About this DPA: This Data Processing Agreement forms part of the Terms of Service between DORA GRC and its customers. It governs the processing of personal data in accordance with the EU General Data Protection Regulation (EU 2016/679) and the Norwegian Personal Data Act (Personopplysningsloven).
1. Parties and context
This Data Processing Agreement ("DPA") is entered into between:
- Controller: The Customer (the entity subscribing to the DORA GRC Platform), acting as data controller.
- Processor: DORA GRC, acting as data processor on behalf of the Controller.
This DPA supplements and forms part of the Terms of Service. In case of conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.
2. Definitions
Terms used in this DPA have the meanings given in GDPR Article 4. Additionally:
- "Personal Data" means any data processed through the Platform that relates to an identified or identifiable natural person, including names, email addresses, user activity logs, and any personal data contained within Customer Data.
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, modification, transmission, erasure, or destruction.
- "Sub-processor" means a third party engaged by the Processor to assist in Processing Personal Data on behalf of the Controller.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
3. Scope and purpose of processing
The Processor shall process Personal Data solely for the purpose of providing the DORA GRC Platform to the Controller, as described in Annex A and in accordance with the Controller's documented instructions.
The Processor shall not process Personal Data for any purpose other than as instructed by the Controller, unless required by EU or Member State law to which the Processor is subject. In such case, the Processor shall inform the Controller of that legal requirement before Processing, unless the law prohibits such notification.
4. Obligations of the Processor
The Processor shall:
- 4.1 Process Personal Data only on documented instructions from the Controller, including with regard to transfers outside the EU/EEA (Article 28(3)(a)).
- 4.2 Ensure that persons authorised to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality (Article 28(3)(b)).
- 4.3 Implement and maintain the technical and organisational measures described in Annex C to ensure a level of security appropriate to the risk (Article 28(3)(c), Article 32).
- 4.4 Not engage another processor (sub-processor) without prior specific or general written authorisation of the Controller (Article 28(2)), as described in Section 6.
- 4.5 Assist the Controller in responding to data subject requests, as described in Section 9 (Article 28(3)(e)).
- 4.6 Assist the Controller in ensuring compliance with the obligations under Articles 32–36 of GDPR, taking into account the nature of processing and the information available to the Processor (Article 28(3)(f)).
- 4.7 At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, as described in Section 13 (Article 28(3)(g)).
- 4.8 Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28, and allow for and contribute to audits, as described in Section 12 (Article 28(3)(h)).
- 4.9 Immediately inform the Controller if, in its opinion, an instruction from the Controller infringes GDPR or other applicable data protection provisions.
5. Obligations of the Controller
The Controller shall:
- 5.1 Ensure that it has a lawful basis under GDPR for the processing of Personal Data through the Platform.
- 5.2 Provide the Processor with documented instructions regarding the processing of Personal Data.
- 5.3 Ensure that data subjects have been informed about the processing, including the identity of the Processor, in accordance with Articles 13 and 14 of GDPR.
- 5.4 Be responsible for the accuracy, quality, and legality of Personal Data provided to the Processor.
6. Sub-processors
6.1 General authorisation
The Controller grants the Processor general written authorisation to engage Sub-processors as listed in Annex B. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object to such changes.
6.2 Notification of changes
The Processor shall notify the Controller at least 30 days in advance before engaging a new Sub-processor or replacing an existing one. Notification will be sent to the Controller's registered administrator email address.
6.3 Objection right
If the Controller objects to a new Sub-processor on reasonable grounds relating to data protection, the parties shall discuss the matter in good faith. If agreement cannot be reached, the Controller may terminate the affected services without penalty.
6.4 Sub-processor obligations
The Processor shall impose on each Sub-processor data protection obligations no less protective than those in this DPA. The Processor remains fully liable to the Controller for the performance of its Sub-processors' obligations.
7. International transfers
The Processor stores all Customer Data within the EU/EEA (Cloudflare EU infrastructure). Where a Sub-processor is located outside the EU/EEA, the Processor shall ensure that appropriate transfer mechanisms are in place, including:
- EU Standard Contractual Clauses (SCCs) adopted pursuant to Commission Implementing Decision (EU) 2021/914
- Adequacy decisions under Article 45 of GDPR, where applicable
A list of Sub-processors and their locations is provided in Annex B.
8. Technical and organisational measures
The Processor implements and maintains the technical and organisational measures described in Annex C to protect Personal Data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures are designed to provide a level of security appropriate to the risks presented by the Processing.
The Processor shall regularly review and update these measures to reflect changes in technology, applicable law, and the nature of the data processed.
9. Data subject rights
The Processor shall assist the Controller in fulfilling its obligations to respond to requests from data subjects exercising their rights under GDPR Chapter III, including:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
The Platform provides built-in data export functionality (JSON, CSV) that the Controller can use to fulfil access and portability requests. The Processor shall respond to Controller's assistance requests within 10 business days.
10. Data breach notification
In the event of a Data Breach, the Processor shall:
- 10.1 Notify the Controller without undue delay, and in any event within 36 hours of becoming aware of the breach. GDPR Article 33(2) only requires a processor to notify the controller "without undue delay"; the 36-hour commitment is intended to leave the Controller time, within its own 72-hour window under Article 33(1), to assess the breach and notify its supervisory authority.
- 10.2 Provide the Controller with sufficient information to enable the Controller to meet any obligations to report the breach to supervisory authorities or data subjects under Articles 33 and 34 of GDPR, including:
- The nature of the breach, including categories and approximate number of data subjects affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach, including mitigation
- The name and contact details of the Processor's point of contact
- 10.3 Take immediate steps to contain and remediate the breach.
- 10.4 Cooperate with the Controller's investigation and provide updates as new information becomes available.
11. Data protection impact assessments
The Processor shall provide reasonable assistance to the Controller with data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, where required under Articles 35 and 36 of GDPR, taking into account the nature of the processing and the information available to the Processor.
12. Audit rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations in this DPA and Article 28 of GDPR.
The Controller (or an independent third-party auditor appointed by the Controller) may conduct audits of the Processor's processing activities, subject to the following conditions:
- The Controller shall provide at least 30 days' written notice of any audit
- Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's operations
- The Controller shall bear the costs of any audit, unless the audit reveals a material breach by the Processor
- Audits shall be limited to once per 12-month period, unless required by a supervisory authority or following a Data Breach
13. Return and deletion of data
Upon termination of the Terms of Service or upon the Controller's written request:
- 13.1 The Processor shall make all Customer Data (including Personal Data) available for export in standard machine-readable formats (JSON, CSV) for a period of 30 days.
- 13.2 After the 30-day export period, the Processor shall securely delete all Personal Data from active systems within 90 days, using methods that render the data irrecoverable.
- 13.3 The Processor may retain Personal Data beyond the deletion deadline only where required by applicable law (e.g., audit trail retention under DORA Article 18). Such retained data shall continue to be protected under this DPA.
- 13.4 Upon request, the Processor shall provide written certification that deletion has been completed.
14. Term and termination
This DPA shall remain in effect for the duration of the Terms of Service and shall automatically terminate when the Terms of Service terminate, subject to the data deletion obligations in Section 13.
Obligations that by their nature should survive termination (including confidentiality, data deletion, and audit rights) shall survive the termination of this DPA.
Annex A: Processing details
| Detail | Description |
| --- | --- |
| Subject matter | Provision of the DORA GRC compliance management platform |
| Duration | Duration of the Terms of Service, plus the data deletion period |
| Nature and purpose | Storage, retrieval, display, and export of compliance data entered by the Controller's Authorised Users. AI-assisted analysis of compliance documents (optional, Controller-initiated). Audit trail generation and retention. |
| Categories of data subjects | Controller's employees, contractors, and agents who use the Platform (Authorised Users). Third-party individuals whose names may appear in compliance records (e.g., vendor contacts, incident reporters). |
| Types of personal data | Full name, email address, job title/role, user activity logs (timestamps, IP addresses, actions performed), any personal data voluntarily entered into compliance registers by the Controller. |
| Special categories | The Platform is not designed to process special categories of personal data (Article 9) or criminal conviction data (Article 10). The Controller must not upload such data unless appropriate safeguards are in place. |
Annex B: Sub-processors
The following Sub-processors are authorised as of the effective date of this DPA:
| Sub-processor | Purpose | Location | Transfer mechanism |
| --- | --- | --- | --- |
| Cloudflare, Inc. | Hosting (Pages, Workers, D1 database, R2 storage), CDN, DDoS protection, Workers AI | EU (primary), US (corporate) | EU SCCs, EU-US DPF |
| Resend, Inc. | Transactional email delivery (password resets, contact form notifications) | US | EU SCCs |
| Functional Software, Inc. (Sentry) | Error monitoring and performance tracking (PII stripped before transmission) | US | EU SCCs |
| Google LLC | Analytics (Google Analytics 4, consent-based only) | US | EU SCCs, EU-US DPF |
| Better Stack, Inc. | Uptime monitoring (public health endpoint only, no customer data) | EU | N/A (EU-based) |
| Microsoft Corporation | Entra ID (Azure AD) SSO authentication (optional, Controller-configured) | EU / US | EU SCCs, EU-US DPF |
Annex C: Technical and organisational measures
The Processor implements the following measures in accordance with Article 32 of GDPR:
C.1 Encryption
- All data in transit encrypted via TLS 1.3
- Sensitive fields (MFA secrets, webhook credentials) encrypted at rest with AES-256-GCM (authenticated encryption, so tampering with stored ciphertext is detected on decryption)
- Passwords hashed using PBKDF2-HMAC-SHA256 with 310,000 iterations and a unique per-user salt (the OWASP Password Storage Cheat Sheet figure; the Cheat Sheet now recommends 600,000 iterations for PBKDF2-HMAC-SHA256)
C.2 Access control
- Role-based access control (RBAC) with four roles: superadmin, admin, analyst, viewer
- 16 granular permission keys covering all DORA pillars and administrative functions
- Multi-factor authentication (TOTP-based) available for all users
- Microsoft Entra ID (Azure AD) single sign-on integration
- Session management: HttpOnly, Secure, SameSite=Strict cookies with idle and absolute timeouts
C.3 Input validation and application security
- Content Security Policy (CSP) headers on all pages
- HTTP Strict Transport Security (HSTS) with 63-day max-age
- X-Frame-Options: DENY to prevent clickjacking
- HTML sanitisation for all user-generated content (blog posts, comments)
- Rate limiting on authentication and public endpoints
- CORS allowlist-based access control
C.4 Integrity and availability
- SHA-256 hash verification on all uploaded files
- Automated database backups with point-in-time recovery
- Global CDN distribution via Cloudflare for availability and DDoS protection
- Uptime monitoring with alerting (Better Stack)
- Error monitoring with PII-stripping (Sentry)
C.5 Audit and accountability
- Timestamped, user-attributed audit trail for all data modifications
- Audit logs retained for a minimum of 5 years in accordance with DORA requirements
- Failed login attempt tracking with IP address and User-Agent logging
- HMAC-SHA256 authenticated heartbeat protocol for multi-tenant integrity
C.6 Data isolation
- Multi-tenant architecture with per-tenant database isolation
- Tenant-scoped API queries — no cross-tenant data access
- Feature flags enforced at tenant level
C.7 Personnel measures
- All personnel with access to production systems are bound by confidentiality obligations
- Principle of least privilege for infrastructure access
- Administrative access requires multi-factor authentication
15. Contact
For questions about this DPA or data protection matters, contact:
Legal review notice: This DPA is a standard template based on GDPR Article 28 requirements. We recommend that both parties have this reviewed by their respective legal counsel before execution. For the complete contractual framework, see also our Terms of Service and Privacy Policy.