Version 1.0
Effective Date: 10 June 2026
GDPR Article 28 Compliant
This Data Processing Agreement ("DPA") is entered into between AI-Copliance ("Processor") and the Customer identified in the associated subscription agreement ("Controller"). It applies where AI-Copliance processes personal data on behalf of the Customer as part of delivering the Service.
01 Definitions
In this DPA, the following terms have the meanings set out below. Terms not defined here have the meanings given in the GDPR or the Terms of Service.
Controller — The Customer (the organization subscribing to the Service) who determines the purposes and means of processing personal data.
Processor — AI-Copliance, which processes personal data on the Controller's behalf.
Data Subject — Any identified or identifiable natural person whose personal data is processed under this DPA.
Personal Data — Any information relating to an identified or identifiable natural person, as defined by applicable data protection law.
Processing — Any operation performed on personal data including collection, storage, use, disclosure, or deletion.
GDPR — The EU General Data Protection Regulation (2016/679) and, where applicable, the UK GDPR as retained in UK law.
Sub-Processor — Any third party engaged by AI-Copliance to process personal data in connection with the Service.
Security Incident — A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
02 Scope & Relationship
This DPA applies to all personal data that AI-Copliance processes as a Processor on behalf of the Customer (Controller) in the course of providing the Service, as further described in Schedule A.
AI-Copliance will process personal data only:
To deliver the Service as described in the Terms of Service
In accordance with the Controller's documented instructions (including those embedded in the configuration of the Service)
As required by applicable law (in which case AI-Copliance will notify the Controller unless prohibited from doing so by law)
This DPA is published on the AI-Copliance website and applies automatically to all Customers upon acceptance of the Terms of Service. No separate signature or counter-signature is required.
For avoidance of doubt: personal data processed for account administration, billing, and customer support (where AI-Copliance determines the purpose) is processed under AI-Copliance's own Privacy Policy, not under this DPA.
03 Controller's Obligations
The Customer (Controller) is responsible for:
Ensuring it has a valid legal basis to transfer personal data to AI-Copliance for processing
Ensuring it has provided all required notices to and obtained all required consents from relevant data subjects
Ensuring that any personal data uploaded into the Service is limited to what is necessary for the compliance purpose (data minimisation principle)
Providing instructions to AI-Copliance in writing where processing beyond the default scope of the Service is required
Ensuring its use of AI-Copliance complies with applicable data protection law
04 AI-Copliance's Obligations as Processor
AI-Copliance agrees to:
Process only on instruction: Process personal data only in accordance with the Controller's documented instructions and the Terms of Service, unless required to do otherwise by applicable law.
Confidentiality: Ensure that all personnel authorized to process personal data are bound by confidentiality obligations.
Security: Implement and maintain the technical and organisational security measures described in Schedule C.
Sub-processors: Engage sub-processors only in accordance with Section 5.
Data subject rights assistance: Assist the Controller in fulfilling its obligation to respond to data subject requests in accordance with Section 7.
Breach notification: Notify the Controller of any Security Incident in accordance with Section 8.
Deletion/return: Delete or return personal data on request or on termination in accordance with Section 11.
Audit cooperation: Make available all information necessary to demonstrate compliance with this DPA and cooperate with audits in accordance with Section 10.
DPA compliance notification: Immediately inform the Controller if, in AI-Copliance's opinion, an instruction from the Controller infringes applicable data protection law.
05 Sub-Processors
The Controller grants AI-Copliance a general authorisation to engage the sub-processors listed in Schedule B. AI-Copliance will:
Impose data protection obligations equivalent to those in this DPA on all sub-processors by written agreement
Remain liable to the Controller for the acts or omissions of sub-processors to the same extent as if AI-Copliance performed the processing directly
Notify the Controller of any intended new sub-processor or material changes to existing sub-processors with at least 14 days' written notice
Allow the Controller to object to any new sub-processor within 14 days of notification. If the parties cannot resolve such objection, the Controller may terminate the Service with a pro-rata refund of prepaid fees for the unused subscription period
06 Security Measures
AI-Copliance implements the technical and organisational measures described in Schedule C, including but not limited to:
Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256)
Database Row Level Security (RLS) ensuring strict customer data isolation
Access controls limiting personnel access to personal data to those with a need to know
Regular security patching and vulnerability management
Incident response procedures including breach notification
AI-Copliance will review and update these measures periodically and promptly upon becoming aware of any material security risks.
07 Data Subject Rights
If AI-Copliance receives a request directly from a data subject relating to personal data processed under this DPA, AI-Copliance will:
Promptly forward the request to the Controller (within 5 business days of receipt)
Not respond to the data subject directly without the Controller's prior authorisation, except to acknowledge receipt
AI-Copliance will provide reasonable assistance to the Controller in fulfilling data subject requests (access, rectification, erasure, portability, restriction, objection), using available technical features of the Service. AI-Copliance may charge a reasonable fee for assistance that requires significant manual effort beyond standard platform capability.
