Home

Data Processing Addendum

Last updated: 15 July 2026

This Data Processing Addendum (DPA) sets out how Compliance One handles personal data on your behalf, in line with GDPR and comparable laws. It forms part of your agreement with us. If you're an enterprise customer who needs a countersigned copy, just ask — we'll arrange it.

Who is who

In plain terms: you decide what happens to the personal data in your customer content, so you're the controller (or, if you're handling it for your own customers, their processor). We act on your instructions to store and process it, so we're your processor (or sub-processor). This DPA governs that relationship.

What we process, and why

We process the personal data contained in the customer content you upload — for example the names and email addresses of your employees within evidence records — solely to provide the platform: storing it, securing it, and making it available to your authorised users and auditors. We don't process it for any purpose of our own.

Our core commitments

As your processor, we commit to:

  • Process personal data only on your documented instructions — using the platform is your instruction; we won't go beyond it.
  • Ensure the people who handle it are bound by confidentiality.
  • Apply strong technical and organisational security measures (detailed below).
  • Help you meet your own obligations — including responding to data-subject requests and cooperating with regulators.
  • Delete or return personal data when the agreement ends, as set out below.

Security measures

We protect the personal data we process with measures aligned to all six frameworks we support (ISO 27001, SOC 2, ISO 42001, HIPAA, PCI DSS, and NIS2). Concretely:

  • Hosting on AWS, with your choice of data region — EU (Frankfurt), US (Northern Virginia), or Asia-Pacific (Singapore).
  • Encryption of data in transit and at rest.
  • Physical isolation of each organisation's data in its own storage bucket — for example, one customer's evidence can never appear in another's exports.
  • Least-privilege access, continuous monitoring, and audit logging.
  • The option, for enterprise customers, to bring their own storage and retain full custody.

Sub-processors

To run the service we use a small number of sub-processors — for example AWS for hosting and storage. You authorise us to use those listed on our Sub-processors page. We stay responsible for their performance, hold them to data-protection terms at least as strict as these, and will give you advance notice of any intended change so you have a fair chance to object.

International transfers

Regional storage means you can keep personal data in your chosen region. Where a transfer across borders is unavoidable, we rely on appropriate safeguards such as the EU Standard Contractual Clauses, and we transfer only what's necessary. For example, an EU customer's evidence stays in Frankfurt even if a support request is handled elsewhere.

Helping with data-subject requests

If one of your users or customers exercises a right — to access, correct, delete, or export their data — we'll help you respond. The platform's own tools let you find, export, and delete records directly, and where you need more, our team will assist within the timeframes the law expects.

If there's a breach

If we become aware of a personal-data breach affecting your data, we'll notify you without undue delay — not weeks later — and give you the information you need to meet your own reporting obligations, including what happened, what data was involved, and what we're doing about it. We'd rather over-communicate here than leave you guessing.

Audits and assurance

You're entitled to verify that we're doing what we say. We make our compliance documentation and evidence available to demonstrate our controls, and we'll cooperate with reasonable audit requests in a way that doesn't compromise other customers' security.

Return and deletion

When your agreement ends, you can export your data during a reasonable retrieval window. After that, we delete or return personal data on your instruction, except where the law requires us to keep specific records for a defined period. For example, we may retain minimal billing data for tax purposes even after everything else is deleted.

How this fits with your other terms

This DPA works alongside your main agreement and Terms of Service. Where there's a conflict about the processing of personal data specifically, this DPA takes precedence.

Getting a signed copy

Need a countersigned DPA for your records? Email hello@complianceonecloud.com and we'll sort it out.