Data Processing Agreement
Last updated: March 25, 2026
This DPA forms part of the OneComply Terms of Service and governs our processing of personal data on your behalf.
1. Controller and Processor
For the purposes of this DPA and in accordance with Article 28 of the GDPR:
- Controller: You (the "Customer") — the organization subscribing to OneComply.
- Processor: OneComply S.A., a company registered in Luxembourg ("Processor").
The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by Union or Member State law.
2. Purpose and Scope of Processing
The Processor processes personal data solely for the purpose of providing the OneComply compliance management platform, including:
- User account management and authentication
- Compliance framework tracking (DORA, ISO 27001, NIS2)
- Vendor risk management and due diligence
- Evidence and document storage
- Regulatory reporting and submission preparation
- Billing and subscription management
3. Categories of Personal Data
| Category | Data Types |
|---|---|
| User Data | Name, email address, role, organization membership, authentication logs |
| Organization Data | Company name, address, regulatory classification, LEI codes |
| Vendor Data | Vendor contact names, risk assessments, contractual information |
| Evidence Files | Uploaded documents which may contain personal data as determined by Controller |
| Billing Data | Billing email, subscription status (payment details handled solely by Stripe) |
4. Sub-processors
The Controller authorizes the Processor to engage the following sub-processors. The Processor will notify the Controller of any intended changes to this list with at least 30 days' notice.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database hosting, authentication, file storage | EU (Frankfurt) |
| Vercel Inc. | Application hosting and CDN | EU (Frankfurt) |
| Stripe Inc. | Payment processing and billing | EU (Dublin) |
| Resend Inc. | Transactional email delivery | US (EU data routing) |
5. Data Retention and Deletion
The Processor retains personal data for the duration of the service agreement. Upon termination:
- Active data: Soft-deleted immediately upon account closure request.
- Permanent deletion: All personal data held in production systems is permanently deleted within 30 days of account closure, unless retention is required by applicable law. Backups and audit logs follow the separate schedules below.
- Evidence files: Removed from storage within 30 days of the deletion request.
- Backups: Personal data is purged from backups within 90 days of account closure.
- Audit logs: Anonymized or deleted after 12 months.
The Controller may request data export at any time during the subscription period via the platform's export functionality.
6. Technical and Organizational Measures
The Processor implements the following measures in accordance with Article 32 of the GDPR:
| Measure | Implementation |
|---|---|
| Encryption at rest | AES-256 encryption for all stored data |
| Encryption in transit | TLS 1.3 for all data transmission |
| Access control | Role-based access with organization-scoped isolation |
| Authentication | Secure authentication with session timeout and progressive lockout |
| Monitoring | Continuous health monitoring and anomaly detection |
| Incident response | Documented incident response procedures with 72-hour notification |
| Backup and recovery | Daily automated backups with point-in-time recovery |
| Secure development | Security-first development lifecycle with code review |
7. Data Subject Rights
The Processor assists the Controller in fulfilling data subject requests under Articles 15–22 of the GDPR, including:
- Right of access (Art. 15) — Data export available through the platform
- Right to rectification (Art. 16) — Editable profile and organization data
- Right to erasure (Art. 17) — Account deletion with 30-day permanent purge
- Right to restriction (Art. 18) — Data processing can be suspended on request
- Right to data portability (Art. 20) — Standard format data export (JSON/CSV)
- Right to object (Art. 21) — Contact privacy@onecomply.eu
8. International Data Transfers
OneComply's infrastructure is hosted within the European Union. Where transfers of personal data to third countries are necessary (e.g., certain sub-processor services), the Processor ensures adequate protection through:
- EU Standard Contractual Clauses (SCCs) as per Commission Decision 2021/914
- EU-US Data Privacy Framework adequacy decision where applicable
- Binding Corporate Rules where available
- Data localization within EU region for all primary storage (Supabase EU, Vercel EU)
9. Personal Data Breach Notification
In accordance with Article 33(2) of the GDPR, the Processor shall:
- Notify the Controller without undue delay, and in any event no later than 72 hours after becoming aware of a personal data breach, so that the Controller can meet its own 72-hour deadline under Article 33(1).
- Provide sufficient information to enable the Controller to meet its obligations to report the breach to the supervisory authority.
- Cooperate with the Controller in investigating and remediating the breach.
- Maintain a record of all breaches, including their effects and remedial actions taken.
10. Audit Rights
The Controller has the right to conduct audits and inspections to verify the Processor's compliance with this DPA. The Processor shall:
- Make available all information necessary to demonstrate compliance
- Allow and contribute to audits, including on-site inspections, with reasonable notice
- Inform the Controller immediately if an instruction infringes GDPR or other EU data protection law
11. Term and Termination
This DPA is effective for the duration of the service agreement. Upon termination of the service, the Processor shall, at the choice of the Controller, return all personal data or delete all personal data and certify deletion, unless Union or Member State law requires storage of the personal data.
Contact
For questions about this DPA or to exercise data protection rights:
Data Protection Contact: privacy@onecomply.eu
OneComply S.A. — Registered in Luxembourg