Data Processing Addendum (DPA)

Standard Contractual Clauses for the processing of personal data in accordance with Article 28 of the GDPR.

GDPR Article 28 Compliant
SCCs for International Transfers

Agreement Version: 2.0 (Effective February 2026)

1. Definitions

Terms used in this DPA shall have the same meaning as in the GDPR (Regulation (EU) 2016/679).

  • Controller: The user or organization using EUAIActReady that determines the purposes and means of processing personal data.
  • Processor: EUAIActReady, which processes personal data on behalf of the Controller.
  • Data Subject: Any identified or identifiable natural person whose personal data is processed.
  • Personal Data: Any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.

2. Scope and Purpose

This DPA applies to all processing of personal data by the Processor on behalf of the Controller in connection with the provision of the EU AI Act compliance assessment service. The Processor shall process personal data only on documented instructions from the Controller, unless required by Union or Member State law.

The subject matter of processing is the provision of AI Act compliance assessments, risk classifications, report generation, and related services. The duration of processing corresponds to the duration of the Service Agreement (Terms of Service).

3. Types of Personal Data Processed

The following categories of personal data may be processed:

  • Identity data: name, email address, company name
  • Assessment data: AI system descriptions, risk classifications, compliance answers
  • Technical data: IP addresses, browser type, access timestamps
  • Payment data: processed exclusively by Stripe; the Processor does not store payment card details
  • Team data: team member names and email addresses (Pro and Consultant tiers)

4. Categories of Data Subjects

The processing relates to the following categories of data subjects:

  • Users of the platform (employees, consultants, administrators of the Controller)
  • Individuals mentioned in AI system descriptions or risk assessments submitted by the Controller
  • Client contacts managed through the Consultant tier client portal

5. Processor Obligations (Article 28(3) GDPR)

In accordance with Article 28(3) GDPR, the Processor shall:

  • Process personal data only on documented instructions from the Controller, including with regard to transfers to third countries, unless required by Union or Member State law
  • Ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
  • Implement all technical and organizational measures required by Article 32 GDPR (see Section 8)
  • Not engage another processor without prior specific or general written authorization of the Controller (see Section 6)
  • Assist the Controller in fulfilling its obligation to respond to requests for exercising the Data Subject's rights under Chapter III GDPR
  • Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to the Processor
  • At the choice of the Controller, delete or return all personal data after the end of the provision of services (see Section 10)
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR, and allow for and contribute to audits (see Section 9)

6. Authorized Sub-processors

The Controller hereby provides general written authorization for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object. Current sub-processors:

Entity                               Service                          Data Location      Transfer Safeguard
Supabase, Inc.                       Database & Authentication        EU (Ireland)       Data stored in EU
Stripe, Inc.                         Payment Processing               US / EU            EU-US DPF + SCCs
Netlify, Inc.                        Hosting & CDN                    US / Global CDN    SCCs
Cloudflare, Inc.                     CAPTCHA (Turnstile)              Global Edge        EU-US DPF + SCCs
Functional Software, Inc. (Sentry)   Error Monitoring & Performance   US / EU            EU-US DPF + SCCs
Resend, Inc.                         Transactional Email Delivery     US                 SCCs

7. International Data Transfers

Where personal data is transferred outside the EU/EEA, the Processor ensures that appropriate safeguards are in place in accordance with Chapter V GDPR. These safeguards include EU-US Data Privacy Framework certifications and Standard Contractual Clauses (SCCs) as adopted by the European Commission (Decision 2021/914). The Controller's primary data (account and assessment data) is stored exclusively within the EU (Ireland).

8. Technical and Organizational Measures (TOMs)

The Processor implements the following measures pursuant to Article 32 GDPR:

  • Encryption of data in transit using TLS 1.3 or higher
  • Encryption of data at rest using AES-256
  • Row Level Security (RLS) in Supabase ensuring strict data isolation between users
  • Service-role-only database triggers protecting sensitive fields (risk levels, subscription data) from client-side modification
  • Secure authentication with email verification and optional CAPTCHA protection
  • Regular automated vulnerability scanning and dependency auditing
  • Principle of data minimization: only data necessary for service provision is collected
  • Access controls: administrative access is restricted to authorized personnel with least-privilege principles
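The two database measures above (per-user Row Level Security and service-role-only protection of sensitive fields) can be expressed in Postgres as follows. This is an added illustration, not EUAIActReady's own schema; the table name `assessments`, its columns, and the Supabase conventions `auth.uid()` and the `service_role` database role are assumptions.

```sql
-- Added example (not the platform's schema): per-user RLS plus a
-- trigger that lets only the service role change risk_level.
-- Table and column names are assumed for illustration.
create table if not exists assessments (
  id          uuid primary key default gen_random_uuid(),
  owner_id    uuid not null default auth.uid(),
  system_name text not null,
  answers     jsonb not null default '{}'::jsonb,
  risk_level  text not null default 'unclassified'
);

-- Without this, policies are never evaluated.
alter table assessments enable row level security;

-- Isolation: an authenticated user can only read and write rows
-- whose owner_id matches the caller's JWT subject.
create policy "owner_select" on assessments
  for select to authenticated using (owner_id = auth.uid());
create policy "owner_insert" on assessments
  for insert to authenticated with check (owner_id = auth.uid());
create policy "owner_update" on assessments
  for update to authenticated
  using (owner_id = auth.uid()) with check (owner_id = auth.uid());
create policy "owner_delete" on assessments
  for delete to authenticated using (owner_id = auth.uid());

-- RLS decides which rows a client may touch, not which columns.
-- A row owner could otherwise rewrite their own risk_level, so the
-- trigger rejects any change to it unless the request runs as the
-- service role (assumed to be the role name used by the service key).
create or replace function protect_risk_level() returns trigger
language plpgsql as $$
begin
  if new.risk_level is distinct from old.risk_level
     and current_user <> 'service_role' then
    raise exception 'risk_level may only be set by the service role';
  end if;
  return new;
end;
$$;

create trigger assessments_protect_risk_level
  before update on assessments
  for each row execute function protect_risk_level();
```

The same trigger pattern extends to other server-owned columns such as subscription tier; an audit of these controls would check that RLS is enabled on every table holding personal data and that no policy grants access on a column a client must not write.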

9. Audit Rights

The Controller has the right to conduct audits, including inspections, to verify the Processor's compliance with this DPA. The Processor shall make available all information necessary to demonstrate compliance with Article 28 GDPR. Audits shall be conducted with reasonable prior notice (at least 14 days) and during normal business hours. The Controller may engage an independent third-party auditor, subject to confidentiality obligations.

10. Data Deletion and Return

Upon termination of the service agreement, the Processor shall, at the choice of the Controller: (a) return all personal data in a structured, commonly used, and machine-readable format (JSON export), or (b) delete all personal data within 30 days, unless Union or Member State law requires continued storage. The Processor shall certify the deletion in writing upon request.

11. Breach Notification

The Processor shall notify the Controller without undue delay, and in any case within 48 hours, after becoming aware of a personal data breach. The notification shall include: (a) a description of the nature of the breach, (b) the categories and approximate number of data subjects affected, (c) the likely consequences, and (d) the measures taken or proposed to address the breach.

12. Termination

This DPA shall remain in effect for the duration of the Service Agreement. The obligations of the Processor regarding data processing shall survive the termination of this DPA to the extent necessary to complete the deletion or return of personal data.

Note: By using the EUAIActReady platform and accepting our Terms of Service, you are entering into this Data Processing Addendum as the Controller of your data. This constitutes valid acceptance under Article 28(9) GDPR.