ComplyEdge ComplyEdge
Home Enterprise Privacy Get Started

Legal · v0.1

Data Processing Agreement

GDPR Article 28 · Template effective: 11 July 2026 · Last updated: 11 July 2026

Draft for counsel review. This DPA is a ComplyEdge-adapted template (structure informed by public Horizon/IVD DPA patterns). Operator entity details, SCCs, and governing-law election may be updated after formal legal review (M1.6 review gate). This is not legal advice.

This Data Processing Agreement (“DPA”) is entered into between ComplyEdge (“Processor”) and the organization identified in the signature block below (“Customer”, “Controller”). It supplements the ComplyEdge Terms of Service and governs ComplyEdge’s processing of personal data on the Controller’s behalf through the hosted Service (api.complyedge.io, dashboard.complyedge.io, trust.complyedge.io, and related properties), as required by GDPR Article 28.

How to execute: Email legal@complyedge.io (or support@complyedge.io) with subject “DPA Request” and your organization details. ComplyEdge will return a countersigned copy. Until a signed DPA is in place, do not transmit personal data through the hosted Service where a DPA is legally required for your use case.

Parties

Controller (Customer)

  • Organization name: _______________________________________________
  • Address: _______________________________________________
  • Contact name: _______________________________________________
  • Email: _______________________________________________

Processor (ComplyEdge)

  • ComplyEdge, operating complyedge.io and related domains
  • Email: legal@complyedge.io · privacy@complyedge.io

1. Subject matter and duration

1.1 Subject matter. ComplyEdge processes personal data on behalf of the Controller solely to provide the hosted compliance Service — including policy evaluation via /v1/check and related APIs, audit logging, dashboard access, TrustLint-related hosted features where applicable, and support — as described in the Terms of Service, the Privacy Policy, and this DPA.

1.2 Duration. This DPA is effective from the date of last signature below and continues for as long as ComplyEdge processes personal data on behalf of the Controller, or until the underlying Terms of Service are terminated, whichever comes first.

2. Nature and purpose of processing

2.1 Nature. Receiving content and metadata submitted by the Controller; evaluating that content against configured compliance rules (including OPA/Rego); returning allow/block decisions with citations; writing tamper-evident audit events; authenticating tenant users; delivering transactional notices.

2.2 Purpose. Providing runtime AI-compliance enforcement and evidence tooling instructed by the Controller.

2.3 Prompt/content minimization. In standard production audit logs, ComplyEdge stores a SHA-256 hash of evaluated text (text_hash), not the raw prompt/output, unless a separate written agreement states otherwise. Request metadata (timestamps, endpoint, jurisdiction/rules selection, latency, decision outcome, rule IDs, citations) may be retained as part of the audit trail.

2.4 Retention. Audit events default to 180 days retention (aligned with deployer log-keeping expectations under EU AI Act Art. 26(6) “at least six months,” unless configured otherwise under an eligible plan or written amendment).

3. Types of personal data

The Controller may transmit the following categories through the Service:

  • Account and authentication data (email, OTP-related metadata, tenant identifiers)
  • Content submitted for evaluation that may contain or reference personal data of the Controller’s end users (processed transiently for evaluation; persisted primarily as text_hash in standard audit logs)
  • API usage and audit metadata as described above
  • Billing/contact details for paid plans (payment instruments handled by the payment sub-processor)

The Controller agrees not to transmit special categories of personal data (GDPR Art. 9) through the Service without a separate amendment to this DPA and appropriate safeguards.

4. Categories of data subjects

  • Authorized users of the Controller’s ComplyEdge tenant (employees/contractors)
  • End users of the Controller’s AI systems whose content is submitted for evaluation

5. Processor obligations (ComplyEdge)

ComplyEdge agrees to:

5.1 Instructions only. Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country — unless required to do so by Union or Member State law; in such case, ComplyEdge will inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

5.2 Confidentiality. Ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.3 Security. Implement appropriate technical and organizational measures (GDPR Art. 32) to ensure a level of security appropriate to the risk, including:

  • Encryption of personal data in transit (HTTPS/TLS)
  • Tenant isolation by API key / tenant identifier
  • Minimization of retained content (hash-first audit design in standard production)
  • Access controls and secret management for production systems
  • Regular assessment of security measures

5.4 Sub-processors. Not engage another processor (sub-processor) without prior specific or general written authorization of the Controller. Current authorized sub-processors are listed in §6. ComplyEdge will notify the Controller of intended material changes to sub-processors, giving the Controller the opportunity to object.

5.5 Data subject rights assistance. Assist the Controller in responding to requests from data subjects exercising their GDPR rights (access, rectification, erasure, restriction, portability, objection), to the extent feasible given the hash-first audit design and account metadata held for the tenant.

5.6 Deletion/return. At the choice of the Controller, delete or return personal data to the Controller after the end of the provision of services, and delete existing copies — unless required to retain data by applicable law or short-lived backup windows.

5.7 Audit assistance. Make available to the Controller information reasonably necessary to demonstrate compliance with GDPR Article 28, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to confidentiality, security, and reasonable scheduling. ComplyEdge may charge reasonable fees for audit assistance beyond standard documentation.

5.8 Breach notification. Notify the Controller without undue delay (and, where feasible, within 72 hours) after becoming aware of a personal data breach involving the Controller’s data. Notification will include the information specified in GDPR Art. 33(3) to the extent available at the time.

6. Authorized sub-processors

Sub-processor Country Role
Amazon Web Services, Inc. (AWS) United States (primary region: us-west-2) Hosting, storage, compute
Brevo (Sendinblue SAS / affiliates) EU / as operated by vendor Transactional email (OTP / notices)
Stripe, Inc. (and affiliates) United States / as operated by vendor Payment processing for paid plans (when enabled)

International transfer notice: Some sub-processors are US-based or process data outside the EEA. Where required, ComplyEdge relies on appropriate safeguards under GDPR Chapter V (including Standard Contractual Clauses, Commission Implementing Decision (EU) 2021/914) with those sub-processors. Copies of applicable SCCs may be provided to the Controller upon written request after counsel finalization of the executed pack.

7. Controller obligations

The Controller agrees to:

  • Process personal data only in accordance with applicable law, including ensuring a valid legal basis under GDPR Art. 6 (and Art. 9 for special category data) exists for all processing instructed to ComplyEdge.
  • Ensure that personal data transmitted to ComplyEdge has been collected lawfully and that data subjects have received appropriate privacy notices (GDPR Art. 13/14) disclosing ComplyEdge processing where required.
  • Not transmit special categories of personal data (GDPR Art. 9) without a separate written amendment and appropriate safeguards.
  • Configure integrations, API keys, and content submissions so that only data necessary for the instructed purpose is sent.

8. Governing law

For GDPR compliance interpretation, this DPA is governed by the laws of the Republic of Ireland as an EU reference jurisdiction. For all other purposes, governing law and venue follow the ComplyEdge Terms of Service / order form once the operator entity election is finalized in a published update after counsel review.

9. Signatures

Controller (Customer)

Signature:

Printed name:

Title:

Date:

Processor (ComplyEdge)

Signature:

Printed name:

Title:

Date:

This is a template. The executed version governs. Consult qualified legal counsel before executing this agreement. Related: Terms of Service · Privacy Policy.

ComplyEdge ComplyEdge
GitHub Blog Terms Privacy DPA SaaS Contact

Disclaimer: ComplyEdge provides compliance tooling, not legal advice. Always consult legal counsel for specific regulatory requirements.