Data Processing Agreement
Last Updated: April 24, 2026 · Version 1.0
Introduction
This Data Processing Agreement ('DPA') forms an integral part of the Terms of Service between Pavel Buyeu, Individual Entrepreneur registered in Georgia, trading as Complyance ('Processor', 'we', 'us') and the customer identified in the applicable subscription or account ('Controller', 'you').
This DPA sets out the terms under which the Processor processes Personal Data on behalf of the Controller in connection with the Complyance AI compliance management platform ('Service') and complies with Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679, 'GDPR') and, where applicable, the UK GDPR and the Swiss Federal Act on Data Protection.
By creating an account or using the Service, the Controller accepts the terms of this DPA. No separate signature is required; however, a signed counterpart is available to any customer upon written request to privacy@complyance.app.
1. Definitions
Capitalised terms used in this DPA have the meanings given in the GDPR. In particular: 'Personal Data', 'Processing', 'Data Subject', 'Supervisory Authority', 'Controller', and 'Processor' carry their GDPR meanings. 'Customer Data' means Personal Data that the Controller or its authorised users submit to the Service. 'Sub-Processor' means any third party engaged by the Processor to process Customer Data on its behalf.
2. Roles of the Parties
The parties acknowledge that, for the purposes of processing Customer Data in connection with the Service, the Controller is the Data Controller and the Processor acts as the Data Processor within the meaning of Article 28 GDPR.
Where the Controller is itself a processor acting on behalf of a third-party controller, the Processor acts as a sub-processor. In such cases the Controller warrants that it has obtained all necessary authorisations from the ultimate controller for the Processor's engagement and for the onward transfers contemplated by this DPA.
3. Subject Matter, Duration, Nature and Purpose
Subject matter: Processing of Personal Data submitted to the Complyance platform by the Controller for the purpose of AI compliance management, including classification of AI systems, gap analysis, compliance-document generation, vendor risk assessment, and evidence storage.
Duration: For as long as the Controller maintains an active subscription to the Service, plus any retention periods set out in our Privacy Policy.
Nature of processing: Collection, storage, organisation, structuring, use, consultation, disclosure to Sub-Processors, restriction, erasure, and destruction of Customer Data as necessary to provide the Service.
Purpose: To enable the Controller to assess, document, and demonstrate compliance with the EU AI Act, GDPR, and other regulations addressed by the Service.
Categories of Personal Data: Account identifiers (email, name), company data, AI-system descriptions and technical metadata, uploaded documentation (which may include personal data selected by the Controller), IP addresses, and usage telemetry.
Categories of Data Subjects: The Controller's personnel (account holders), and any individuals identifiable in documentation or AI-system descriptions that the Controller chooses to upload.
4. Instructions of the Controller
The Processor shall process Customer Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law applicable to the Processor.
The Controller's instructions are set out in: (a) the Terms of Service; (b) this DPA; (c) the configuration options made available within the Service; and (d) any additional written instructions agreed between the parties. The Processor shall inform the Controller without undue delay if, in its opinion, an instruction infringes the GDPR or other applicable data-protection law.
5. Confidentiality
The Processor shall ensure that persons authorised to process Customer Data (including employees and contractors) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that access to Customer Data is limited to personnel who require such access to perform their duties.
6. Sub-Processors and Data Locations
EU Data Residency Commitment: all primary data processing, including application hosting, database storage, and file storage, occurs within the European Union. Sub-processors handling Customer Data at rest are located in Amsterdam (Netherlands), Frankfurt (Germany), or other EU jurisdictions unless explicitly noted below.
The Controller hereby grants the Processor general authorisation to engage the Sub-Processors listed in the Privacy Policy at complyance.app/privacy, as updated from time to time. The current list identifies each Sub-Processor's name, processing purpose, location, and legal basis, and forms an integral part of this DPA.
TraceHawk, referenced in the Sub-Processor list, is a sister product operated by the same legal entity (Pavel Buyeu, Individual Entrepreneur, Georgia). Data shared with it is therefore an internal transfer within the Processor's own legal entity, not a third-party sub-processor transfer.
The Processor shall inform the Controller of any intended changes to the list of Sub-Processors by updating the Privacy Policy and, where the change is material, by email notification at least 30 days before the change takes effect. The Controller may object to the engagement of a new Sub-Processor on reasonable data-protection grounds by notifying the Processor in writing within 15 days of the notification; failing a commercially reasonable resolution, either party may terminate the affected portion of the Service.
The Processor shall ensure that each Sub-Processor is bound by written obligations no less protective than those imposed on the Processor under this DPA, and shall remain fully liable to the Controller for the performance of each Sub-Processor's obligations.