08 Security Incident Notification
In the event AI-Copliance becomes aware of a Security Incident affecting personal data processed under this DPA, AI-Copliance will:
Notify the Controller without undue delay and no later than 72 hours after becoming aware of the Security Incident
Include in the notification: nature of the incident, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed to address the incident
Cooperate with the Controller and provide all reasonable assistance in investigating, containing, and remediating the incident
Not make any public disclosure regarding the incident without prior consultation with the Controller, unless required by law
Security incidents should be reported to: privacy@aicopliance.com
09 International Transfers
The sub-processors listed in Schedule B are located in the United States. Transfers of personal data from the EEA or UK to these sub-processors are made pursuant to:
Standard Contractual Clauses (SCCs) — Module 2 (Controller to Processor) as issued by the European Commission decision 2021/914, incorporated herein by reference
UK IDTA — The UK International Data Transfer Addendum to the EU SCCs, where the Controller is subject to UK GDPR
Where SCCs or IDTA apply, the following annexes are deemed completed: Annex I as per Schedule A of this DPA; Annex II as per Schedule C of this DPA.
10 Audit Rights
AI-Copliance will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. Upon the Controller's written request with at least 30 days' notice, AI-Copliance will permit and contribute to audits conducted by the Controller or a third-party auditor appointed by the Controller, provided that:
The audit is conducted during normal business hours and does not unreasonably disrupt operations
The auditor is bound by a confidentiality agreement before commencing
Audits are limited to once per 12-month period, unless an audit is necessitated by a Security Incident
Reasonable costs of the audit are borne by the Controller
AI-Copliance may fulfill the audit obligation by providing relevant third-party audit certifications or penetration test reports in lieu of direct audit access, where these adequately address the scope of the audit.
11 Deletion & Return of Data
Upon termination of the Service or upon written request by the Controller:
AI-Copliance will delete all personal data processed under this DPA within 30 days of the request or termination date
Prior to deletion, AI-Copliance will provide the Controller with a reasonable opportunity to export its Customer Data in a standard format (JSON, CSV, PDF)
AI-Copliance will provide written confirmation of deletion upon request
AI-Copliance may retain personal data for longer where required by applicable law (e.g., financial records), in which case AI-Copliance will notify the Controller of the retention period and the legal basis
12 Term & Termination
This DPA comes into force when both parties enter into the Terms of Service and remains in force for the duration of the subscription. It terminates automatically on expiry or termination of the subscription, subject to the survival of obligations regarding data deletion, confidentiality, and audit rights.
This DPA is governed by the same law as the Terms of Service and takes precedence over any conflicting provisions in the Terms of Service regarding data protection matters.
Schedule A Processing Details
Element | Detail
Subject matter | ISO 27001 compliance implementation services including risk assessment, policy generation, and audit preparation
Duration | Subscription term plus 90-day post-termination retention period
Nature of processing | Collection, storage, structuring, use (AI inference), and deletion of personal data
Purpose of processing | Providing the Service: building organizational context, generating compliance documents, and enabling audit readiness
Categories of personal data | Names and job titles of employees referenced in organizational profiles; contact details of system owners and responsible persons; names appearing in uploaded documents
Special category data | None anticipated; Customers are advised not to upload special category data into the Service
Categories of data subjects | Customer's employees, contractors, and any individuals referenced in the Customer's organizational and security documentation
Controller's contact | The email address and organization name provided at account registration
Schedule B Approved Sub-Processors
Sub-Processor | Purpose | Data Processed | Location
Supabase, Inc. | Database, authentication, file storage | All Customer Data and account personal data | USA (AWS us-east-1)
Vercel, Inc. | Application hosting | IP addresses, request metadata, logs | USA / Global CDN
Anthropic, PBC | AI model inference (Claude API) | Customer Data included in AI prompts | USA
Lemon Squeezy LLC | Payment processing (Merchant of Record) | Email address, billing information | USA
Zoho Corporation | Transactional email | Email address, email content | USA / EU
Schedule C Technical & Organisational Security Measures
AI-Copliance implements and maintains the following measures in accordance with Article 32 GDPR:
Pseudonymisation & Encryption
All data transmitted via TLS 1.2 or higher (HTTPS enforced)
All data at rest encrypted using AES-256 (via Supabase)
Passwords hashed using bcrypt (Supabase Auth)
Confidentiality
Row Level Security (RLS) enforced at the database layer — no cross-customer data access
All personnel with data access bound by confidentiality obligations
Minimum necessary access principle applied to system administration
Integrity & Availability
Supabase automated daily backups with point-in-time recovery
Vercel infrastructure provides 99.9%+ uptime via redundant global deployment
Database schema changes managed through version-controlled migrations
Resilience
Application deployed on Vercel's edge network for high availability
Supabase managed database with automated failover
Testing & Evaluation
Regular review of dependencies for known vulnerabilities
Periodic review of access controls and user permissions
[To be updated as formal penetration testing program is established]
Organisational Measures
Data breach response procedure in place with 72-hour notification target
Privacy by design principles applied in feature development
Subprocessor data processing agreements in place
Acceptance
This DPA is incorporated by reference into the AI-Copliance Terms of Service. By subscribing to and using the Service, the Customer agrees to be bound by this DPA without the need for a separate signature. The DPA takes effect on the date the Customer first accepts the Terms of Service.
This DPA is published at aicopliance.com/dpa and may be updated in accordance with the update provisions in Section 12. The version in effect at the time of the Customer's subscription renewal governs that renewal period.
If you have questions about this DPA or wish to discuss data processing arrangements, contact us at privacy@aicopliance.com.