Template for enterprise customers requiring a formal DPA
DATA PROCESSING AGREEMENT
Between:
Data Controller: The Customer ("Controller")
Data Processor: [LEGAL ENTITY NAME TO COMPLETE], trading as ComplianceIQ ("Processor")
1. SCOPE AND PURPOSE
1.1 This Data Processing Agreement ("DPA") forms part of the Terms of Service between the Controller and the Processor.
1.2 The Processor processes personal data on behalf of the Controller for the purpose of providing AI-powered compliance assistance services, including:
- Processing uploaded documents (compliance documents, contracts, policies, and other business documents)
- Processing chat conversations and compliance queries
- Processing compliance audit results and generated documents
- Processing account and billing information
2. DATA PROCESSED
2.1 Categories of data subjects: Controller's employees, clients, customers, and other individuals referenced in uploaded documents.
2.2 Types of personal data: Names, addresses, contact details, financial information, employment details, and any other personal data contained within documents uploaded to the service.
2.3 Special category data: The Processor does not intentionally process special category data. If such data is contained within uploaded documents, the Controller is responsible for ensuring a lawful basis exists.
3. PROCESSOR OBLIGATIONS
3.1 The Processor shall:
(a) Process personal data only on documented instructions from the Controller
(b) Ensure persons authorised to process personal data are under appropriate obligations of confidentiality
(c) Take all measures required under Article 32 of UK GDPR (security of processing)
(d) Not engage another processor without prior written authorisation of the Controller
(e) Assist the Controller in responding to data subject rights requests
(f) Delete or return all personal data upon termination, at the Controller's choice
(g) Make available all information necessary to demonstrate compliance
4. SUB-PROCESSORS
4.1 The Controller provides general authorisation for the Processor to engage the following sub-processors:
| Sub-Processor | Purpose | Data Processed | Location | DPA |
|--------------|---------|----------------|----------|-----|
| Supabase | Database, storage, auth | All customer data | UK (London, eu-west-2) | https://supabase.com/legal/dpa |
| Vercel | Application hosting | Request data | EU/UK edge | https://vercel.com/legal/dpa |
| OpenAI | Text embeddings | Document text chunks | US | https://openai.com/policies/data-processing-addendum/ |
| Anthropic | AI response generation | Questions + context | US | https://www.anthropic.com/legal/data-processing-addendum |
| Stripe | Payment processing | Payment data | US | https://stripe.com/legal/dpa |
| Resend | Email delivery | Email addresses, content | US | https://resend.com/legal |
| Upstash | Rate limiting | IP addresses, user IDs | EU | Signed |
4.2 The Processor shall inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object.
5. SECURITY MEASURES
5.1 The Processor implements the following security measures:
(a) Encryption in transit (TLS 1.2+)
(b) Encryption at rest (Supabase managed encryption)
(c) Row-Level Security (RLS) ensuring complete tenant isolation
(d) No cross-tenant data access
(e) Access controls and authentication
(f) Regular security reviews
6. DATA BREACH NOTIFICATION
6.1 The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach.
6.2 The notification shall include:
(a) Description of the nature of the breach
(b) Categories and approximate number of data subjects affected
(c) Likely consequences of the breach
(d) Measures taken or proposed to address the breach
7. DATA SUBJECT RIGHTS
7.1 The Processor shall assist the Controller in fulfilling its obligations to respond to data subject rights requests, including:
(a) Right of access (Article 15)
(b) Right to rectification (Article 16)
(c) Right to erasure (Article 17)
(d) Right to restriction (Article 18)
(e) Right to data portability (Article 20)
8. INTERNATIONAL TRANSFERS
8.1 Personal data may be transferred to countries outside the UK where sub-processors are located.
8.2 The Processor ensures appropriate safeguards are in place for such transfers, including Standard Contractual Clauses where required.
9. AUDIT RIGHTS
9.1 The Controller may request evidence of the Processor's compliance with this DPA.
9.2 The Processor shall make available all information necessary to demonstrate compliance and allow for audits, including inspections, by the Controller or an auditor mandated by the Controller.
10. TERM AND TERMINATION
10.1 This DPA shall remain in effect for the duration of the service agreement.
10.2 Upon termination, the Processor shall delete all personal data within 30 days, unless retention is required by law.
11. GOVERNING LAW
11.1 This DPA is governed by the laws of England and Wales.
[LEGAL ENTITY NAME TO COMPLETE]
[REGISTERED ADDRESS TO COMPLETE]
[DATE TO COMPLETE]
This is a template. Please review with your legal team before signing. Contact [SUPPORT EMAIL TO COMPLETE] for queries.