This Data Processing Addendum (DPA) sets out how Compliance One handles personal data on your behalf, in line with GDPR and comparable laws. It forms part of your agreement with us. If you're an enterprise customer who needs a countersigned copy, just ask — we'll arrange it.
In plain terms: you decide what happens to the personal data in your customer content, so you're the controller (or, if you're handling it for your own customers, their processor). We act on your instructions to store and process it, so we're your processor (or sub-processor). This DPA governs that relationship.
We process the personal data contained in the customer content you upload — for example the names and email addresses of your employees within evidence records — solely to provide the platform: storing it, securing it, and making it available to your authorised users and auditors. We don't process it for any purpose of our own.
As your processor, we commit to:
We protect the personal data we process with measures aligned to all six frameworks we support (ISO 27001, SOC 2, ISO 42001, HIPAA, PCI DSS, and NIS2). Concretely:
To run the service we use a small number of sub-processors — for example AWS for hosting and storage. You authorise us to use those listed on our Sub-processors page. We stay responsible for their performance, hold them to data-protection terms at least as strict as these, and will give you advance notice of any intended change so you have a fair chance to object.
Regional storage means you can keep personal data in your chosen region. Where a transfer across borders is unavoidable, we rely on appropriate safeguards such as the EU Standard Contractual Clauses, and we transfer only what's necessary. For example, an EU customer's evidence stays in Frankfurt even if a support request is handled elsewhere.
If one of your users or customers exercises a right — to access, correct, delete, or export their data — we'll help you respond. The platform's own tools let you find, export, and delete records directly, and where you need more, our team will assist within the timeframes the law expects.
If we become aware of a personal-data breach affecting your data, we'll notify you without undue delay — not weeks later — and give you the information you need to meet your own reporting obligations, including what happened, what data was involved, and what we're doing about it. We'd rather over-communicate here than leave you guessing.
You're entitled to verify that we're doing what we say. We make our compliance documentation and evidence available to demonstrate our controls, and we'll cooperate with reasonable audit requests in a way that doesn't compromise other customers' security.
When your agreement ends, you can export your data during a reasonable retrieval window. After that, we delete or return personal data on your instruction, except where the law requires us to keep specific records for a defined period. For example, we may retain minimal billing data for tax purposes even after everything else is deleted.
This DPA works alongside your main agreement and Terms of Service. Where there's a conflict about the processing of personal data specifically, this DPA takes precedence.
Need a countersigned DPA for your records? Email hello@complianceonecloud.com and we'll sort it out.