Trust Center

Built for the due diligence European buyers apply

Data residency, data-processing terms, subprocessors and security — the documentation set procurement and vendor-review teams ask for, in one place.

Version 1.2 · Last updated 2026-07-18

EU data residency

Stored and processed exclusively within the EU.

Self-host option

Run it on your own infrastructure — zero subprocessors.

Tamper-evident audit

Append-only log; UPDATE/DELETE revoked at the database.

Right to export

Full self-service data export at any time. No lock-in.

Template — subject to legal review. This document set is provided as a working template for customer due diligence. It has been prepared with reference to the GDPR but has not yet been reviewed by qualified legal counsel, and does not constitute legal advice.

Data residency

All customer data processed by Complywerk — client records, product data, compliance obligations, filings, documents and audit trails — is stored and processed exclusively within the European Union.

Cloud offering: the PostgreSQL database, object storage and application tier are hosted on servers located in Germany (EU data residency); database backups and their replicas remain within the EU. No customer data is transferred to, stored in, or processed from any location outside the EU/EEA in the ordinary course of operation.

Self-hosted / private deployment: Complywerk can be deployed entirely on infrastructure controlled by your organisation (Docker-based, with PostgreSQL and local object storage). In this model no data leaves your environment and no subprocessors are engaged.

Where any future feature would involve a transfer of personal data outside the EU/EEA, it will only occur under a valid transfer mechanism (adequacy decision or Standard Contractual Clauses per Art. 46(2)(c) GDPR) and will be announced in advance via the subprocessor register.

Responsibility boundary

Complywerk is compliance-workflow software. The system provides researched rule drafts, derived obligations, deadlines, reminders and a tamper-evident record of what was done — the legal conclusions drawn from them remain the responsibility of licensed professional review. Rule content is marked with its verification status, and country checklists that depend on contract terms carry explicit check-your-contract qualifiers.

Client offboarding: the system's tracking of tail-period obligations — including generating nil-return filings until a registry publishes the market-leaving date — is a workflow capability. Whether and when a client's legal duties actually end in a given country is a legal judgement that stays with the licensed review step, not with the software.

Estimated figures: reported values can carry a value-source tag (measured, spec sheet or estimated) recorded at the point of entry. Estimated values are disclosed in plausibility warnings and in export header annotations, so the reporting methodology is documented and auditable. The system records and discloses the method; it does not certify the figures.

Data Processing Agreement (DPA) — template

This Data Processing Agreement forms part of the service agreement between the customer (the “Controller”) and the provider of Complywerk (the “Processor”) and reflects the parties' agreement regarding the processing of personal data in accordance with Article 28 of Regulation (EU) 2016/679 (“GDPR”).

1. Subject matter and duration
The Processor processes personal data on behalf of the Controller to provide the Complywerk service (EPR / product-compliance obligation management for the Controller's clients), for the duration of the service agreement and until deletion or return of all personal data.
2. Nature and purpose
Hosting, storage, retrieval, display, transmission and deletion of data entered by the Controller, strictly as necessary to provide the contracted service and as documented in the Controller's instructions.
3. Types of personal data
Name, business email and phone, role/title, IP addresses and access logs, and any personal data contained in documents uploaded by the Controller or its clients. No special categories of personal data (Art. 9 GDPR) are required by the service.
4. Documented instructions (Art. 28(3)(a))
The Processor processes personal data only on documented instructions from the Controller, including regarding third-country transfers, unless required by Union or Member State law.
5. Confidentiality (Art. 28(3)(b))
Persons authorised to process the personal data are committed to confidentiality or under an appropriate statutory obligation of confidentiality.
6. Security of processing (Art. 28(3)(c), Art. 32)
Appropriate technical and organisational measures, including encryption in transit (TLS 1.2+) and at rest, role-based access control, two-factor authentication, an append-only tamper-evident audit trail, tenant isolation, and SHA-256 integrity verification of stored documents.
7. Subprocessors (Art. 28(2), 28(4))
The Controller grants a general written authorisation for the subprocessors listed in the public register. The Processor gives at least 30 days' prior notice of any addition or replacement, during which the Controller may object on reasonable data-protection grounds, and remains fully liable for each subprocessor.
8. Data subject rights and assistance (Art. 28(3)(e),(f))
The Processor assists the Controller by appropriate measures in responding to data subject requests (Arts. 15–22) and with security, breach notification and — where applicable — data protection impact assessments (Arts. 32–36).
9. Breach notification
The Processor notifies the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data, with the information required to meet Arts. 33–34 obligations.
10. Deletion and return (Art. 28(3)(g))
At the Controller's choice, the Processor deletes or returns all personal data after the end of services and deletes existing copies unless storage is legally required. A full self-service data export is available at any time during the term.
11. Audits (Art. 28(3)(h))
The Processor makes available all information necessary to demonstrate Art. 28 compliance and allows for and contributes to audits by the Controller or a mandated auditor, subject to reasonable notice and confidentiality.
12. International transfers
Personal data is processed within the EU/EEA as described in the data residency statement. Any third-country transfer takes place only under Chapter V GDPR (adequacy decision or Standard Contractual Clauses).