7. International Transfers
Customer Data at rest is stored exclusively within the European Economic Area. Limited transfers outside the EEA occur only to: (a) OpenRouter and Anthropic in the United States, for AI inference, governed by Standard Contractual Clauses; (b) Google LLC in the United States, for OAuth sign-in identity, governed by Google's Standard Contractual Clauses; and (c) Paddle.com Market Limited in the United Kingdom, for payment processing, covered by the UK GDPR adequacy decision.
The parties adopt the Standard Contractual Clauses issued by the European Commission under Commission Implementing Decision (EU) 2021/914 of 4 June 2021 for any transfer of Customer Data to a country not benefiting from an adequacy decision, including the appropriate modules for Controller-to-Processor and Processor-to-Sub-Processor transfers. The Processor shall perform transfer-impact assessments and apply supplementary measures where required.
8. Technical and Organisational Measures
The Processor shall implement and maintain appropriate technical and organisational measures ('TOMs') to ensure a level of security appropriate to the risk, as required by Article 32 GDPR. Current measures include:
- Encryption of Customer Data at rest (AES-256) and in transit (TLS 1.3)
- Role-based access control, least-privilege principle, and multi-factor authentication for all administrative access
- Private networking between application, database, and storage components inside the Railway EU West environment
- Encrypted backups retained for up to 90 days with documented disaster-recovery procedures
- Centralised security logging, 24/7 automated threat detection, and error monitoring via Sentry (EU data plane)
- Regular dependency vulnerability scanning and timely patching of critical CVEs
- Confidentiality commitments for all personnel with access to Customer Data and periodic data-protection training
- Annual review of TOMs and update in line with evolving threats and regulatory guidance
9. Assistance with Data-Subject Rights
Taking into account the nature of the Processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as possible, in the fulfilment of the Controller's obligations to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, and objection). Data-subject requests received directly by the Processor that identify the Controller will be forwarded to the Controller without undue delay and without substantive response.
10. Assistance with Controller Obligations
The Processor shall assist the Controller in ensuring compliance with its obligations under Articles 32 to 36 GDPR, including security of processing, notification of personal-data breaches, communication of a personal-data breach to Data Subjects, data-protection impact assessments, and prior consultation with Supervisory Authorities, taking into account the nature of Processing and the information available to the Processor.
11. Personal-Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of any confirmed Personal-Data Breach affecting Customer Data.
The notification shall include, to the extent known at the time: the nature of the breach; the categories and approximate number of Data Subjects and records concerned; the likely consequences; the measures taken or proposed to address the breach; and the contact point for further information. Where not all information is available within the initial notification, the Processor shall provide further information in phases without undue delay.
12. Audits and Inspections
The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller.
The Controller may request an audit no more than once per calendar year (except where mandated by a Supervisory Authority or following a confirmed Personal-Data Breach). Audits shall be conducted during business hours, with at least 30 days' prior written notice, in a manner that does not unreasonably interfere with the Processor's business operations. Where available, third-party security certifications, penetration-test reports, and ISO or SOC attestations will be provided in lieu of an on-site audit.
13. Return or Deletion of Customer Data
Upon termination of the Service or earlier on written request of the Controller, the Processor shall, at the choice of the Controller, delete or return all Customer Data to the Controller, and delete existing copies unless Union or Member State law requires storage of the Personal Data.
Self-service export of Customer Data in machine-readable format is available at all times through the Service. Following account termination, production Customer Data is deleted within 30 days and backup copies within 90 days, except where retention is required by law (e.g., financial records retained for 7 years under the Law of Georgia on Accounting, Reporting and Auditing).
14. Liability
The liability of each party under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA excludes or limits either party's liability where such exclusion or limitation is prohibited by the GDPR or other mandatory applicable law, including liability for administrative fines under Article 83 GDPR and claims from Data Subjects under Article 82 GDPR.
15. Governing Law and Miscellaneous
This DPA is governed by the laws of Georgia (the country), without prejudice to mandatory provisions of EU or Member State data-protection law. Disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the Tbilisi City Court, Georgia, except where Regulation (EU) 1215/2012 (Brussels I Recast) grants EU consumers the right to bring proceedings before the courts of their country of residence.
If any provision of this DPA is held invalid or unenforceable, the remaining provisions shall remain in full force and effect. In the event of any conflict between this DPA and the Terms of Service or Privacy Policy, this DPA prevails with respect to the Processing of Customer Data.
To request a signed counterpart of this DPA for your records, or to exercise any right set out above, contact privacy@complyance.app.
Contact
Email: privacy@complyance.app
Website: complyance.app