Data Processing Agreement
Last updated: 16 June 2026 · Includes Annex III — Subprocessors
This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“Terms”) between ReguAlly — the trading name of Michał Mackiewicz, a natural person established in Poland, as identified in the Legal Notice (“ReguAlly”, “the Operator”, “Processor”, “we”) — and the customer agreeing to the Terms (“Customer”, “Controller”, “you”). It governs our processing of personal data contained in Customer Data on your behalf and on your instructions.
It is designed to satisfy Article 28 of Regulation (EU) 2016/679 (“GDPR”). Terms such as “controller”, “processor”, “personal data”, “processing”, “data subject”, “personal data breach” and “supervisory authority” have the meaning given in the GDPR.
For the avoidance of doubt: you are the controller of the compliance content you put into the Services; we are the processor. Our processing of website-visitor, account-admin and billing-contact data as a controller is governed instead by our Privacy Policy, not by this DPA.
1. Roles and scope
1.1 We process personal data within Customer Data only as a processor, for the purpose of providing the Services, in accordance with this DPA and your documented instructions.
1.2 The Terms, including your use and configuration of the Services, constitute your complete and documented instructions. Additional or different instructions must be agreed in writing and may be subject to fees if they require changes to the Services.
1.3 We will inform you if, in our opinion, an instruction infringes the GDPR or other EU/Member-State data-protection law (Art. 28(3) GDPR), without obligation to provide a legal review of your instructions.
2. Our obligations as processor
We will process Customer Data only on your documented instructions (including as to transfers), unless EU or Member-State law requires otherwise, in which case we will inform you of that requirement before processing, unless the law prohibits it. We will ensure that the personnel we authorise to process Customer Data are bound by an appropriate duty of confidentiality, and we will implement and maintain the technical and organisational security measures set out in Annex II.
Taking into account the nature of the processing and the information available to us, we will provide you with reasonable assistance to: respond to requests from data subjects exercising their rights; meet your own obligations in relation to security, personal-data-breach notification, data-protection impact assessments and prior consultation with a supervisory authority; and demonstrate compliance with Article 28. We will engage sub-processors only in accordance with clause 3, handle transfers only in accordance with clause 4, return or delete Customer Data in accordance with clause 8, and make audits possible in accordance with clause 7.
3. Subprocessors
3.1 General authorisation. You provide a general written authorisation for us to engage subprocessors to process Customer Data, subject to this clause (Art. 28(2) and (4) GDPR).
3.2 Current subprocessors. The subprocessors we currently engage are listed in Annex III.
3.3 Flow-down. We impose on each subprocessor, by written contract, data-protection obligations equivalent to those in this DPA, in particular sufficient guarantees to implement appropriate technical and organisational measures (Art. 28(4) GDPR). We remain fully liable to you for a subprocessor’s performance of its obligations.
3.4 Changes and objection. We will give you at least 30 days’ prior notice of any intended addition or replacement of a subprocessor (for example by updating Annex III and notifying account admins by email, or via an opt-in change feed). You may object on reasonable data-protection grounds within 14 days of notice. If we cannot reasonably accommodate the objection, you may terminate the affected Services for a pro-rata refund of prepaid fees as your sole remedy.
4. International transfers and Standard Contractual Clauses
4.1 No transfer at the Customer↔ReguAlly layer. ReguAlly is established in Poland (EEA). Where you are also established in the EEA, your provision of Customer Data to us is not a transfer to a third country and no transfer mechanism is required for that relationship. Where you are established outside the EEA and EU GDPR applies, the EU Standard Contractual Clauses, Module Four (processor to controller) or, where you act as a processor for your own controller, the module appropriate to that relationship, apply between us, with you as data importer or exporter as applicable.
4.2 Onward transfers to subprocessors. Some subprocessors listed in Annex III are established outside the EEA. For those onward transfers we ensure an appropriate Chapter V safeguard: the EU–US Data Privacy Framework where the recipient is certified, and/or the EU Standard Contractual Clauses (the clauses annexed to Commission Implementing Decision (EU) 2021/914, the “SCCs”), applying Module Three (processor to processor), together with supplementary technical and organisational measures where our transfer assessment indicates they are needed. The mechanism applicable to each subprocessor is shown in Annex III. For transfers subject to UK or Swiss law, the UK International Data Transfer Addendum or the Swiss addendum to the SCCs applies respectively.
4.3 Incorporation and mandate. The SCCs are incorporated into this DPA by reference and are deemed completed as follows: the data-exporter and data-importer details are as stated in the Terms, this DPA and Annex III; the optional docking clause (Clause 7) applies; Clause 9 applies in Option 2 (general written authorisation), consistent with the general authorisation given in clause 3 of this DPA; the governing law and forum (Clauses 17 and 18) are those of Poland; and Annexes I, II and III to the SCCs are populated by Annex I (Details of processing), Annex II (Technical and organisational measures) and Annex III (Subprocessors) of this DPA. You instruct and authorise us to enter into the SCCs (and any UK/Swiss addendum) with each relevant subprocessor on your behalf, and to agree the operational options above. If you require the SCCs to be executed directly between you and us (for example because you are a non-EEA exporter), we will do so on request.
4.4 Precedence and successor mechanisms. If and to the extent the SCCs conflict with this DPA, the SCCs prevail. If the Data Privacy Framework or the SCCs are invalidated or replaced, or a new valid transfer mechanism becomes available, we may adopt that alternative mechanism on notice to you, and it will apply from the date stated in the notice.
5. Personal data breach
We will notify you without undue delay, and in any case within 72 hours, after becoming aware of a personal data breach affecting Customer Data, and will provide the information reasonably available to help you meet your own obligations under Art. 33 and 34 GDPR. We will take reasonable steps to contain and remediate the breach. Our notification is not an acknowledgement of fault.
