RegulatorySignals

Data Processing Agreement

IMPORTANT DISCLAIMER

This Data Processing Agreement is provided for informational and contractual reference. It does not constitute legal advice. Regulatory Signals is a compliance monitoring platform; this document should be reviewed by qualified legal counsel before relying upon it for any legal purpose. We make no guarantees of legal compliance or protection.

This Data Processing Agreement ("DPA") forms part of the agreement between Regulatory Signals ("Processor") and the Customer ("Controller") who has accepted the Terms of Service. It sets out the terms under which Regulatory Signals processes personal data on behalf of the Customer in accordance with GDPR Art. 28.

1. Definitions

Terms used in this DPA shall have the meanings set out below, consistent with GDPR Art. 4 unless otherwise specified.

  • "Controller" means the Customer who determines the purposes and means of processing personal data (GDPR Art. 4(7)). In this DPA, the Customer acts as Controller.
  • "Processor" means Regulatory Signals, which processes personal data on behalf of the Controller (GDPR Art. 4(8)).
  • "Data Subject" means any identified or identifiable natural person to whom personal data relates (GDPR Art. 4(1)).
  • "Personal Data" means any information relating to a Data Subject (GDPR Art. 4(1)).
  • "Processing" means any operation or set of operations performed on personal data (GDPR Art. 4(2)), including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure, or destruction.
  • "Supervisory Authority" means the independent public authority established by an EU Member State pursuant to GDPR Art. 51, responsible for monitoring the application of the GDPR.
  • "Security Incident" means a personal data breach within the meaning of GDPR Art. 4(12): a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed by the Processor. Confirmation of the breach is not part of the statutory definition; the notification obligation in Section 6 runs from the time the Processor becomes aware of it (GDPR Art. 33(2)).
  • "Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.
  • "SCCs" means the Standard Contractual Clauses adopted by the European Commission under Commission Decision 2021/914 of 4 June 2021.

2. Subject Matter, Nature, Purpose, and Duration of Processing

Subject matter: The Processor provides the Regulatory Signals compliance monitoring platform, which includes website scanning, automated analysis, documentation generation, and alerting services.

Nature: Collection, storage, analysis, structuring, and deletion of personal data as necessary to deliver the platform services.

Purpose: To enable the Controller to monitor regulatory compliance of websites and receive compliance intelligence, documentation drafts, and change alerts.

Duration: Processing commences on the date the Customer accepts the Terms of Service and continues for the full subscription term. Processing terminates upon account closure or subscription expiry, whichever is earlier. Upon termination, the Processor shall delete or return personal data in accordance with Section 11 below (GDPR Art. 28(3)(g)).

3. Categories of Personal Data and Data Subjects

3.1 Categories of Personal Data

The Processor processes the following categories of personal data on behalf of the Controller:

  • Account data: Email address, name (if provided at registration), account preferences, subscription tier.
  • Authentication data: Session tokens, magic link tokens, OAuth identifiers (Google, GitHub).
  • Usage data: Pages viewed, features used, session identifiers, interaction timestamps.
  • Scan submission data: Website URLs submitted by the Controller for analysis.
  • Technical scan results: Cookies, trackers, and technology metadata detected on scanned websites.
  • Generated compliance documents: AI-generated compliance drafts and analysis artefacts produced by the platform.

Note: Payment card data is not processed by Regulatory Signals as Processor under this DPA. Stripe processes payment card data as an independent controller under its own Privacy Policy, Data Privacy Framework certification, and separate contractual terms. Stripe is not a Sub-processor in this DPA chain.

3.2 Categories of Data Subjects

Processing under this DPA may affect the following categories of data subjects:

  • Customer employees and authorised users: Individuals who access the Regulatory Signals platform on behalf of the Controller.
  • Customer account holders: The natural person(s) who registered the account and manage the subscription.
  • End-users of scanned websites (technical metadata only): Technical artefacts (e.g., cookie names, tracker identifiers) incidentally derived from publicly accessible website content submitted for analysis. No personal data of end-users is intentionally collected.

