Data Processing Agreement

Template for enterprise customers requiring a formal DPA

DATA PROCESSING AGREEMENT

Between:

Data Controller: The Customer ("Controller")
Data Processor: [LEGAL ENTITY NAME TO COMPLETE], trading as ComplianceIQ ("Processor")

1. SCOPE AND PURPOSE

1.1 This Data Processing Agreement ("DPA") forms part of the Terms of Service between the Controller and the Processor.

1.2 The Processor processes personal data on behalf of the Controller for the purpose of providing AI-powered compliance assistance services, including:
- Processing uploaded documents (compliance documents, contracts, policies, and other business documents)
- Processing chat conversations and compliance queries
- Processing compliance audit results and generated documents
- Processing account and billing information

2. DATA PROCESSED

2.1 Categories of data subjects: Controller's employees, clients, customers, and other individuals referenced in uploaded documents.

2.2 Types of personal data: Names, addresses, contact details, financial information, employment details, and any other personal data contained within documents uploaded to the service.

2.3 Special category data: The Processor does not intentionally process special category data. If such data is contained within uploaded documents, the Controller is responsible for ensuring a lawful basis exists.

3. PROCESSOR OBLIGATIONS

3.1 The Processor shall:
(a) Process personal data only on documented instructions from the Controller
(b) Ensure persons authorised to process personal data are under appropriate obligations of confidentiality
(c) Take all measures required under Article 32 of UK GDPR (security of processing)
(d) Not engage another processor without prior written authorisation of the Controller
(e) Assist the Controller in responding to data subject rights requests
(f) Delete or return all personal data upon termination, at the Controller's choice
(g) Make available all information necessary to demonstrate compliance

4. SUB-PROCESSORS

4.1 The Controller provides general authorisation for the Processor to engage the following sub-processors:

| Sub-Processor | Purpose | Data Processed | Location | DPA |
|--------------|---------|----------------|----------|-----|
| Supabase | Database, storage, auth | All customer data | UK (London, eu-west-2) | https://supabase.com/legal/dpa |
| Vercel | Application hosting | Request data | EU/UK edge | https://vercel.com/legal/dpa |
| OpenAI | Text embeddings | Document text chunks | US | https://openai.com/policies/data-processing-addendum/ |
| Anthropic | AI response generation | Questions + context | US | https://www.anthropic.com/legal/data-processing-addendum |
| Stripe | Payment processing | Payment data | US | https://stripe.com/legal/dpa |
| Resend | Email delivery | Email addresses, content | US | https://resend.com/legal |
| Upstash | Rate limiting | IP addresses, user IDs | EU | Signed |

4.2 The Processor shall inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object.

5. DATA RESIDENCY & STORAGE LOCATIONS

5.1 Primary Database: Supabase (AWS eu-west-2, London, UK)

5.2 File Storage: Supabase Storage (AWS eu-west-2, London, UK)

5.3 Application Hosting: Vercel (Edge network, EU endpoints)

5.4 AI Processing:
(a) Anthropic Claude API – requests processed in Anthropic's US infrastructure. No customer data is stored or used for training.
(b) OpenAI Embeddings API – text embeddings generated via OpenAI's API. No customer data is stored or used for training.
(c) AWS Bedrock (failover only) – eu-west-2 region (London, UK). Data does not leave that region.

5.5 International Transfers: Customer data is stored in the UK (AWS eu-west-2). AI processing requests are sent to Anthropic (US) and OpenAI (US) under Standard Contractual Clauses (SCCs) and their respective DPAs. No customer data is retained by these processors beyond the duration of the API call.

5.6 Sub-Processor Register:

| Sub-Processor | Purpose | Location | DPA |
|--------------|---------|----------|-----|
| Supabase (AWS) | Database & file storage | eu-west-2, London | https://supabase.com/legal/dpa |
| Anthropic | AI compliance reasoning | US | https://www.anthropic.com/policies/data-processing-addendum |
| OpenAI | Text embeddings | US | https://openai.com/policies/data-processing-addendum |
| AWS Bedrock | AI failover | eu-west-2, London | https://aws.amazon.com/compliance/data-privacy/ |
| Vercel | Application hosting | EU edge | https://vercel.com/legal/dpa |
| Stripe | Payment processing | US/EU | https://stripe.com/legal/dpa |
| Resend | Transactional email | US | https://resend.com/legal/dpa |

6. SECURITY MEASURES

6.1 The Processor implements the following security measures:
(a) Encryption in transit (TLS 1.2+)
(b) Encryption at rest (Supabase managed encryption)
(c) Row-Level Security (RLS) policies enforced at the database layer to isolate each tenant's data
(d) No cross-tenant data access
(e) Access controls and authentication
(f) Regular security reviews

7. DATA BREACH NOTIFICATION

7.1 The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach.

7.2 The notification shall include:
(a) Description of the nature of the breach
(b) Categories and approximate number of data subjects affected
(c) Likely consequences of the breach
(d) Measures taken or proposed to address the breach

8. DATA SUBJECT RIGHTS

8.1 The Processor shall assist the Controller in fulfilling its obligations to respond to data subject rights requests, including:
(a) Right of access (Article 15)
(b) Right to rectification (Article 16)
(c) Right to erasure (Article 17)
(d) Right to restriction (Article 18)
(e) Right to data portability (Article 20)

9. INTERNATIONAL TRANSFERS

9.1 Personal data may be transferred to countries outside the UK where sub-processors are located.

9.2 The Processor ensures appropriate safeguards are in place for such transfers, including Standard Contractual Clauses where required.

10. AUDIT RIGHTS

10.1 The Controller may request evidence of the Processor's compliance with this DPA.

10.2 The Processor shall make available all information necessary to demonstrate compliance and allow for audits, including inspections, by the Controller or an auditor mandated by the Controller.

11. TERM AND TERMINATION

11.1 This DPA shall remain in effect for the duration of the service agreement.

11.2 Upon termination, the Processor shall delete all personal data within 30 days, unless retention is required by law.

12. GOVERNING LAW

12.1 This DPA is governed by the laws of England and Wales.

[LEGAL ENTITY NAME TO COMPLETE]
[REGISTERED ADDRESS TO COMPLETE]
[DATE TO COMPLETE]

This is a template. Please review with your legal team before signing. Contact [SUPPORT EMAIL TO COMPLETE] for queries.