Data Processing Addendum (DPA)

Standard Contractual Clauses for the processing of personal data in accordance with Article 28 of the GDPR.

GDPR Article 28 Compliant
SCCs for International Transfers

Agreement Version: 1.2 (Effective January 2026)

1. Definitions

Terms used in this DPA shall have the same meaning as in the GDPR.

  • Controller: The user/organization using AIActReady.
  • Processor: EUAIActReady (AIACTREADY PRACTICAL V4.0).
  • Data Subject: Any individual whose personal data is processed.
  • Personal Data: Any information relating to an identified or identifiable natural person.

2. Scope and Purpose

This DPA applies to the processing of personal data by the Processor on behalf of the Controller in order to provide the AI Act compliance assessment services. The Processor shall process personal data only on documented instructions from the Controller.

3. Categories of Data Subjects

The processing includes data relating to:

  • Users of the platform (employees, consultants, administrators)
  • Individuals mentioned in AI system descriptions or risk assessments
  • Client contacts (for Consultant tier users)

4. Processor Obligations

The Processor shall:

  • Ensure that persons authorized to process the personal data have committed themselves to confidentiality.
  • Implement appropriate technical and organizational measures (TOMs) as required by Article 32 GDPR.
  • Assist the Controller in fulfilling their obligation to respond to requests for exercising the Data Subject's rights.
  • Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR.

5. Authorized Sub-processors

The Controller authorizes the use of the following sub-processors for the fulfillment of the service:

  Entity          | Service                | Location
  ----------------|------------------------|------------
  Supabase, Inc.  | Database & Auth        | US
  Stripe, Inc.    | Payments & Invoicing   | US / Global
  Netlify, Inc.   | Hosting & CDN          | US

6. Security Measures

The Processor provides the following security guarantees:

  • Encryption of data in transit (TLS 1.3+)
  • Encryption of data at rest (AES-256)
  • Strict Row Level Security (RLS) in Supabase
  • Regular security audits and automated vulnerability scanning
  • Minimal data collection principle

7. Breach Notification

The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach. In any case, such notification shall occur within 48 hours.

8. Termination and Deletion

Upon termination of the service, the Processor shall, at the choice of the Controller, delete or return all the personal data to the Controller, unless Union or Member State law requires storage of the personal data.

Note: By using the AIActReady platform and accepting our Terms of Service, you are entering into this Data Processing Addendum as the Controller of your data. This digital signature is legally binding under GDPR.