Last updated: February 2, 2026
Purpose
This Agreement governs the Data Processor’s processing of personal data on behalf of the Data Controller in accordance with Article 28 of the GDPR. The processing is part of the delivery of Complir's compliance platform and related services.
Nature of the processing
The Data Processor processes personal data to provide the Data Controller with tools for managing product compliance, including:
Storing supplier contact information
Processing uploaded product-related documentation
Supporting AI-powered workflows for classification, translation, and risk assessment
Types of personal data
The types of data may include, but are not limited to:
Name
Email
Phone number
Company affiliation
Role/title
Supplier company details
Uploaded documents containing personal or supplier information
Categories of data subjects
The Data Processor may process personal data relating to the following categories of data subjects on behalf of the Data Controller:
Employees and authorized users of the Data Controller who access or use the Complir platform.
Supplier contacts and representatives whose information is uploaded or managed within the platform by the Data Controller.
Subcontractors or external partners whose details may appear in documentation or compliance data provided by the Data Controller.
No special categories of personal data (as defined in Article 9 of the GDPR) are intended to be processed under this Agreement.
Security measures
The Data Processor implements appropriate technical and organisational measures, including:
Encrypted communication (TLS)
Role-based access control
Periodic access reviews
Logging and monitoring via Sentry
Regular backups
Use of ISO 27001-certified infrastructure providers
Data subject rights and assistance
The Data Processor assists the Data Controller in fulfilling its obligations under GDPR Chapter 3 (data subject rights), including access, correction, deletion, and objection.
Deletion or return of data
Upon termination of the Agreement, the Data Processor will delete or return all personal data at the Data Controller's request, unless otherwise required by law.
Audit rights
The Data Controller may audit the Data Processor’s data processing practices once per year with 30 days' written notice. Audit costs are borne by the Data Controller unless a material breach is found.
Breach notification
The Data Processor will notify the Data Controller without undue delay and no later than 48 hours after becoming aware of a personal data breach.
Duration
This Agreement remains in effect as long as the Data Processor processes personal data on behalf of the Data Controller.

