This Data Processing Agreement ("DPA") forms part of the Terms of Service (the "Agreement") between VISTE FORGE SRL ("Processor") and the entity that accepted the Agreement ("Controller", "Customer", "you"). This DPA applies to the extent that Complair processes Personal Data on behalf of the Customer in the course of providing the Service.
1. Definitions
- "Customer Data" — personal data that the Customer or its Authorised Users upload, enter, or generate in the Service, including AI-system inventory entries, checklist items, documents, vendor questionnaire responses, assistant conversations, and audit logs.
- "Personal Data", "Data Subject", "Processing", "Controller", "Processor", "Subprocessor", "Supervisory Authority", and "Personal Data Breach" have the meanings given in the GDPR (Regulation (EU) 2016/679).
- "SCCs" — the Standard Contractual Clauses adopted by the European Commission (Implementing Decision (EU) 2021/914), as may be amended or replaced.
- "Service" — the Complair compliance workspace as described in the Agreement.
2. Scope & roles
The Customer is the Controller of the Customer Data. Complair is the Processor. Complair processes Customer Data solely to provide the Service and as further described in this DPA.
For personal data collected directly by Complair (account registration data, billing data, technical logs), Complair acts as an independent Controller. That processing is governed by our Privacy Policy.
3. Processing instructions
- Complair processes Customer Data only on the Customer's documented instructions, as set out in this DPA and the Agreement.
- If Complair believes an instruction infringes the GDPR or other applicable data-protection law, it will promptly inform the Customer.
- The Customer may issue reasonable additional instructions consistent with the Agreement by emailing privacy@complair.eu.
- Complair does not use Customer Data for its own purposes — including training machine-learning models — unless expressly instructed by the Customer.
4. Details of processing
| Item | Details |
|---|---|
| Subject matter | Provision of the Complair compliance workspace: AI-system inventory, risk classification, checklist management, document generation, vendor assessments, and the compliance assistant. |
| Duration | For the term of the Agreement, plus the post-termination retention period described in section 11. |
| Nature & purpose | Storage, retrieval, display, AI-assisted analysis (via Anthropic Claude API), PDF/Excel generation, email delivery, and structured export of Customer Data. |
| Categories of data | AI-system descriptions, risk classifications, compliance checklist entries, generated documents, vendor questionnaire responses, assistant conversation logs, audit trail entries, user names, email addresses, and workspace roles. |
| Data subjects | Customer's employees, contractors, and authorised users of the Service; third-party vendor contacts (where added by the Customer for vendor assessments). |
5. Security measures
Complair implements and maintains appropriate technical and organisational measures to protect Customer Data, including:
- Encryption — TLS 1.2+ in transit; AES-256 at rest (database, backups, object storage).
- Authentication — Bcrypt-hashed passwords; session tokens scoped to the workspace.
- Access control — Role-based access (Pundit policies); tenant-scoped controllers and selected model-level tenant guards via acts_as_tenant; least-privilege access for Complair personnel.
- Infrastructure — Hosted on Hetzner in Frankfurt, Germany (EU). Servers hardened, firewalled, and patched regularly.
- Backups — Daily encrypted backups with tested restore procedures; rotated out of cold storage within 35 days.
- Monitoring — Centralised logging, anomaly alerts, dependency scanning, and error monitoring (Sentry, EU).
- Personnel — Background checks, confidentiality agreements, annual security-awareness training for all staff with access to Customer Data.
A more detailed description of our security posture is available on our Security page.
6. Subprocessors
The Customer authorises Complair to engage the subprocessors listed below. Each subprocessor is bound by a written data-processing agreement imposing obligations no less protective than this DPA.
| Subprocessor | Purpose | Data processed | Location |
|---|---|---|---|
| Anthropic, PBC | Claude API — AI-assisted classification, assistant answers, document generation | Prompt content (AI system descriptions, user queries) | United States (SCCs + supplementary measures) |
| Stripe Payments Europe Ltd. | Subscription billing, payment processing, invoicing | Billing contact details, subscription metadata | Ireland (EU) |
| Hetzner Online GmbH | Application hosting, PostgreSQL database, encrypted backups | All Customer Data at rest | Germany (EU) |
| Resend (Resend, Inc.) | Transactional email delivery (invitations, password resets, notifications) | Recipient email addresses, email content | United States (SCCs) |
| Sentry | Application error monitoring (personal data minimised and scrubbed) | Anonymised error traces, IP addresses (truncated) | European Union |
Changes to subprocessors
- Complair will notify the Customer at least 30 days before adding or replacing a subprocessor, via email to the workspace owner's address.
