Data Processing Agreement
Auftragsverarbeitungsvertrag (AVV)
Last updated: May 2025
Pursuant to Article 28 of the General Data Protection Regulation (GDPR). This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Kodex (“Processor”) and the Customer (“Controller”).
1. Subject Matter and Duration
The Processor processes personal data on behalf of the Controller for the purpose of providing compliance assessment, document management, and AI-assisted compliance analysis services. Processing continues for the duration of the service agreement.
2. Nature and Purpose of Processing
- Storage and analysis of compliance evidence documents uploaded by the Controller
- AI-powered evaluation of compliance controls against regulatory frameworks
- Generation of compliance reports, policies, and risk assessments
- User account management and authentication
3. Types of Personal Data
- Contact information (names, email addresses)
- Employment information (contained in uploaded compliance evidence)
- IT security data (access logs, system configurations)
- Any personal data contained in documents uploaded by the Controller
4. Categories of Data Subjects
- Controller's employees and contractors
- Controller's customers (where included in uploaded evidence)
- Controller's partners and vendors
5. Obligations of the Processor
The Processor shall:
- (a) Process personal data only on documented instructions from the Controller
- (b) Ensure persons authorised to process the data are bound by confidentiality
- (c) Implement appropriate technical and organisational security measures (Art. 32 GDPR)
- (d) Not engage another processor without prior written authorisation of the Controller
- (e) Assist the Controller in responding to data subject requests (Art. 15–22 GDPR)
- (f) Assist the Controller in ensuring compliance with Art. 32–36 GDPR
- (g) Delete or return all personal data at the end of the service, at the Controller’s choice
- (h) Make available all information necessary to demonstrate compliance and allow audits
6. Sub-Processors
The Processor uses the following sub-processors:
| Sub-Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase (Singapore Pte. Ltd.) | Database, authentication, file storage | EU (Frankfurt) | EU data residency |
| Anthropic (PBC) | AI inference for compliance evaluation | USA | Standard Contractual Clauses |
| Stripe (Payments Europe Ltd.) | Payment processing | EU (Ireland) | EU entity, GDPR compliant |
| Upstash (Inc.) | Redis caching and rate limiting | EU (Frankfurt) | EU data residency |
| Vercel (Inc.) | Application hosting and edge functions | USA/EU | Standard Contractual Clauses |
| Resend (Inc.) | Transactional email delivery | EU | EU processing |
| Sentry (Functional Software Inc.) | Error monitoring | EU (Frankfurt ingest) | EU data residency |
The Controller hereby grants general authorisation for the engagement of sub-processors listed above. The Processor shall inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object.
7. International Data Transfers
Where personal data is transferred to countries outside the EEA, the Processor ensures appropriate safeguards per Chapter V GDPR, including EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and Transfer Impact Assessments.
8. Security Measures
The Processor implements the following technical and organisational measures:
- Encryption at rest (AES-256) and in transit (TLS 1.2+)
- Role-based access control with principle of least privilege
- Regular security audits and vulnerability assessments
- Automated monitoring and incident detection
- Employee confidentiality obligations and training
9. Data Breach Notification
The Processor shall notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a personal data breach, providing all information required under Art. 33(3) GDPR.
10. Audit Rights
The Controller may audit the Processor's compliance with this DPA. Audits shall be conducted with reasonable notice and during normal business hours.
11. Term and Termination
This DPA shall remain in effect for the duration of the service agreement. Upon termination, the Processor shall delete all personal data within 30 days unless retention is required by law.
12. Contact
For DPA-related inquiries, please contact: dpa@kodex-compliance.eu
Important: This DPA is provided as a standard agreement. For enterprise customers requiring customised terms, please contact dpa@kodex-compliance.eu.