Legal · v0.1
GDPR Article 28 · Template effective: 11 July 2026 · Last updated: 11 July 2026
This Data Processing Agreement (“DPA”) is entered into between ComplyEdge (“Processor”) and the organization identified in the signature block below (“Customer”, “Controller”). It supplements the ComplyEdge Terms of Service and governs ComplyEdge’s processing of personal data on the Controller’s behalf through the hosted Service (api.complyedge.io, dashboard.complyedge.io, trust.complyedge.io, and related properties), as required by GDPR Article 28.
How to execute: Email legal@complyedge.io (or support@complyedge.io) with subject “DPA Request” and your organization details. ComplyEdge will return a countersigned copy. Until a signed DPA is in place, do not transmit personal data through the hosted Service where a DPA is legally required for your use case.
1.1 Subject matter. ComplyEdge processes personal data on behalf of the Controller solely to provide the hosted compliance Service — including policy evaluation via /v1/check and related APIs, audit logging, dashboard access, TrustLint-related hosted features where applicable, and support — as described in the Terms of Service, the Privacy Policy, and this DPA.
1.2 Duration. This DPA is effective from the date of last signature below and continues for as long as ComplyEdge processes personal data on behalf of the Controller, or until the underlying Terms of Service are terminated, whichever comes first.
2.1 Nature. Receiving content and metadata submitted by the Controller; evaluating that content against configured compliance rules (including OPA/Rego); returning allow/block decisions with citations; writing tamper-evident audit events; authenticating tenant users; delivering transactional notices.
2.2 Purpose. Providing runtime AI-compliance enforcement and evidence tooling instructed by the Controller.
2.3 Prompt/content minimization. In standard production audit logs, ComplyEdge stores a SHA-256 hash of evaluated text (text_hash), not the raw prompt/output, unless a separate written agreement states otherwise. Request metadata (timestamps, endpoint, jurisdiction/rules selection, latency, decision outcome, rule IDs, citations) may be retained as part of the audit trail.
2.4 Retention. Audit events default to 180 days retention (aligned with deployer log-keeping expectations under EU AI Act Art. 26(6) “at least six months,” unless configured otherwise under an eligible plan or written amendment).
The Controller may transmit the following categories through the Service:
text_hash in standard audit logs)The Controller agrees not to transmit special categories of personal data (GDPR Art. 9) through the Service without a separate amendment to this DPA and appropriate safeguards.
ComplyEdge agrees to:
5.1 Instructions only. Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country — unless required to do so by Union or Member State law; in such case, ComplyEdge will inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
5.2 Confidentiality. Ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.3 Security. Implement appropriate technical and organizational measures (GDPR Art. 32) to ensure a level of security appropriate to the risk, including:
5.4 Sub-processors. Not engage another processor (sub-processor) without prior specific or general written authorization of the Controller. Current authorized sub-processors are listed in §6. ComplyEdge will notify the Controller of intended material changes to sub-processors, giving the Controller the opportunity to object.
5.5 Data subject rights assistance. Assist the Controller in responding to requests from data subjects exercising their GDPR rights (access, rectification, erasure, restriction, portability, objection), to the extent feasible given the hash-first audit design and account metadata held for the tenant.
5.6 Deletion/return. At the choice of the Controller, delete or return personal data to the Controller after the end of the provision of services, and delete existing copies — unless required to retain data by applicable law or short-lived backup windows.
5.7 Audit assistance. Make available to the Controller information reasonably necessary to demonstrate compliance with GDPR Article 28, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to confidentiality, security, and reasonable scheduling. ComplyEdge may charge reasonable fees for audit assistance beyond standard documentation.
5.8 Breach notification. Notify the Controller without undue delay (and, where feasible, within 72 hours) after becoming aware of a personal data breach involving the Controller’s data. Notification will include the information specified in GDPR Art. 33(3) to the extent available at the time.
| Sub-processor | Country | Role |
|---|---|---|
| Amazon Web Services, Inc. (AWS) | United States (primary region: us-west-2) | Hosting, storage, compute |
| Brevo (Sendinblue SAS / affiliates) | EU / as operated by vendor | Transactional email (OTP / notices) |
| Stripe, Inc. (and affiliates) | United States / as operated by vendor | Payment processing for paid plans (when enabled) |
International transfer notice: Some sub-processors are US-based or process data outside the EEA. Where required, ComplyEdge relies on appropriate safeguards under GDPR Chapter V (including Standard Contractual Clauses, Commission Implementing Decision (EU) 2021/914) with those sub-processors. Copies of applicable SCCs may be provided to the Controller upon written request after counsel finalization of the executed pack.
The Controller agrees to:
For GDPR compliance interpretation, this DPA is governed by the laws of the Republic of Ireland as an EU reference jurisdiction. For all other purposes, governing law and venue follow the ComplyEdge Terms of Service / order form once the operator entity election is finalized in a published update after counsel review.
Signature:
Printed name:
Title:
Date:
Signature:
Printed name:
Title:
Date:
This is a template. The executed version governs. Consult qualified legal counsel before executing this agreement. Related: Terms of Service · Privacy Policy.