A signable DPA is provided on request during procurement, and inside the product for account owners.

Subprocessor register

The cloud offering is planned to engage the following subprocessors. Status “planned” means the provider has been selected for the cloud architecture but is not engaged in the current deployment. Customers subscribed to change notifications receive at least 30 days' notice before any subprocessor is added or replaced.

SubprocessorPurposeData locationStatus
SupabaseManaged PostgreSQL, authentication and object storageGermany (EU data residency)planned
VercelApplication hosting (web app and serverless functions)Germany (EU data residency)planned
ResendTransactional email (reminders, digests, portal invitations)EU data residency optionplanned
Zero-subprocessor option. Zero-subprocessor option: in the self-hosted / private deployment model, Complywerk runs entirely on infrastructure controlled by your organisation and engages no subprocessors.

Security overview

Technical and organisational measures in the product today, and those committed and in delivery.

Two-factor authenticationIn delivery

Email + password sign-in with TOTP-based two-factor authentication. Development-only login paths are hard-disabled in production builds.

Tamper-evident audit trailShipped

Every write is recorded in an append-only audit log (who, what, when, before/after). UPDATE and DELETE are revoked on the audit table at the database level — audit history cannot be altered, including by operators.

Tenant isolationIn delivery

Strict per-tenant isolation enforced in the application layer on every query, with cross-tenant access tests in CI. PostgreSQL Row-Level Security is part of the cloud deployment plan as defence in depth.

Document integrity & versioningShipped

Uploaded documents are stored as immutable versions with SHA-256 checksums; prior versions remain retrievable. Retention policies (e.g. GPSR 10-year minimum) prevent premature deletion.

Right to exportShipped

Customers can export their full tenant data set (structured data as CSV/JSON and documents) self-service at any time — no lock-in, and a practical basis for Art. 20 GDPR portability.

EncryptionIn delivery

TLS 1.2+ for all data in transit. In the cloud offering, data at rest is encrypted with provider-managed AES-256; in self-hosted deployments, at-rest encryption follows the host infrastructure.

Role-based access controlShipped

Four roles (owner / admin / specialist / viewer) with least-privilege defaults, enforced server-side on every procedure.

Privacy

Controller. For personal data of visitors and account holders, Complywerk is the controller; for data entered into the service by customers, the customer is the controller and Complywerk acts as processor (see DPA).

Data we process. Account data (name, business email, role), usage and security logs (IP address, timestamps, audit-trail actions), and content data entered by customers.

Legal bases. Provision of the contracted service (Art. 6(1)(b)); security, abuse prevention and audit integrity (Art. 6(1)(f)); compliance with legal obligations (Art. 6(1)(c)).

Your rights. Access, rectification, erasure, restriction, portability and objection (Arts. 15–22), and the right to lodge a complaint with a supervisory authority (Art. 77).

Contact. privacy@complywerk.com — this policy skeleton will be finalised with legal counsel prior to commercial launch.