Data Processing Agreement

ConformAI EU Compliance Documentation

1. Introduction

This Data Processing Agreement (DPA) is entered into between ConformAI ("Data Processor") and the user/organization ("Data Controller"), and complements the Terms of Service. This DPA governs the processing of personal data in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation - GDPR).

2. Subject Matter and Duration

ConformAI processes personal data on behalf of the Data Controller for the purpose of providing the ConformAI platform and its services. The processing continues for the duration of the service agreement and thereafter only for legally required retention periods.

3. Nature and Purpose of Processing

ConformAI processes personal data including but not limited to:

• User account information (name, email, organization)
• AI system compliance data
• Usage and access logs
• System configuration and settings
• Communication records within the platform

The purpose is to provide AI Act compliance assessment, monitoring, and documentation services.

4. Categories of Personal Data

• Identification data (name, email, role)
• Organization data (company name, size, industry)
• System metadata related to AI implementations
• Device information and IP addresses (logging)
• Communication content within the platform

5. Data Subject Categories

The data subjects whose personal data are processed include:

• Users of the Data Controller who are employees or representatives
• Authorized access holders from the Data Controller's organization
• End users referenced in AI system assessments

6. Controller Obligations

The Data Controller shall:

• Only instruct ConformAI to process personal data for lawful purposes
• Ensure they have the legal right to provide personal data to ConformAI
• Notify ConformAI without undue delay of any data subject rights requests
• Ensure all data provided is accurate and necessary
• Implement appropriate security measures for data at rest within their infrastructure

8. Sub-processors

ConformAI currently processes data through the following third parties:

• Supabase - Authentication and data storage services
• Plausible Analytics - Analytics and usage tracking

The Data Controller is notified of any changes to sub-processors and has the right to object within 30 days.

9. Data Subject Rights

ConformAI will assist the Data Controller in fulfilling data subject rights requests within 10 business days, including:

• Right of access to their personal data
• Right to rectification of inaccurate data
• Right to erasure under GDPR Article 17
• Right to restrict processing
• Right to data portability
• Right to object to processing

10. Data Transfers

All data processing occurs within the EU/EEA region, compliant with GDPR Chapter 5 requirements. ConformAI does not transfer personal data to third countries without appropriate legal mechanisms.

11. Return or Deletion of Data

Upon termination of the service agreement, ConformAI will, at the Data Controller's choice:

• Return all personal data in a machine-readable format, or
• Delete all personal data unless legal obligations require retention

12. Assistance with Compliance

ConformAI will provide reasonable assistance to the Data Controller in meeting their GDPR obligations, including:

• Data Protection Impact Assessment (DPIA) information
• Information for privacy notices and communications
• Cooperation with data protection authorities

13. Audit and Inspection

ConformAI permits audits by the Data Controller or their authorized representatives upon reasonable notice to verify compliance with this DPA.

14. Contact and Questions

For questions about this Data Processing Agreement, please contact ConformAI's Data Protection team at [email protected].

Last Updated: March 2026