Data Processing Agreement
[Draft — final version pending legal review]
Last updated: April 2026
1. Parties
This Data Processing Agreement (“DPA”) is entered into between:
- Data Controller: The customer (“Controller”) who has subscribed to the Conflai platform.
- Data Processor: Conflai SL, a Spanish limited company (CIF B-XXXXXXXX), with registered office in Alicante, Spain (“Processor”).
2. Scope and Purpose
The Processor processes personal data on behalf of the Controller solely for the purpose of providing the Conflai compliance documentation, classification, and monitoring services as described in the Terms of Service.
3. Categories of Data
- User account data (name, email, role)
- AI system metadata (name, description, purpose, provider, modality)
- Classification outputs (risk category, reasoning, confidence scores)
- Compliance documentation drafts
- Audit log entries (user actions, timestamps, IP addresses)
4. Data Subjects
The data subjects are the Controller's employees, contractors, and authorised users who access the Conflai platform.
5. Sub-processors
The Processor uses the following sub-processors; the Location column states where each sub-processor stores or processes the Controller's data:
| Sub-processor | Purpose | Location |
|---|---|---|
| Neon (EU) | PostgreSQL database hosting | EU (Frankfurt) |
| Vercel | Web application hosting | EU region |
| Hetzner | Background workers and Redis | EU (Falkenstein/Nuremberg) |
| Anthropic | AI classification and document generation | API (data not retained for training) |
| Stripe | Payment processing | EU |
| Resend | Transactional email delivery | EU |
6. Security Measures
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Multi-tenant data isolation with tenant-scoped database queries
- Append-only audit logging of all data mutations
- Role-based access control (admin, editor, viewer)
- Magic-link authentication (no passwords stored)
- Rate limiting on authentication and API endpoints
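Three of the measures above (tenant-scoped queries, append-only audit logging and role-based access) are enforced at the data layer rather than by policy alone. The following is an added illustration of how those controls are typically enforced; it is not Conflai's code, and the table names, columns, roles and sample tenants are assumptions made for the example. Isolation comes from binding the caller's tenant id into every query predicate, the audit table is made append-only by database triggers, and write operations are gated by role before any statement runs.

```python
import sqlite3

# Added example, not Conflai's code. Schema, roles and tenant names are assumptions.
SCHEMA = """
CREATE TABLE ai_systems (
    id INTEGER PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    name TEXT NOT NULL,
    risk_category TEXT
);
CREATE TABLE audit_log (
    id INTEGER PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    actor TEXT NOT NULL,
    action TEXT NOT NULL,
    record_id INTEGER,
    ts TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now'))
);
-- Append-only: the database itself rejects UPDATE/DELETE on audit rows, so an
-- application bug or a compromised application role cannot rewrite history.
CREATE TRIGGER audit_log_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_log_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""

ROLE_CAN_WRITE = {"admin": True, "editor": True, "viewer": False}


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


class TenantSession:
    """All data access goes through this object, which binds the caller's tenant_id
    into every WHERE clause; a row from another tenant is never matched, whatever
    record id the caller supplies."""

    def __init__(self, conn, tenant_id, actor, role):
        if role not in ROLE_CAN_WRITE:
            raise ValueError(f"unknown role {role!r}")
        self.conn, self.tenant_id, self.actor, self.role = conn, tenant_id, actor, role

    def _audit(self, action, record_id):
        self.conn.execute(
            "INSERT INTO audit_log (tenant_id, actor, action, record_id) VALUES (?, ?, ?, ?)",
            (self.tenant_id, self.actor, action, record_id),
        )

    def _require_write(self):
        if not ROLE_CAN_WRITE[self.role]:
            raise PermissionError(f"role {self.role!r} is read-only")

    def list_systems(self):
        rows = self.conn.execute(
            "SELECT id, name, risk_category FROM ai_systems WHERE tenant_id = ? ORDER BY id",
            (self.tenant_id,),
        ).fetchall()
        return [{"id": i, "name": n, "risk_category": r} for i, n, r in rows]

    def create_system(self, name, risk_category):
        self._require_write()
        cur = self.conn.execute(
            "INSERT INTO ai_systems (tenant_id, name, risk_category) VALUES (?, ?, ?)",
            (self.tenant_id, name, risk_category),
        )
        self._audit("ai_system.create", cur.lastrowid)
        self.conn.commit()
        return cur.lastrowid

    def delete_system(self, system_id):
        self._require_write()
        # tenant_id in the predicate is the isolation control: a foreign id matches zero rows.
        cur = self.conn.execute(
            "DELETE FROM ai_systems WHERE id = ? AND tenant_id = ?", (system_id, self.tenant_id)
        )
        if cur.rowcount == 0:
            raise LookupError("no such system in this tenant")
        self._audit("ai_system.delete", system_id)
        self.conn.commit()


def audit_log_is_append_only(conn):
    """True if the database rejects both UPDATE and DELETE on audit_log."""
    for stmt in ("UPDATE audit_log SET action = 'tampered'", "DELETE FROM audit_log"):
        try:
            conn.execute(stmt)
            return False
        except sqlite3.DatabaseError:
            pass
    return True


def demo():
    conn = open_db()
    acme = TenantSession(conn, "tenant-acme", "alice@acme.example", "editor")
    beta = TenantSession(conn, "tenant-beta", "bob@beta.example", "admin")
    viewer = TenantSession(conn, "tenant-acme", "carol@acme.example", "viewer")
    sid = acme.create_system("Resume screener", "high")
    beta.create_system("Chat assistant", "limited")
    result = {"acme_sees": [s["name"] for s in acme.list_systems()],
              "beta_sees": [s["name"] for s in beta.list_systems()]}
    try:
        beta.delete_system(sid)  # valid id, but it belongs to the other tenant
        result["cross_tenant_delete"] = "allowed"
    except LookupError:
        result["cross_tenant_delete"] = "blocked"
    try:
        viewer.create_system("Scoring model", "minimal")
        result["viewer_write"] = "allowed"
    except PermissionError:
        result["viewer_write"] = "blocked"
    result["audit_rows"] = conn.execute("SELECT COUNT(*) FROM audit_log").fetchone()[0]
    result["audit_append_only"] = audit_log_is_append_only(conn)
    return result


if __name__ == "__main__":
    print(demo())
```

The point of routing every statement through the session object is that a caller cannot omit the tenant predicate: a cross-tenant delete by a guessed id simply matches no rows, and the blocked attempt leaves no audit row because the audit write is reached only after the mutation succeeds. In PostgreSQL the same isolation is usually enforced with row-level security policies keyed on a session variable, and the trigger-based append-only guard translates directly.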
7. Data Retention
Personal data is retained for the duration of the Controller's subscription. Upon termination, the Processor will delete all personal data within 30 days, except where retention is required by law (e.g., audit logs for regulatory compliance).
8. Data Subject Rights
The Processor assists the Controller in fulfilling data subject rights requests (access, rectification, erasure, portability, restriction, objection) under GDPR Articles 15-22. Requests should be directed to dpo@conflai.eu.
9. Breach Notification
The Processor will notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting the Controller's data. The 48-hour window runs from the time the Processor becomes aware of the breach; the Controller's own 72-hour deadline for notifying the supervisory authority under GDPR Article 33(1) runs from the time the Controller becomes aware.
10. Governing Law
This DPA is governed by Spanish law and the courts of Alicante shall have exclusive jurisdiction.
Contact
For DPA-related queries, contact dpo@conflai.eu.