Data Processing Agreement

1. Parties

This Data Processing Agreement ("DPA") is entered into between the customer entity identified in the CompliVibe subscription order form ("Controller") and ValersAI Connect Pvt. Ltd., operating as CompliVibe, Gurugram, India ("Processor").

This DPA supplements the CompliVibe Terms of Service and governs the processing of personal data by CompliVibe on behalf of the Controller in connection with the provision of the CompliVibe platform.

2. Subject matter and duration

CompliVibe processes personal data as necessary to provide the compliance management services described in the Terms of Service, including: AI system compliance assessment, obligation mapping, Annex IV document generation, and regulatory update delivery.

Processing continues for the duration of the subscription agreement and for any post-termination retention period required by applicable law or agreed in writing.

3. Nature and purpose of processing

CompliVibe processes the following categories of personal data on behalf of the Controller:

(a) Account data: names, email addresses, and job titles of Controller's employees who access the platform. (b) Compliance input data: descriptions of AI systems, use cases, and data subjects provided by the Controller for assessment purposes. (c) Usage data: logs of platform actions taken by the Controller's users.

The purpose of processing is solely to provide, maintain, and improve the CompliVibe platform as described in the Terms of Service. CompliVibe does not process personal data for its own purposes or for advertising.

4. Controller obligations

The Controller warrants that: (a) it has the legal basis to provide personal data to CompliVibe for processing; (b) it will comply with its own GDPR and DPDP obligations as a data controller; (c) it will notify CompliVibe promptly of any changes to processing instructions; and (d) it has informed relevant data subjects of the engagement of CompliVibe as a processor where required.

5. Processor obligations

CompliVibe agrees to: (a) process personal data only on documented instructions from the Controller; (b) ensure all personnel with access to personal data are bound by confidentiality obligations; (c) implement technical and organisational security measures as described in our Security page; (d) assist the Controller in responding to data subject rights requests; (e) notify the Controller without undue delay of any personal data breach; (f) delete or return all personal data upon termination of the agreement; and (g) make available all information necessary to demonstrate compliance with this DPA.

Sub-processors: CompliVibe engages sub-processors as listed in our Privacy Policy. We will notify the Controller of any intended changes to sub-processors and give the Controller the opportunity to object.

6. International transfers

Where processing involves a transfer of personal data from the EU/EEA to a third country (including India), such transfers are conducted using the Standard Contractual Clauses (SCCs) adopted by the European Commission, or other adequacy mechanisms as applicable.

For EU customers, the Module Two (Controller to Processor) SCCs are hereby incorporated by reference into this DPA. CompliVibe implements supplementary measures including encryption at rest and in transit as described in our Security documentation.