GDPR Article 28 Processor Summary

1. Parties and role

This summary describes processing activities performed by ComplySafe.io as a data processor on behalf of customers acting as data controllers under GDPR.

ComplySafe.io processes personal data only on documented customer instructions and only for the purpose of providing compliance scanning services.

2. Categories of data

  • Account information such as name and email address
  • Website URLs and publicly accessible content
  • Repository metadata and files provided through integrations
  • Scan results, reports, and compliance findings

3. Purpose of processing

Personal data is processed solely to perform automated compliance analysis, generate reports, and provide related service functionality requested by the customer.

4. Retention and subprocessors

Scan data and reports are retained only for limited periods described in the Privacy Policy or until deletion is requested, unless longer retention is legally required.

ComplySafe.io uses vetted subprocessors for infrastructure and payment processing. Current subprocessors include hosting and billing providers, and additional details are available on request.

5. Security and confidentiality

Security measures include encryption in transit and at rest, strict access controls, monitoring, and segregation of customer data.

Personnel with access to personal data are bound by confidentiality obligations and receive appropriate data protection training.

6. Assistance and restrictions

ComplySafe.io assists customers with data subject rights requests where required under GDPR.

Customer data is never used to train machine learning or AI models.

7. Jurisdiction and contact

ComplySafe.io is registered in Estonia and processes personal data in accordance with GDPR requirements.

For questions or to request a full Data Processing Agreement, contact contact@complysafe.io.