6. Assistance and records
6.1 We will provide reasonable assistance with your data-protection impact assessments and prior consultations with supervisory authorities where the processing relates to the Services (Art. 35–36 GDPR).
6.2 We maintain records of processing carried out on your behalf to the extent required by Art. 30(2) GDPR.
7. Audits
7.1 We will make available the information necessary to demonstrate compliance with Art. 28 GDPR, including up-to-date third-party certifications or audit reports where we hold them.
7.2 Where that information is insufficient, you may audit our processing no more than once in any 12-month period, and additionally following a personal data breach affecting Customer Data, on 30 days’ written notice, during business hours, without unreasonable disruption and subject to confidentiality. Audits may be performed by you or by an independent auditor who is not our competitor. Each party bears its own costs unless the audit reveals a material breach of this DPA by us.
8. Deletion and return
On termination or expiry, and following any export window in the Terms, we will at your choice delete or return Customer Data and delete existing copies, unless EU/Member-State law requires continued storage. Backups are deleted on their normal rotation cycle.
9. Liability and precedence
9.1 Each party’s liability under this DPA is subject to the limitations and exclusions in the Terms (clause 11).
9.2 In the event of a conflict between this DPA and the Terms on a data-protection matter, this DPA prevails. Where the Standard Contractual Clauses apply and conflict with this DPA, the Clauses prevail.
10. Term
This DPA takes effect when you accept the Terms and continues for as long as we process Customer Data on your behalf.
Annex I — Details of processing
Roles: Customer = controller; ReguAlly = processor.
Subject matter: provision of the ReguAlly compliance platform and AI Features.
Duration: for the term of the Services plus any export/retention period in the Terms and this DPA.
Nature and purpose: hosting, storage, organisation, retrieval, analysis, AI-assisted generation, and display of Customer Data to provide compliance mapping, gap analysis, document generation and action planning; plus support and security.
Types of personal data (as determined by what Customer chooses to input):
- Identity and contact details of the Customer’s personnel and, where the Customer inputs them, of the Customer’s own data subjects (e.g. names, roles, business contact details);
- Organisational and processing-activity details that may contain personal data (e.g. DPO contact, names within uploaded documents, descriptions of data flows);
- Any other personal data the Customer chooses to include in inputs or uploaded documents.
The Customer controls what it inputs and is responsible for not submitting unnecessary or excessive personal data, in particular special-category data (Art. 9) beyond what the Service requires.
Categories of data subjects: the Customer’s staff and Authorised Users; and any individuals referenced in content the Customer inputs (e.g. employees, contacts, representatives).
Special categories: processed only if and to the extent the Customer chooses to input them; the Customer is responsible for the lawful basis and conditions under Art. 9.
Annex II — Technical and organisational measures (Art. 32)
We maintain, and require subprocessors to maintain, measures appropriate to the risk, including:
- Encryption: TLS for data in transit; encryption at rest for stored data.
- Access control: role-based access on least-privilege principles; unique accounts; strong authentication for administrative access; logging of access to production systems.
- Tenant isolation: logical separation of Customer Data between tenants.
- Network security: firewalling, segmentation, and restricted production access.
- Secure development: code review, dependency management, and change control.
- Resilience: backups and the ability to restore availability after an incident.
- Monitoring and incident response: logging, alerting and a documented incident-response process feeding the breach-notification obligation in clause 5.
- Personnel: confidentiality obligations and security awareness.
- Data minimisation by design: defaults and placeholders that avoid collecting unnecessary personal data; AI processing that does not train models on Customer Data.
- Hosting region: primary storage and database hosting in the EU/EEA.
Annex III — Subprocessors
The following subprocessors process Customer Data to provide the Services. Roles, locations and transfer mechanisms below are stated to our knowledge and will be updated on any material change (see clause 3.4).
| Subprocessor | Service | Personal data processed | Location | Transfer safeguard |
|---|---|---|---|---|
| Supabase, Inc. | Database, authentication and file storage (primary data store) | All Customer Data stored in the platform | EU/EEA region | EU hosting; SCCs / EU–US DPF for any non-EEA support access |
| Vercel, Inc. | Application hosting, serverless functions and content delivery | Data in transit, request/usage logs | EU edge/functions | EU–US DPF and/or SCCs |
| Anthropic, PBC (Claude API) | AI model processing | Customer Data submitted to the AI generator at time of generation | US (direct Anthropic API has no EU-region option as of 2026) | SCCs |
| Google LLC / Google Ireland Ltd (Gemini API / Vertex AI) | AI model processing | Text from Customer Data sent for embedding at index/query time | EU (Vertex AI EU endpoint) | EU–US DPF and/or SCCs |
| Resend, Inc. | Transactional email (account, notifications, reminders) | Recipient name, email address, message content | EU (eu-west-1) | EU–US DPF and/or SCCs |
| PostHog, Inc. (EU Cloud) | Product and website analytics | Pseudonymous usage events; cookieless on the public website | EU (Frankfurt) | EU hosting — no transfer for EU-stored data |
| Lemon Squeezy, LLC (a Stripe company) — Merchant of Record | Payment processing, billing, invoicing, tax handling, fraud prevention | Billing name, email, address, tax ID, payment metadata | US | EU–US DPF and/or SCCs. Note: as Merchant of Record, Lemon Squeezy/Stripe also acts as an independent controller for payment, tax and fraud purposes under its own DPA and privacy notice. |
Not a subprocessor — self-hosted infrastructure. Our workflow automation is self-hosted on our own infrastructure. It is not a third-party subprocessor; the providers of the underlying hosting are covered above to the extent Customer Data is processed there.