4. Controller Obligations and Warranties

The Controller warrants and represents that:

  • Lawful basis (GDPR Art. 6): The Controller has a valid lawful basis for processing personal data and for instructing the Processor to process personal data on its behalf. The Controller alone determines the lawful basis and bears sole responsibility for that determination.
  • The Controller has provided all required notices and disclosures to Data Subjects in accordance with GDPR Art. 13–14.
  • The Controller will ensure that instructions given to the Processor comply with applicable data protection law.
  • The Controller will notify the Processor without undue delay if any instruction given infringes applicable data protection law.
  • The Controller accepts sole responsibility for the accuracy, quality, and legality of the personal data it submits to the platform.
  • The Controller shall cooperate with the Processor in responding to any Data Subject rights requests, Supervisory Authority enquiries, or Security Incident investigations.

5. Processor Obligations (GDPR Art. 28(3))

The Processor shall, in accordance with GDPR Art. 28(3), comply with the following obligations:

  • (a) Process only on documented instructions: Process personal data only on documented instructions from the Controller, including with regard to international transfers, unless required to do so by Union or Member State law to which the Processor is subject. In such case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits disclosure on important grounds of public interest.
  • (b) Personnel confidentiality: Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • (c) Implement appropriate security measures: Implement and maintain the technical and organisational security measures described in Section 6 below (GDPR Art. 28(3)(c) and Art. 32).
  • (d) Sub-processor obligations: Not engage another processor (Sub-processor) without prior specific or general written authorisation of the Controller, and comply with the sub-processor provisions in Section 8 below. Where a Sub-processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of the Sub-processor's obligations.
  • (e) Data subject rights assistance: Assist the Controller, by appropriate technical and organisational measures insofar as practicable, in responding to Data Subject rights requests (access, erasure, portability, objection), as described in Section 10 below.
  • (f) Assist with compliance obligations: Assist the Controller in ensuring compliance with obligations under GDPR Art. 32–36 (security, breach notification, DPIA, prior consultation), taking into account the nature of processing and information available to the Processor.
  • (g) Deletion or return of data: At the Controller's choice, delete or return all personal data upon termination of the DPA, as described in Section 11, and delete existing copies unless Union or Member State law requires retention.
  • Pseudonymisation (GDPR Art. 32(1)(a)): Where technically feasible and proportionate, apply pseudonymisation to personal data processed on behalf of the Controller.

6. Security Measures (GDPR Art. 28(3)(c) + Art. 32)

The Processor has implemented the following technical and organisational measures to ensure a level of security appropriate to the risk (GDPR Art. 32):

  • Encryption at rest: All personal data stored in the Processor's managed PostgreSQL database (Railway, europe-west4 region, Netherlands) is encrypted at rest using AES-256.
  • Encryption in transit: All data transmitted between the Customer's browser and the platform, and between the platform and Sub-processors, is encrypted using TLS 1.2 or higher.
  • Pseudonymisation: Where applied, personal identifiers are replaced with pseudonyms in analytics and monitoring contexts so that those datasets, if exposed, cannot be linked back to a Data Subject without the separately held mapping.
  • Personnel confidentiality: All personnel with access to personal data are bound by confidentiality obligations as described in Section 5(b).
  • Access controls: Platform users are authenticated via NextAuth v5 (JWT sessions, OAuth with Google and GitHub, magic-link sign-in). Administrative access to the systems and infrastructure processing personal data is restricted to personnel with a need to know.
  • Rate limiting and abuse prevention: API endpoints are rate-limited using Upstash Redis to throttle abuse and automated unauthorised access attempts. Rate limiting reduces the rate of such attempts; it complements, and does not replace, the authentication controls above.
  • Ongoing confidentiality, integrity, and availability: The Processor maintains measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
  • Recovery: The Processor maintains the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, utilising Railway's managed database backup capabilities.
  • Security incident response: In the event of a Security Incident involving personal data, the Processor shall notify the Controller without undue delay after becoming aware of it and, where feasible, no later than 72 hours after becoming aware, so that the Controller can meet its own notification obligations under GDPR Art. 33–34. The notification shall include, to the extent available at the time, the information listed in GDPR Art. 33(3) (nature of the breach, categories and approximate numbers of Data Subjects and records concerned, likely consequences, and measures taken or proposed), with further details provided as they become available.
  • Regular testing and evaluation: The Processor maintains a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.

7. Audit Rights (GDPR Art. 28(3)(h))

In accordance with GDPR Art. 28(3)(h), the Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits and inspections.

