Data Processing Agreement

1. Definitions

In this DPA, unless the context requires otherwise:

• "GDPR" means Regulation (EU) 2016/679 (General Data Protection Regulation)
• "Personal Data" has the meaning given in GDPR Article 4(1)
• "Processing" has the meaning given in GDPR Article 4(2)
• "Data Subject" means an identified or identifiable natural person
• "Sub-processor" means any processor engaged by the Processor
• "Customer Data" means Personal Data processed by Processor on behalf of Controller
• "Services" means the Regtrue platform and related services

2. Scope and Purpose

This DPA applies to the Processing of Personal Data by the Processor on behalf of the Controller in connection with the Services.

2.1 Purpose of Processing

The Processor shall Process Personal Data only for the following purposes:

• Providing the Regtrue compliance and reporting platform
• Processing ESG, sustainability, and compliance data
• User authentication and access management
• Customer support and communication
• Service improvement and analytics (anonymized)
• Legal compliance and fraud prevention

2.2 Duration of Processing

Processing shall continue for the duration of the Controller's subscription, plus any retention period required by law or as specified in the Terms of Service.

3. Data Categories

3.1 Categories of Data Subjects

• Controller's employees and contractors
• Controller's customers and suppliers (if entered into the system)
• External auditors and reviewers (if given access)

3.2 Types of Personal Data

• Contact information (name, email, phone)
• Professional information (job title, organization)
• Account credentials (hashed passwords)
• Usage data (logs, IP addresses)
• ESG data that may contain personal information

3.3 Special Categories

The Services are not designed to process special categories of personal data (Article 9 GDPR). Controller shall not upload such data without prior written consent from Processor.

4. Processor Obligations

The Processor shall:

• Process Personal Data only on documented instructions from Controller
• Ensure personnel are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures
• Respect conditions for engaging sub-processors
• Assist Controller with data subject rights requests
• Assist Controller with security and breach notification obligations
• Delete or return Personal Data upon termination
• Make available information necessary to demonstrate compliance

5. Security Measures

The Processor implements the following technical and organizational measures:

5.1 Technical Measures

• Encryption at rest (AES-256) and in transit (TLS 1.3)
• Role-based access control (RBAC)
• Row-level security (RLS) for data isolation
• Regular security testing and vulnerability assessments
• Automated backup and disaster recovery
• Intrusion detection and monitoring

5.2 Organizational Measures

• Security awareness training for all personnel
• Background checks for employees with data access
• Incident response procedures
• Regular security policy reviews
• Vendor security assessments

6. Sub-processors

Controller authorizes Processor to engage sub-processors listed at https://app.regtrue.com/trust-center/subprocessors.

Before engaging a new sub-processor, Processor shall:

• Update the sub-processor list at least 30 days before the change
• Ensure the sub-processor is bound by equivalent data protection obligations
• Remain liable for the sub-processor's compliance

Controller may object to a new sub-processor by contacting Processor within 14 days of notification. If a resolution cannot be reached, Controller may terminate the affected Services.

7. International Data Transfers

Primary data storage is in the European Union (Frankfurt, Germany). Where transfers outside the EEA are necessary, Processor ensures:

• Adequacy decisions (where available)
• Standard Contractual Clauses (EU Commission approved)
• Supplementary measures where required
• Transfer Impact Assessments as needed

8. Data Subject Rights

Processor shall assist Controller in responding to data subject requests for:

• Access to personal data (Article 15)
• Rectification (Article 16)
• Erasure / "Right to be forgotten" (Article 17)
• Restriction of processing (Article 18)
• Data portability (Article 20)
• Objection to processing (Article 21)

Processor shall respond to Controller requests within 10 business days. If Processor receives a request directly, it shall redirect the data subject to Controller.

9. Data Breach Notification

In case of a Personal Data breach, Processor shall:

• Notify Controller without undue delay, and in any event within 48 hours
• Provide details of the breach nature, affected data, likely consequences
• Describe measures taken or proposed to address the breach
• Assist Controller with breach notifications to authorities and data subjects
• Document all breaches and remediation actions

Breach notifications should be sent to the Controller's designated contact or, if not specified, to the account owner's email address.

10. Audit Rights

Processor shall make available to Controller all information necessary to demonstrate compliance with this DPA and GDPR Article 28.

Controller may conduct audits (or appoint an independent auditor) with:

• At least 30 days prior written notice
• No more than once per year (unless required by regulators)
• During normal business hours
• Auditor bound by confidentiality

Processor may provide SOC 2 reports, penetration test results, or third-party audit reports in lieu of on-site audits where these adequately address Controller's requirements.

11. Data Deletion

Upon termination of Services:

• Controller may export data within 30 days using built-in export tools
• Processor shall delete Customer Data within 90 days after termination
• Processor may retain data as required by law (with Controller notification)
• Upon request, Processor shall certify deletion in writing

Backup copies may persist for up to 30 days after primary data deletion due to technical retention cycles.

12. Duration and Termination

This DPA shall remain in effect for as long as Processor processes Personal Data on behalf of Controller.

Upon termination of the underlying Services agreement:

• Processing shall cease except for data return/deletion purposes
• Sections 5 (Security), 9 (Breach Notification), and 10 (Audit) survive termination
• Confidentiality obligations continue indefinitely