service.
Terms not defined here have the meaning given in the GDPR.
2. Subject matter and duration
Processor processes Personal Data on Controller's behalf for the duration of the Agreement and any post-termination period described in Section 9.
3. Nature and purpose of processing
Processor processes Personal Data to provide the Complycheck platform — including tenant-isolated storage, user management, audit logging, and the integrations Controller configures. Processor does not use Personal Data for any other purpose, does not sell it, and does not use it to train machine-learning models without Controller's documented authorisation.
4. Categories of data subjects and personal data
See Annex I at the end of this document.
5. Obligations of the Processor
- Process Personal Data only on documented instructions from Controller, including with regard to transfers, unless required to do so by EU or Member State law.
- Ensure personnel authorised to process Personal Data have committed themselves to confidentiality.
- Implement the technical and organisational measures set out in Annex II to ensure a level of security appropriate to the risk.
- Engage sub-processors only under the conditions set out in Section 6.
- Assist Controller, taking into account the nature of the processing, in responding to data-subject requests and in meeting its obligations under Articles 32 to 36 GDPR (security of processing, breach notification, and data protection impact assessments).
- Notify Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach, so that Controller can meet its own 72-hour deadline for notifying the supervisory authority under Article 33 GDPR.
- Make available to Controller all information necessary to demonstrate compliance with this DPA, and allow audits as described in Section 8.
6. Sub-processors
Controller authorises Processor to engage sub-processors listed at TODO: link to sub-processor list page. Processor will notify Controller of any intended addition or replacement of a sub-processor at least TODO: e.g. 30 days in advance. Controller may object in writing on reasonable grounds; if the objection cannot be resolved, Controller may terminate the Agreement without penalty.
Processor remains fully liable for the performance of its sub-processors.
7. International data transfers
Where Processor or a sub-processor transfers Personal Data outside the European Economic Area, the parties rely on either an adequacy decision or the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), in the appropriate module(s), incorporated into this DPA by reference. Supplementary measures (encryption in transit and at rest, access controls, and obligations to challenge government access requests and, where lawful, disclose them to Controller) are described in Annex II.
8. Audits
Processor will make available to Controller on reasonable request:
- The most recent third-party assessment reports (e.g. SOC 2 Type II, ISO 27001 Statement of Applicability) once available.
- Responses to a standard security questionnaire.
- Subject to confidentiality and not more than once per twelve months (unless required by a supervisory authority), an on-site or remote audit by Controller or a mutually agreed independent auditor, at Controller's expense and at reasonable times.
9. Return and deletion
On termination of the Agreement, Controller may export Customer Data through the platform. Processor will delete or return all Personal Data within TODO: e.g. 30 days of termination, save where retention is required by EU or Member State law. Tenant deletion follows the 30-day grace window described in the Terms of Service.
10. Liability
Each party's liability under this DPA is subject to the limitations set out in the Agreement, except where applicable data-protection law provides otherwise.
Annex I — Processing details
| Item | Detail |
|---|---|
| Categories of data subjects | Controller's employees, contractors, customers, and any other natural persons whose data Controller chooses to process in the platform. |
| Categories of Personal Data | Identification and contact data; employment data; authentication metadata; any other data Controller uploads as evidence or configuration. |
| Special categories | TODO: usually “none”, list if Controller's use case includes them. |
| Frequency of processing | Continuous for the duration of the Agreement. |
| Nature of processing | Storage, organisation, structuring, retrieval, consultation, use, disclosure, restriction, erasure, destruction. |
| Purpose | Providing the Complycheck platform to Controller. |
| Duration | For the term of the Agreement plus the deletion period in Section 9. |
Annex II — Technical and organisational measures
A condensed summary of the measures Complycheck implements. The full description is published on our security page and updated as the platform evolves.
- Tenant isolation. PostgreSQL Row-Level Security ENABLED and FORCED (so policies also bind the table owner, not only ordinary roles) on every tenant-scoped table; three separate database roles (application, admin, migration) with distinct privileges; tenant context set per transaction so it cannot leak across pooled connections.
- Encryption. TLS 1.2+ in transit (1.3 preferred); encryption at rest at the storage layer. Per-tenant keys to support cryptographic deletion are on the roadmap and not yet in place.
- Identity and access. Argon2id password hashes, breached-password screening, EdDSA-signed access tokens, single-use rotating refresh tokens, device-fingerprint OTP challenge on unseen devices/IPs.
- Audit logging. Append-only audit log for privileged operations; tenant-scoped auth event log surfaced to users.
- Edge controls. Cloudflare WAF (OWASP CRS), rate limits on authentication endpoints, HSTS preload, DNSSEC.
- Operational security. Secrets in a managed secrets store, scheduled key rotation, separation of duties between SuperAdmin and tenant administration, incident response procedure with 72-hour notification.
- Personnel. Confidentiality undertakings, role-based access on a least-privilege basis, security training.
- Backup and recovery. Encrypted backups with tested restore procedures.
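How the tenant-isolation measure in Annex II fits together in PostgreSQL, as an added illustration for the reader rather than Complycheck's own schema: the table, role, policy and setting names (`documents`, `app_user`, `app_admin`, `migrator`, `app.tenant_id`) are assumed.

```sql
-- Added illustration of the Annex II tenant-isolation pattern.
-- Not Complycheck's schema: table, role and setting names are assumed.

-- Three roles with distinct privileges (names assumed; login roles omitted).
CREATE ROLE app_user;    -- runtime application role: DML only, always subject to RLS
CREATE ROLE app_admin;   -- operator role for support tasks, never used by the app
CREATE ROLE migrator;    -- schema owner / migration role

CREATE TABLE documents (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    body       text NOT NULL
);
ALTER TABLE documents OWNER TO migrator;

-- ENABLE applies policies to ordinary roles; FORCE also applies them to the
-- table owner (migrator), so a migration bug cannot read across tenants.
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- The policy reads the tenant from a custom setting. NULLIF covers the unset
-- case: a missing or reset setting yields NULL/'' and the comparison then
-- matches no rows instead of all rows.
CREATE POLICY tenant_isolation ON documents
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_user;
GRANT USAGE, SELECT ON SEQUENCE documents_id_seq TO app_user;
-- The admin role can bypass RLS for break-glass work; keep it off app connections.
ALTER ROLE app_admin BYPASSRLS;

-- One application request: the third argument TRUE makes the setting
-- transaction-local, so it is discarded at COMMIT/ROLLBACK and cannot bleed
-- into the next request that reuses a pooled connection.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.tenant_id', '11111111-1111-1111-1111-111111111111', true);
INSERT INTO documents (tenant_id, body)
    VALUES ('11111111-1111-1111-1111-111111111111', 'tenant A evidence');
-- Writing a row for a different tenant is rejected by WITH CHECK:
-- INSERT INTO documents (tenant_id, body)
--     VALUES ('22222222-2222-2222-2222-222222222222', 'x');
-- ERROR: new row violates row-level security policy for table "documents"
SELECT id, body FROM documents;   -- only tenant A's rows
COMMIT;

-- After COMMIT the tenant context is gone: the same role sees nothing.
SET ROLE app_user;
SELECT count(*) FROM documents;   -- 0
RESET ROLE;
```

Two caveats a practitioner should keep in mind. Setting a custom GUC needs no privilege, so the isolation only holds if the tenant id is written by trusted request middleware and the application role never executes attacker-controlled SQL; RLS here is defence in depth behind parameterised queries, not a substitute for them. And with a transaction-pooling proxy, `SET LOCAL` plus `set_config(..., true)` is the only safe form; a session-level `SET` would follow the connection to whichever tenant borrows it next.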