Data Processing Agreement (DPA)
Our standard Article 28 GDPR data processing agreement, available on request and pre-signed for download below.
When you sign up for a paid CompliantHQ plan you become the data controller for the personal data we process on your behalf. Style4 Solutions AB acts as the data processor under GDPR Art. 28. This page summarises our standard DPA — the binding terms that govern how we handle your data.
What the DPA covers
- Subject matter: Our processing of personal data on your behalf (you being the controller) for the purpose of operating CompliantHQ — running scans on your websites, generating action plans, sending product email.
- Duration: For as long as you have an active CompliantHQ account, plus the retention windows described in our privacy policy.
- Categories of data subjects: Your users (your team members logged into CompliantHQ); incidentally, anyone whose personal data appears in publicly reachable pages on the websites you scan.
- Categories of personal data: Email addresses, names, billing details, scan-result metadata.
Our obligations as processor
- Process personal data only on your documented instructions (the agreed service).
- Ensure persons authorised to process the data are bound by confidentiality.
- Implement appropriate technical and organisational security measures (see security).
- Use sub-processors only with your prior authorisation and notify you of changes (see sub-processors).
- Assist you in responding to data-subject requests and supervisory-authority enquiries.
- Notify you of any personal-data breach without undue delay.
- Return or delete all personal data at the end of the processing relationship, unless EU/Swedish law requires further retention (e.g. bookkeeping records under Bokföringslagen).
- Make available to you all information necessary to demonstrate compliance and allow for audits.
International transfers
Where we transfer your data outside the EU/EEA (today: Anthropic in the US), the transfer is covered by the EU-US Data Privacy Framework supplemented by the European Commission's Standard Contractual Clauses (SCCs) as Art. 46 safeguards.
Sub-processors
The current sub-processor list is at /subprocessors. We notify customers of changes via that page; if you'd like proactive email notification, write to hello@complianthq.ai.
Get the signed DPA
This page is the summary. The binding text — including signature blocks, full sub-processor terms, and EU SCCs — is available as a PDF on request. Email hello@complianthq.ai with subject "DPA request" and we'll send our current standard DPA the same business day. We'll counter-sign on receipt of your version (or sign yours if you prefer your standard form).
This page is not legal advice
The summary above describes our standard terms but is not a substitute for the signed DPA itself. For the binding agreement, use the PDF version. If you need clauses we don't currently have (e.g. specific security frameworks, data-residency commitments beyond Sweden), tell us — we can usually accommodate.