Last Updated: March 5, 2026
Effective Date: March 5, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller") and ComplianceKit ("Processor") and is required under GDPR Article 28 for any relationship where a processor handles personal data on behalf of a controller.
In this DPA, the following terms have the meanings given below:
Data Controller
The ComplianceKit customer who has accepted these terms upon registration. Contact details are those provided in your ComplianceKit account.
Data Processor
Nyrvex Digital (Pty) Ltd, trading as ComplianceKit
Email: legal@compliancekit.tech
Postal address available on request via the contact email
This DPA governs the processing of Personal Data by ComplianceKit (Processor) on behalf of the customer (Controller) in connection with the provision of the Services.
This DPA commences on the date the Controller accepts it (upon account registration) and continues for as long as the Processor processes Personal Data on behalf of the Controller, unless terminated earlier in accordance with the Terms of Service.
ComplianceKit processes Personal Data for the following purposes:
The following categories of Personal Data may be processed under this DPA:
Note: ComplianceKit does not process any special category data (Article 9 GDPR) unless you explicitly provide such data in DSAR descriptions or notes.
The Personal Data processed under this DPA relates to:
ComplianceKit, as Processor, agrees to:
Process Personal Data only on documented instructions from the Controller (as set out in this DPA and the Terms of Service), unless required to do so by law.
Ensure that personnel authorised to process Personal Data have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality.
Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
Not engage Sub-processors without prior specific or general written authorisation of the Controller. The Controller hereby provides general authorisation for the Sub-processors listed in Section 9 of this DPA. ComplianceKit will inform the Controller of any intended changes to Sub-processors with reasonable notice, giving the Controller the opportunity to object.
Assist the Controller (by appropriate technical and organisational measures) in fulfilling the Controller's obligation to respond to requests by Data Subjects exercising their rights under Chapter III GDPR, including rights of access, rectification, erasure, restriction, portability, and objection.
Assist the Controller in ensuring compliance with Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to the Processor. This includes notifying the Controller without undue delay after becoming aware of a Personal Data breach.
At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of Services, and delete existing copies, unless applicable law requires storage of the Personal Data.
Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits and inspections conducted by the Controller or another auditor mandated by the Controller, subject to reasonable notice and confidentiality obligations.
The Controller agrees to:
The Controller hereby authorises ComplianceKit to engage the following Sub-processors:
| Sub-processor | Purpose | Location | Transfer safeguard |
|---|---|---|---|
| Supabase / PostgreSQL | Database storage of consent records and DSAR submissions | EU (Ireland, eu-west-1) | EU-hosted (no third-country transfer). Supabase DPA incorporating EU SCCs (Modules 2 & 3, Commission Decision 2021/914). |
| Railway | Application hosting and compute | EU (Netherlands, europe-west4) | EU-hosted. Provider is US-incorporated; Railway DPA incorporating EU SCCs (Modules 2 & 3) covers any US support access. |
| Resend | Transactional email delivery (DSAR notifications) | United States | Resend DPA incorporating EU SCCs (Modules 2 & 3); Resend self-certifies under the EU-US Data Privacy Framework. |
| Sentry | Application error monitoring | United States | Sentry (Functional Software, Inc.) DPA incorporating EU SCCs (Modules 2 & 3); self-certifies under the EU-US Data Privacy Framework. |
| Anthropic | AI provider for policy generation and scan analysis (Claude Haiku) | United States | Anthropic DPA incorporating EU SCCs (Modules 2 & 3), auto-incorporated into Anthropic's Commercial Terms of Service. Prompts contain business/website data only, not website-visitor personal data. |
ComplianceKit will provide at least 14 days' notice before adding or replacing Sub-processors. Notice will be provided by email to the address registered on your account.
Independent controller (not a Sub-processor):Paddle.com Market Ltd (United Kingdom) acts as Merchant of Record for billing and payment processing. For payment, tax and invoicing data Paddle acts as an independent data controller under its own terms, not as ComplianceKit's Sub-processor. The United Kingdom benefits from an EU adequacy decision.
Personal Data is hosted within the European Economic Area (EEA): the database (Supabase, Ireland) and application hosting (Railway, Netherlands). The following Sub-processors may receive Personal Data in the United States, with the safeguards set out in Section 9:
Paddle (billing) operates from the United Kingdom as an independent controller; the United Kingdom benefits from an EU adequacy decision, so no SCCs are required for that transfer.
PENDING LEGAL REVIEW
In addition to GDPR, ComplianceKit (operated by NYRVEX DIGITAL (Pty) Ltd, South Africa) is a "responsible party" under the Protection of Personal Information Act 4 of 2013 ("POPIA"). Section 72 of POPIA restricts the transfer of personal information to a third party in a foreign country unless the recipient is subject to a law, binding corporate rules, or a binding agreement providing an adequate level of protection substantially similar to POPIA's conditions, including similar restrictions on onward transfer (or one of the other statutory grounds — data subject consent, contractual necessity, or data-subject benefit — applies).
ComplianceKit relies on the binding-agreement ground: each foreign Sub-processor listed in Section 9 is bound by a data processing agreement incorporating the EU Standard Contractual Clauses (or, for Paddle, the equivalent UK-approved addendum), which we consider to provide protection substantially similar to POPIA's conditions for lawful processing and onward transfer.
In the event of a Personal Data breach (Article 4(12) GDPR), ComplianceKit will notify the Controller without undue delay and, where feasible, not later than 72 hours after becoming aware. The notification will include, to the extent available:
The Controller is responsible for assessing whether the breach must be notified to the relevant supervisory authority and/or to affected Data Subjects.
ComplianceKit retains Personal Data for the duration of the active subscription. Retention periods for consent records are determined by the Controller's subscription plan:
Upon account deletion or termination of the Services, Personal Data will be deleted within 30 days, except where longer retention is required by law.
Each party shall be liable to the other for any damage caused by a breach of this DPA. ComplianceKit's total liability under this DPA is subject to the limitations set out in the Terms of Service.
Where both parties are responsible for damage caused by a breach of this DPA, they shall be held liable and each party may seek from the other party that part of the compensation corresponding to the part of the damage for which that party is responsible.
This DPA shall be governed by and construed in accordance with the laws applicable to the Terms of Service between the parties.
ComplianceKit may update this DPA from time to time to reflect changes in law, Sub-processors, or Services. We will notify Controllers of material changes at least 30 days in advance by email. Continued use of the Services after the effective date of any change constitutes acceptance.
Data Protection contact: legal@compliancekit.tech
Support: support@compliancekit.tech
Entity: Nyrvex Digital (Pty) Ltd (postal address available on request)
By accepting this DPA during registration, the Controller acknowledges that they have read, understood, and agree to be bound by its terms. Acceptance is recorded with a timestamp in the Controller's account record.