Legal & Compliance
Data Processing Agreement
GDPR-compliant DPA for financial institutions and regulated entities. Required by your CCO? Download the signed version or request a custom agreement.
GDPR Art. 28
Fully compliant processor agreement
SCCs included
EU Commission Decision 2021/914
72h breach notice
Art. 33 GDPR obligation
Available in EN/FR
Signed PDF on request
Key provisions
What the DPA covers
Summary of key provisions — the full signed DPA is available on request.
Subject matter and duration
This DPA governs the processing of personal data by Netwanted S.à r.l.-S (Processor) on behalf of the Client (Controller) in connection with the provision of the Komplync platform. The DPA is effective for the duration of the subscription agreement.
Nature and purpose of processing
Personal data is processed solely to provide the Komplync service: AI-assisted content generation, compliance checking, approval workflow management, and audit trail logging. No data is used for AI model training, sold to third parties, or processed for any purpose not specified in the agreement.
Types of personal data processed
The Processor processes: (a) account data — name, email address, job title; (b) content data — marketing texts and compliance reports submitted by Users; (c) usage logs — generation timestamps, approval actions, IP addresses. No special categories of personal data are processed.
Sub-processors
The Processor uses the following approved sub-processors, all located in the EU/EEA: Supabase (database, EU region), Anthropic (AI generation, data processed under EU SCCs with no retention), Resend (transactional email, EU region), Vercel (hosting, EU edge nodes). A current list is maintained and Clients are notified 30 days before any change.
Security measures (Art. 32 GDPR)
Technical and organisational measures include: AES-256 encryption at rest; TLS 1.3 in transit; access control via role-based permissions; MFA enforcement; immutable audit logs; annual penetration testing; incident response procedures with 72-hour breach notification.
Data subject rights
The Processor assists the Controller in responding to data subject requests under Arts. 15–22 GDPR (access, rectification, erasure, portability, restriction, objection). Requests are fulfilled within 30 days. Contact: privacy@komplync.com.
Data transfers outside the EEA
All personal data is stored and processed within the EEA. Where sub-processors (e.g. Anthropic) process data outside the EEA, Standard Contractual Clauses (SCCs) under EU Commission Decision 2021/914 are in place, supplemented by technical safeguards ensuring no personal data is retained by the model.
Deletion and return of data
Upon termination of the subscription, personal data is deleted within 30 days. Audit trail logs required for regulatory purposes may be retained for up to 5 years per CSSF requirements. The Controller may request a full data export before deletion.
Need a signed copy for your legal team?
Send us your organisation name and we'll return a countersigned DPA within 2 business days. Enterprise clients can request a custom agreement reviewed by our Luxembourg-registered legal team.
legal@komplync.com
Response within 2 business days · Available in English and French