- If the Customer objects on reasonable data-protection grounds, the parties will work in good faith to find an alternative. If no resolution is possible within 30 days, the Customer may terminate the affected Service component without penalty.
- Complair remains fully liable for acts and omissions of its subprocessors as if they were its own.
7. International transfers
Customer Data is stored in Frankfurt, Germany (EU). Where a subprocessor is located outside the EEA (see section 6), Complair ensures an adequate transfer mechanism is in place:
- Standard Contractual Clauses (Module 3: processor-to-subprocessor) as adopted by the European Commission.
- Supplementary measures — encryption in transit and at rest, data minimisation, contractual restrictions on government access, and transfer impact assessments.
Copies of the executed SCCs are available on request at privacy@complair.eu.
8. Assistance to the Controller
Taking into account the nature of the processing, Complair will assist the Customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Customer's obligations to:
- Respond to Data Subject access, rectification, erasure, portability, restriction, and objection requests (Articles 15–22 GDPR).
- Conduct data-protection impact assessments and prior consultations where required (Articles 35–36 GDPR).
- Comply with obligations regarding the security of processing (Article 32 GDPR).
- Notify Personal Data Breaches (Articles 33–34 GDPR).
Where assistance requires substantial effort beyond routine support, Complair may charge reasonable costs at its then-current professional services rates, agreed in advance.
9. Audits & inspections
- Complair will make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or a mandated auditor.
- Audits will be conducted with reasonable prior notice (at least 30 days), during normal business hours, no more than once per year, and subject to reasonable confidentiality obligations.
- Where Complair holds current SOC 2 Type II, ISO 27001, or equivalent certifications, it may offer those reports as an alternative to an on-site audit. The Customer may accept them at its discretion.
10. Data breach notification
- Complair will notify the Customer without undue delay and in any event within 48 hours of becoming aware of a Personal Data Breach affecting Customer Data.
- The notification will include, to the extent available:
- Nature of the breach, including categories and approximate number of Data Subjects and records affected.
- Likely consequences of the breach.
- Measures taken or proposed to address the breach and mitigate its effects.
- Contact point for further information.
- Complair will cooperate with the Customer to investigate, remediate, and fulfil any notification obligations to supervisory authorities or Data Subjects. Complair's lead supervisory authority is the Romanian National Supervisory Authority for Personal Data Processing (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal — ANSPDCP), reachable at dataprotection.ro; cross-border notifications follow the one-stop-shop mechanism under GDPR Article 56.
11. Deletion & return of data
- During the subscription, the Customer may export their data at any time via the Service's built-in export features (PDF, Excel, JSON).
- Upon termination of the Agreement, Complair will retain Customer Data for 30 days to allow final export, then permanently delete it from all production systems.
- Encrypted backups containing Customer Data are rotated out of cold storage within 35 days of deletion from production.
- Where retention is required by applicable law (e.g. invoices under Romanian accounting law — Law 82/1991), the relevant data will be isolated and protected, and deleted once the retention period expires.
12. Liability
Each party's total aggregate liability arising out of or related to this DPA is subject to the limitations of liability set out in the Agreement. This DPA does not limit either party's liability for breaches of its confidentiality obligations or for wilful misconduct.
13. Term & termination
This DPA commences on the date the Customer accepts the Agreement and remains in effect for as long as Complair processes Customer Data. Sections that by their nature should survive (definitions, deletion, liability, confidentiality) survive termination.
14. Contact
Questions about this DPA, requests for a countersigned copy, or data-protection inquiries:
15. Signing
This DPA is incorporated into and forms part of the Agreement. By accepting the Agreement, the Customer accepts this DPA without requiring a separate countersignature. Customers needing a countersigned copy on Processor letterhead may request one at legal@complair.eu and we will return it within 10 business days.
Signed for and on behalf of the Processor: