Data Processing Addendum
Effective: 2026-05-05 · Template pending legal review
This DPA supplements the Terms of Service. It documents how Complaix GmbH (data processor) handles personal data submitted by your organisation (data controller) under GDPR Art. 28.
Subject-matter, duration, nature and purpose
Subject: customer data you place in the Complaix platform. Duration: the subscription term. Nature: compliance workflow, document storage, notifications. Purpose: to provide the contracted service.
Categories of data subjects
Employees and contractors of the customer, plus any personal data the customer chooses to include in AI system records.
Sub-processors
Full versioned list at /subprocessors (with RSS feed for change notifications). Current sub-processors: Supabase (data hosting, EU West), Vercel (application hosting, EU), Brevo (transactional email, EU), Stripe (billing, EU + global for payments), Anthropic (AI document extraction, USA — SCCs + DPF), Sentry (error monitoring, EU region), Upstash (rate-limit Redis), BetterStack (status page + uptime monitoring). We notify you of additions at least 30 days in advance via the account’s admin email.
Security measures
Encryption at rest and in transit; RLS-enforced multi-tenancy; append-only audit log; SOC 2-aligned access controls. Full list on request.
Data subject requests
We provide self-service export (Art. 15 / 20) and deletion (Art. 17) at /settings/privacy. For additional assistance contact privacy@complaix.eu.
International transfers
Primary data storage is in the EU. Any third-country transfers rely on the European Commission’s Standard Contractual Clauses.
Audits
Customers may audit processing activities on reasonable notice, subject to confidentiality. The most recent penetration-testing report is available on request.