  • Right to audit: The Controller may conduct audits of the Processor's data processing activities at most once per calendar year, upon reasonable prior written notice of no less than 30 days, at the Controller's own expense.
  • Alternative assurance mechanism: The Processor may satisfy an audit request by providing the Controller with a current third-party audit report (e.g., SOC 2 Type II, ISO 27001 certificate) covering the systems and processes relevant to this DPA. The Controller may request an on-site inspection only if the audit report is insufficient to demonstrate compliance with a specific obligation under this DPA.
  • Confidentiality: Any information obtained by the Controller during an audit or inspection shall be treated as confidential and may only be used for the purpose of assessing compliance with this DPA.
  • Contact: Audit requests must be submitted in writing to [email protected].

8. Sub-processor Authorisation and List

The Controller grants general written authorisation for the Processor to engage the Sub-processors listed in the table below to assist in delivering the platform services.

Prior notice for changes: The Processor shall notify the Controller at least 30 days in advance of any intended addition or replacement of Sub-processors. The notification will be published at regulatorysignals.com/dpa and, where the Controller has opted in to notifications, sent by email.

Right to object: The Controller may object to any new or replacement Sub-processor on reasonable grounds by notifying the Processor in writing within 14 days of the notification. Where the Processor cannot accommodate the objection, either party may terminate the agreement on 30 days' written notice without penalty.

Sub-processor           | Legal entity               | Purpose                                   | Location                       | Transfer mechanism
------------------------|----------------------------|-------------------------------------------|--------------------------------|--------------------------
Anthropic               | Anthropic PBC              | AI-powered scan analysis via Claude API   | USA                            | Module 3 SCCs (C2021/914)
Cloudflare              | Cloudflare, Inc.           | CDN, DDoS protection, DNS, web analytics  | USA                            | Module 3 SCCs (C2021/914)
Railway                 | Railway Corp.              | Application hosting, PostgreSQL database  | EU (europe-west4, Netherlands) | No transfer — EEA
Resend / Forward Email  | Resend Inc.                | Transactional email delivery              | USA                            | Module 3 SCCs (C2021/914)
Upstash                 | Upstash, Inc.              | Redis — rate limiting, session caching    | USA                            | Module 3 SCCs (C2021/914)
Sentry                  | Functional Software, Inc.  | Error monitoring, performance tracking    | USA                            | Module 3 SCCs (C2021/914)

Note: Stripe processes payment card data as an independent controller under its own Privacy Policy, Data Privacy Framework certification, and Standard Contractual Clauses. Stripe is not a Sub-processor under this DPA. The Controller's relationship with Stripe is governed directly by Stripe's terms.

9. International Transfers

Where processing of personal data involves a transfer of personal data outside the European Economic Area (EEA), the parties rely on the following transfer mechanisms under Commission Decision 2021/914 of 4 June 2021 ("C2021/914"):

  • Module 2 SCCs (Controller to Processor): For transfers from the Customer (acting as Controller) to Regulatory Signals (acting as Processor) where Regulatory Signals processes data on infrastructure outside the EEA, Module 2 of the SCCs (Commission Decision 2021/914) applies. The Customer, by accepting the Terms of Service, agrees to enter into Module 2 SCCs with Regulatory Signals.
  • Module 3 SCCs (Processor to Sub-processor): For onward transfers from Regulatory Signals (acting as Processor) to US-based Sub-processors (Anthropic, Cloudflare, Resend / Forward Email, Upstash, Sentry), Module 3 of the SCCs (Commission Decision 2021/914) applies, incorporated by reference into each Sub-processor agreement.
  • No transfer — EEA hosting: Processing performed by Railway on its EU infrastructure (europe-west4, Netherlands) does not constitute a restricted transfer outside the EEA and requires no additional transfer mechanism.

The Controller may request a copy of the applicable SCC execution documents by emailing [email protected].

10. Data Subject Rights Assistance (GDPR Art. 28(3)(e))

The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject rights requests under GDPR Art. 15–22, including:

  • Right of access (Art. 15): The Processor shall provide the Controller with access to personal data it holds on the Data Subject upon written request, within 30 days.
  • Right to erasure (Art. 17): The Processor shall delete personal data relating to an identified Data Subject from its systems upon verified written instruction from the Controller, within 30 days, subject to any legal retention obligations.
  • Right to data portability (Art. 20): The Processor shall export personal data in a structured, machine-readable format (JSON) upon request, accessible via the platform's account settings or the data export API endpoint.
  • Right to object (Art. 21): Where a Data Subject objects to processing based on legitimate interests, the Processor shall assist the Controller in assessing the objection and, where upheld, cease the relevant processing within a reasonable timeframe.
  • Other rights: The Processor shall notify the Controller without undue delay of any Data Subject rights request received directly by the Processor, and shall cooperate with the Controller in fulfilling any rights requests under GDPR Art. 16 (rectification), Art. 18 (restriction), and Art. 19 (notification obligation).

