Built for the due diligence European buyers apply
Data residency, data-processing terms, subprocessors and security — the documentation set procurement and vendor-review teams ask for, in one place.
Version 1.2 · Last updated 2026-07-18
EU data residency
Stored and processed exclusively within the EU.
Self-host option
Run it on your own infrastructure — zero subprocessors.
Tamper-evident audit
Append-only log; UPDATE/DELETE revoked at the database.
Right to export
Full self-service data export at any time. No lock-in.
Data residency
All customer data processed by Complywerk — client records, product data, compliance obligations, filings, documents and audit trails — is stored and processed exclusively within the European Union.
Cloud offering: the PostgreSQL database, object storage and application tier are hosted on servers located in Germany (EU data residency); database backups and their replicas remain within the EU. No customer data is transferred to, stored in, or processed from any location outside the EU/EEA in the ordinary course of operation.
Self-hosted / private deployment: Complywerk can be deployed entirely on infrastructure controlled by your organisation (Docker-based, with PostgreSQL and local object storage). In this model no data leaves your environment and no subprocessors are engaged.
Where any future feature would involve a transfer of personal data outside the EU/EEA, it will only occur under a valid transfer mechanism (adequacy decision or Standard Contractual Clauses per Art. 46(2)(c) GDPR) and will be announced in advance via the subprocessor register.
Responsibility boundary
Complywerk is compliance-workflow software. The system provides researched rule drafts, derived obligations, deadlines, reminders and a tamper-evident record of what was done — the legal conclusions drawn from them remain the responsibility of licensed professional review. Rule content is marked with its verification status, and country checklists that depend on contract terms carry explicit check-your-contract qualifiers.
Client offboarding: the system's tracking of tail-period obligations — including generating nil-return filings until a registry publishes the market-leaving date — is a workflow capability. Whether and when a client's legal duties actually end in a given country is a legal judgement that stays with the licensed review step, not with the software.
Estimated figures: reported values can carry a value-source tag (measured, spec sheet or estimated) recorded at the point of entry. Estimated values are disclosed in plausibility warnings and in export header annotations, so the reporting methodology is documented and auditable. The system records and discloses the method; it does not certify the figures.
Data Processing Agreement (DPA) — template
This Data Processing Agreement forms part of the service agreement between the customer (the “Controller”) and the provider of Complywerk (the “Processor”) and reflects the parties' agreement regarding the processing of personal data in accordance with Article 28 of Regulation (EU) 2016/679 (“GDPR”).
- 1. Subject matter and duration
- The Processor processes personal data on behalf of the Controller to provide the Complywerk service (EPR / product-compliance obligation management for the Controller's clients), for the duration of the service agreement and until deletion or return of all personal data.
- 2. Nature and purpose
- Hosting, storage, retrieval, display, transmission and deletion of data entered by the Controller, strictly as necessary to provide the contracted service and as documented in the Controller's instructions.
- 3. Types of personal data
- Name, business email and phone, role/title, IP addresses and access logs, and any personal data contained in documents uploaded by the Controller or its clients. No special categories of personal data (Art. 9 GDPR) are required by the service.
- 4. Documented instructions (Art. 28(3)(a))
- The Processor processes personal data only on documented instructions from the Controller, including regarding third-country transfers, unless required by Union or Member State law.
- 5. Confidentiality (Art. 28(3)(b))
- Persons authorised to process the personal data are committed to confidentiality or under an appropriate statutory obligation of confidentiality.
- 6. Security of processing (Art. 28(3)(c), Art. 32)
- Appropriate technical and organisational measures, including encryption in transit (TLS 1.2+) and at rest, role-based access control, two-factor authentication, an append-only tamper-evident audit trail, tenant isolation, and SHA-256 integrity verification of stored documents.
- 7. Subprocessors (Art. 28(2), 28(4))
- The Controller grants a general written authorisation for the subprocessors listed in the public register. The Processor gives at least 30 days' prior notice of any addition or replacement, during which the Controller may object on reasonable data-protection grounds, and remains fully liable for each subprocessor.
- 8. Data subject rights and assistance (Art. 28(3)(e),(f))
- The Processor assists the Controller by appropriate measures in responding to data subject requests (Arts. 15–22) and with security, breach notification and — where applicable — data protection impact assessments (Arts. 32–36).
- 9. Breach notification
- The Processor notifies the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data, with the information required to meet Arts. 33–34 obligations.
- 10. Deletion and return (Art. 28(3)(g))
- At the Controller's choice, the Processor deletes or returns all personal data after the end of services and deletes existing copies unless storage is legally required. A full self-service data export is available at any time during the term.
- 11. Audits (Art. 28(3)(h))
- The Processor makes available all information necessary to demonstrate Art. 28 compliance and allows for and contributes to audits by the Controller or a mandated auditor, subject to reasonable notice and confidentiality.
- 12. International transfers
- Personal data is processed within the EU/EEA as described in the data residency statement. Any third-country transfer takes place only under Chapter V GDPR (adequacy decision or Standard Contractual Clauses).
A signable DPA is provided on request during procurement, and inside the product for account owners.
Subprocessor register
The cloud offering is planned to engage the following subprocessors. Status “planned” means the provider has been selected for the cloud architecture but is not engaged in the current deployment. Customers subscribed to change notifications receive at least 30 days' notice before any subprocessor is added or replaced.
| Subprocessor | Purpose | Data location | Status |
|---|---|---|---|
| Supabase | Managed PostgreSQL, authentication and object storage | Germany (EU data residency) | planned |
| Vercel | Application hosting (web app and serverless functions) | Germany (EU data residency) | planned |
| Resend | Transactional email (reminders, digests, portal invitations) | EU data residency option | planned |
Security overview
Technical and organisational measures in the product today, and those committed and in delivery.
Email + password sign-in with TOTP-based two-factor authentication. Development-only login paths are hard-disabled in production builds.
Every write is recorded in an append-only audit log (who, what, when, before/after). UPDATE and DELETE are revoked on the audit table at the database level — audit history cannot be altered, including by operators.
Strict per-tenant isolation enforced in the application layer on every query, with cross-tenant access tests in CI. PostgreSQL Row-Level Security is part of the cloud deployment plan as defence in depth.
Uploaded documents are stored as immutable versions with SHA-256 checksums; prior versions remain retrievable. Retention policies (e.g. GPSR 10-year minimum) prevent premature deletion.
Customers can export their full tenant data set (structured data as CSV/JSON and documents) self-service at any time — no lock-in, and a practical basis for Art. 20 GDPR portability.
TLS 1.2+ for all data in transit. In the cloud offering, data at rest is encrypted with provider-managed AES-256; in self-hosted deployments, at-rest encryption follows the host infrastructure.
Four roles (owner / admin / specialist / viewer) with least-privilege defaults, enforced server-side on every procedure.
Privacy
Controller. For personal data of visitors and account holders, Complywerk is the controller; for data entered into the service by customers, the customer is the controller and Complywerk acts as processor (see DPA).
Data we process. Account data (name, business email, role), usage and security logs (IP address, timestamps, audit-trail actions), and content data entered by customers.
Legal bases. Provision of the contracted service (Art. 6(1)(b)); security, abuse prevention and audit integrity (Art. 6(1)(f)); compliance with legal obligations (Art. 6(1)(c)).
Your rights. Access, rectification, erasure, restriction, portability and objection (Arts. 15–22), and the right to lodge a complaint with a supervisory authority (Art. 77).
Contact. privacy@complywerk.com — this policy skeleton will be finalised with legal counsel prior to commercial launch.