Data Processing Agreement

1. Introduction and Scope

This Data Processing Agreement ("DPA") forms part of the Terms of Service between ComplyDeck, Inc. ("Processor", "we", "us") and the customer ("Controller", "you") who uses our AI-powered compliance automation platform ("Service").

This DPA sets forth the parties' obligations regarding the processing of personal data in connection with the Service, in compliance with:

• GDPR: General Data Protection Regulation (EU) 2016/679
• CCPA: California Consumer Privacy Act
• Other applicable data protection laws

By using ComplyDeck, you acknowledge that you are the Controller of your data and ComplyDeck acts as a Processor on your behalf.

2. Definitions

• "Personal Data": Any information relating to an identified or identifiable natural person that you upload or process through the Service.
• "Processing": Any operation performed on Personal Data, including collection, storage, retrieval, use, transmission, or deletion.
• "Controller": You, the customer, who determines the purposes and means of processing Personal Data.
• "Processor": ComplyDeck, Inc., which processes Personal Data on behalf of the Controller.
• "Sub-processor": A third party engaged by the Processor to assist in fulfilling its obligations under this DPA.
• "Data Subject": An individual whose Personal Data is processed.
• "Customer Data": All data, including Personal Data, that you upload to or create within the Service.

3. Data Processing Details

3.1 Subject Matter and Duration

ComplyDeck processes Customer Data to provide AI-powered compliance questionnaire automation services. Processing continues for the duration of your subscription and for the retention period specified in our Privacy Policy.

3.2 Nature and Purpose of Processing

We process your data to:

• Store and index compliance policy documents you upload
• Generate AI-powered responses to security questionnaires
• Create and maintain vector embeddings for semantic search
• Store Q&A database entries for response consistency
• Authenticate users and manage team access
• Provide customer support and service communications

3.3 Types of Personal Data Processed

• Account Data: Email addresses, names, company names, passwords (hashed)
• Document Content: Security policies, SOC 2 reports, compliance documents
• Questionnaire Data: Questions, answers, reviewer names, approval status
• Usage Data: IP addresses, browser information, access logs
• Team Data: Member names, roles, project assignments

3.4 Categories of Data Subjects

• Your employees and team members
• Individuals mentioned in uploaded compliance documents
• Reviewers and approvers of questionnaire responses

4. Processor Obligations

ComplyDeck shall:

• Process Personal Data only on your documented instructions
• Ensure personnel are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures
• Assist you in responding to Data Subject requests
• Notify you of any Personal Data breach without undue delay
• Delete or return Personal Data upon termination of services
• Make available information necessary for compliance audits
• Not engage sub-processors without your prior authorization

5. Controller Obligations

You, as the Controller, shall:

• Ensure you have a lawful basis for processing Personal Data
• Provide clear instructions regarding data processing
• Obtain necessary consents from Data Subjects where required
• Ensure accuracy and relevance of Personal Data uploaded
• Comply with applicable data protection laws
• Not upload data that violates third-party rights or laws

6. Authorized Sub-processors

You authorize ComplyDeck to engage the following sub-processors to assist in providing the Service. We maintain appropriate data processing agreements with each sub-processor.

6.1 Cloud Infrastructure & Hosting

• Google Cloud Platform (GCP)
  • Location: United States (us-central1)
  • Purpose: Application hosting (Cloud Run), API infrastructure
  • Data processed: All application data, API requests
  • Certifications: SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, FedRAMP
  • DPA: Google Cloud DPA

6.2 Authentication & Database

• Supabase, Inc.
  • Location: United States
  • Purpose: User authentication, PostgreSQL database, Edge Functions
  • Data processed: User accounts, profiles, project settings, team memberships, invitations
  • Certifications: SOC 2 Type II
  • DPA: Supabase DPA

6.3 Document Storage

• iDrive, Inc. (e2 Cloud Storage)
  • Location: United States (us-west-1)
  • Purpose: S3-compatible storage for policy documents, CSV files, embeddings cache
  • Data processed: PDF policy documents, questionnaire files, Q&A databases
  • Security: AES-256 encryption at rest, TLS in transit
  • DPA: Available upon request

6.4 Vector Database

• Zilliz, Inc. (Zilliz Cloud)
  • Location: AWS EU (eu-central-1)
  • Purpose: Vector embeddings storage for semantic search (RAG)
  • Data processed: Document chunk embeddings, question embeddings, semantic metadata
  • Security: Encrypted at rest, TLS in transit, project-level isolation
  • Note: Only numerical embeddings are stored, not raw document text

6.5 AI Processing

• Google LLC (Gemini API)
  • Location: United States
  • Purpose: AI-powered answer generation, text embeddings
  • Data processed: Document text chunks (for context), questions, generated answers
  • Models used: Gemini 3 Flash (generation), text-embedding-004 (embeddings)
  • Data retention: Google does not use API data for model training
  • DPA: Google Cloud DPA

6.6 CDN & Security

• Cloudflare, Inc.
  • Location: Global edge network
  • Purpose: CDN, DDoS protection, DNS, static hosting (Cloudflare Pages), API proxy (Workers)
  • Data processed: HTTP requests, IP addresses, cached static assets
  • Certifications: SOC 2 Type II, ISO 27001, PCI DSS
  • DPA: Cloudflare DPA

7. Security Measures

ComplyDeck implements comprehensive technical and organizational measures to protect Personal Data:

7.1 Encryption

• In Transit: All data transmitted over TLS 1.3
• At Rest: AES-256 encryption for stored documents and database
• Passwords: Bcrypt hashing with salt (never stored in plain text)
• API Keys: Encrypted storage in Supabase with project-level isolation

7.2 Access Controls

• Role-based access control (Admin, Member, Viewer)
• Project-level data isolation (multi-tenant architecture)
• Session token authentication with automatic expiration
• Domain-based team organization
• Invite-based team member onboarding

7.3 Infrastructure Security

• Serverless architecture (Google Cloud Run) with auto-scaling
• Container isolation for each request
• Cloudflare WAF and DDoS protection
• Regular security patches and updates
• Environment variable secrets management (no hardcoded credentials)

7.4 Monitoring & Logging

• Application logs retained for operational purposes
• Error tracking and alerting
• Audit trails for team member actions

8. Data Flow Architecture

The following describes how data flows through our system:

8.1 Document Upload Flow

• User uploads PDF → Cloudflare (CDN) → Cloud Run API → iDrive e2 (storage)
• Document text extracted → sent to Gemini API for embedding generation
• Embeddings stored in Zilliz Cloud (vector database)
• Metadata stored in Supabase (PostgreSQL)

8.2 Question Processing Flow

• User submits question → Cloud Run API
• Question embedding generated via Gemini API
• Similar document chunks retrieved from Zilliz Cloud
• Q&A database searched for similar past answers
• Context + question sent to Gemini API for answer generation
• Response returned to user (not stored unless approved)

8.3 Authentication Flow

• User signs up/logs in → Supabase Auth
• Session token issued → stored in browser localStorage
• All API requests authenticated via Supabase JWT verification
• Edge Functions validate permissions and project access

9. Data Retention and Deletion

9.1 Retention Periods

• Account Data: Retained while account is active
• Uploaded Documents: Retained until user deletion or account closure
• Q&A Database: Retained until user deletion or account closure
• Vector Embeddings: Deleted when source documents are deleted
• Usage Logs: 12 months maximum
• AI Processing Logs: Not retained beyond request completion

9.2 Deletion Process

• Users can delete individual documents and Q&A entries at any time
• Account deletion removes all associated data within 30 days
• Backup data purged within 90 days of deletion
• Sub-processors instructed to delete data upon our request

9.3 Data Portability

• Export Q&A database as CSV
• Download original uploaded documents
• Request full data export via support

10. International Data Transfers

Your data may be transferred to and processed in countries outside your jurisdiction:

10.1 Transfer Locations

• United States: Primary processing (GCP, Supabase, iDrive, Google Gemini API)
• European Union: Vector database (Zilliz Cloud in eu-central-1)
• Global Edge: CDN caching (Cloudflare edge nodes)

10.2 Transfer Mechanisms

For transfers from the EEA/UK to the US, we rely on:

• EU-US Data Privacy Framework (where applicable)
• Standard Contractual Clauses (SCCs) with sub-processors
• Sub-processor certifications and compliance programs

11. Data Subject Rights

ComplyDeck will assist you in fulfilling Data Subject requests:

11.1 Supported Rights

• Access: Provide copies of Personal Data
• Rectification: Correct inaccurate data
• Erasure: Delete Personal Data ("right to be forgotten")
• Portability: Export data in machine-readable format
• Restriction: Limit processing activities
• Objection: Object to certain processing

11.2 Response Process

Upon receiving a Data Subject request, contact us at bala@complydeck.com. We will:

• Acknowledge receipt within 48 hours
• Verify the request legitimacy
• Complete the request within 30 days
• Notify you if we receive requests directly from Data Subjects

12. Breach Notification

12.1 Notification Timeline

In the event of a Personal Data breach, ComplyDeck will:

• Notify you without undue delay (within 72 hours of becoming aware)
• Provide details of the breach, affected data, and remediation steps
• Cooperate with your investigation and regulatory notifications

12.2 Breach Response

• Immediate containment and assessment
• Root cause analysis
• Remediation and prevention measures
• Documentation of the incident and response

13. Audit Rights

You have the right to audit our compliance with this DPA:

• Request documentation of our security practices
• Review sub-processor agreements
• Request third-party audit reports (SOC 2, where available)
• Conduct on-site audits with reasonable notice (subject to confidentiality)

Audit requests should be submitted to bala@complydeck.com with at least 30 days notice.

14. BYOK (Bring Your Own Key)

Enterprise customers may use their own Google Gemini API key:

• Your API key is encrypted and stored in Supabase
• AI processing uses your key, subject to Google's terms
• You maintain a direct relationship with Google for AI processing
• ComplyDeck does not have access to your decrypted API key

15. Changes to Sub-processors

We will notify you before adding new sub-processors:

• Notification via email at least 30 days in advance
• Opportunity to object with legitimate grounds
• If objection cannot be resolved, you may terminate the Service

16. Termination

Upon termination of your subscription:

• You may export your data for 30 days after termination
• We will delete your data within 90 days (unless legally required to retain)
• Sub-processors will be instructed to delete your data
• Written confirmation of deletion available upon request

17. Contact Information

For questions about this DPA or to exercise your rights:

• Email: bala@complydeck.com
• Subject Line: "DPA Inquiry" or "Data Subject Request"
• Website: https://complydeck.com

For urgent security or breach-related matters, please include "URGENT" in the subject line.

18. Governing Law

This DPA is governed by the laws of the State of Delaware, United States, except where superseded by applicable data protection laws (such as GDPR for EU data subjects).

In case of conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data processing matters.