Data Processing Addendum (DPA)

This Data Processing Addendum (“DPA”) outlines Complycia’s obligations when processing personal data on behalf of customers, in accordance with applicable data protection laws, including the GDPR and CCPA.

Last updated: Jan 1, 2026

1. Scope and Applicability

This Data Processing Addendum (“DPA”) applies where Complycia processes personal data on behalf of the Customer in the course of providing compliance automation, documentation generation, and regulatory readiness services (the “Services”).


This DPA supplements and forms part of the Terms of Service and governs the processing of personal data between Complycia and the Customer.

2. Roles and Responsibilities

For the purposes of applicable data protection laws:

  • The Customer acts as the Data Controller

  • Complycia acts as the Data Processor, as defined under GDPR Article 4

Each party shall comply with its respective obligations under applicable data protection laws.

3. Types of Personal Data


Complycia may process the following categories of personal data solely in connection with the Services:

  • Name

  • Work email address

  • Company name and role

  • Account and usage metadata

  • Support communications

Complycia does not process special categories of personal data, including but not limited to: medical records, patient information, health data, biometric data, racial or ethnic origin, political opinions, or religious beliefs.


Complycia does not access Electronic Health Record (EHR) systems.

4. Purpose of Processing


Complycia processes personal data solely for the following purposes:

  • Providing compliance documentation and licensure-ready binder generation

  • Supporting regulatory readiness, audits, and internal compliance workflows

  • Operating, maintaining, and improving the Services

  • Account administration and billing

  • Ensuring system security and integrity

Complycia does not process Customer data for advertising, resale, or training external models without explicit written consent.

5. Subprocessors


Complycia may engage vetted subprocessors to assist in delivering the Services (e.g., cloud infrastructure providers, payment processors).


All subprocessors are subject to written agreements that provide data protection obligations equivalent to this DPA.


Customers may subscribe to receive reasonable notice of material changes to subprocessors and may object on legitimate data protection grounds.

6. Data Transfers


Where personal data is transferred outside the European Economic Area (EEA), United Kingdom, or Switzerland, Complycia ensures appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs)

  • Additional technical and organizational security measures where required

Complycia does not rely on cross-border transfers unless necessary to provide the Services.

7. Security Measures


Complycia implements appropriate technical and organizational security measures designed to protect personal data, including:

  • Encryption of data in transit and at rest

  • Access controls and user authentication

  • Role-based permissions

  • Continuous monitoring and vulnerability management

  • Employee confidentiality obligations and security training

These measures are designed to protect against unauthorized access, loss, or disclosure of personal data.

8. Data Subject Rights


Complycia will reasonably assist the Customer in responding to requests from data subjects exercising their rights under applicable data protection laws, including requests for:

  • Access

  • Correction

  • Deletion

  • Data portability

  • Restriction or objection to processing

Complycia will promptly notify the Customer if it receives any such request directly.

9. Breach Notification

In the event of a personal data breach affecting Customer data, Complycia shall:

  • Notify the Customer without undue delay

  • Provide reasonable information regarding the nature of the incident

  • Assist the Customer in meeting any applicable regulatory or notification obligations

10. Data Deletion and Return


Upon termination or expiration of the Services, Complycia shall, at the Customer’s choice:

  • Delete Customer personal data within a reasonable timeframe, unless retention is required by law

  • Provide confirmation of deletion upon request

  • Allow secure export of Customer data prior to deletion where applicable

11. Audits and Certifications


Complycia shall make reasonable information available to demonstrate compliance with this DPA upon request, including relevant security documentation.


Where reasonably required, Complycia may allow audits by the Customer or a mutually agreed third party, subject to confidentiality obligations and reasonable notice.


Complycia maintains appropriate compliance practices aligned with applicable data protection standards.

12. Governing Law


This DPA shall be governed by the same governing law and jurisdiction as the Terms of Service, unless otherwise required by applicable data protection laws.

13. Contact

For all data protection inquiries:

📧 Email: privacy@complycia.com

Built for Non-Medical Home Care Agencies

Ready to get licensed?

Generate your state-aligned compliance binder in minutes.

  • State-specific compliance documentation

  • Audit-ready & submission-ready

  • Used by U.S. home care agencies