Data Subject rights requests should be directed to the Controller in the first instance. Where the Processor receives a direct request, it will redirect the Data Subject to the Controller.

11. Term, Termination, and Data Return/Deletion (GDPR Art. 28(3)(g))

Term: This DPA remains in force for the duration of the subscription term described in Section 2.

Termination: This DPA terminates automatically upon expiry or cancellation of the Customer's subscription or upon termination of the Terms of Service.

Data return and deletion (Art. 28(3)(g)): Upon termination:

  • The Processor shall, at the Controller's choice, either return all personal data to the Controller in a structured, machine-readable format (JSON export available via the platform settings) or securely delete all personal data.
  • Deletion or return shall be completed within 30 days of termination.
  • Upon request, the Processor shall provide written confirmation that deletion has been completed.
  • The Processor shall delete copies held by Sub-processors to the extent technically possible and contractually required under Sub-processor agreements.
  • Notwithstanding the foregoing, the Processor may retain personal data where required by applicable Union or Member State law (e.g., tax records for up to 7 years under Irish law). Any such retained data shall remain subject to the confidentiality obligations of this DPA.

12. Liability and Indemnification

Liability cap: Subject to applicable law, each party's total aggregate liability to the other under or in connection with this DPA, whether arising in contract, tort (including negligence), or otherwise, shall not exceed the total fees paid or payable by the Controller to the Processor in the twelve (12) months immediately preceding the event giving rise to the liability ("Liability Cap").

Exclusions from cap: The Liability Cap does not apply to liability arising from:

  • Breach of the confidentiality obligations in Section 5(b);
  • Liability to Data Subjects for infringement of their rights under GDPR Chapter III (including but not limited to Arts. 15–22); or
  • Any liability that cannot be limited or excluded by applicable law.

Indemnification: Each party shall indemnify the other against all claims, losses, damages, and costs (including reasonable legal fees) arising out of or in connection with that party's own breach of this DPA or applicable data protection law.

13. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of Ireland, consistent with the governing law provision of the Terms of Service. Any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Ireland, subject to any mandatory rights the Controller may hold under the law of its country of establishment or habitual residence.

EU/EEA Controllers: Ireland is an EU Member State, so the GDPR applies directly and the rights it confers cannot be waived by this DPA. GDPR Art. 79 grants Data Subjects the right to bring proceedings before the courts of the Member State in which the Controller or Processor has an establishment or, alternatively, the Member State of the Data Subject's habitual residence.

Supervisory Authority: Nothing in this DPA prevents the Controller or any Data Subject from lodging a complaint with the relevant Supervisory Authority (Ireland: Data Protection Commission, www.dataprotection.ie).

14. Effective Date and Amendments

Effective date: This DPA becomes effective on the date the Customer accepts the Terms of Service (i.e., the date of Customer acceptance). It is not backdated.

Amendments: The Processor reserves the right to amend this DPA to reflect changes in applicable data protection law, regulatory guidance, or the Processor's processing activities. Where amendments are material, the Processor shall provide at least 30 days' prior notice by:

  • Updating this page at regulatorysignals.com/dpa; and
  • Notifying the Controller by email (where the Controller has provided an email address).

Continued use of the platform after the effective date of any amendment constitutes acceptance of the revised DPA. If the Controller objects to a material amendment, it may terminate its subscription before the amendment's effective date without penalty for the unexpired period.

15. Contact

For all matters relating to this DPA, including audit requests, sub-processor change notifications, data return requests, and general data protection enquiries:

Data protection contact: [email protected]

General support: [email protected]

Postal address: Unit 80, Cherry Orchard Industrial Estate, Dublin 10, D10 NX96, Ireland

Related legal documents:

  • Privacy Policy — how we collect and use personal data as a Controller when you visit the website.
  • Terms of Service — the contract governing your use of the platform.
  • Security — technical and organisational security measures overview.

Legal Reminder: This Data Processing Agreement is provided as an informational and contractual reference. Regulatory Signals provides informational compliance tools and does not guarantee legal accuracy or compliance. Controllers should consult qualified legal counsel for advice specific to their situation and jurisdiction.