Data Processing Agreement (DPA)
Last updated: March 27, 2026.

This Data Processing Agreement ("DPA") forms part of the agreement between you ("Controller") and ComplianceRadar.dev, operated by Damir Andrijanic ("Processor"), when and to the extent ComplianceRadar.dev processes personal data on your behalf under Article 28 GDPR.
1. Subject matter and duration
The subject matter of processing is the provision of the ComplianceRadar.dev service, including website compliance scans, account administration, and generation of related reports. Processing continues for the duration of the applicable service relationship, unless earlier terminated in accordance with the Terms of Service.
2. Nature and purpose of processing
Processing activities may include collection, structuring, analysis, storage, retrieval, transmission, and deletion of personal data strictly as necessary to deliver and secure the service, provide support, prevent abuse, and comply with documented Controller instructions and applicable law.
3. Categories of data subjects and personal data
Depending on your use of the service, data subjects may include your employees, contractors, website visitors, end users, or other persons whose data appears in submitted materials. Categories of personal data may include contact details, identifiers, technical metadata, and user-provided content included in submitted URLs or uploaded documentation.
You are responsible for ensuring that personal data submitted to the service is adequate, relevant, and limited to what is necessary for your purposes.
4. Roles and documented instructions
As between the parties, Controller determines the purposes and means of processing. Processor processes personal data only on documented instructions from Controller, including instructions reflected in the Terms of Service, this DPA, and your configured use of the service, unless otherwise required by applicable law.
5. Confidentiality
Processor ensures that persons authorized to process personal data are bound by confidentiality obligations (contractual or statutory) and receive access only to the extent necessary for performance of their duties.
6. Security of processing
Processor implements appropriate technical and organizational measures under Article 32 GDPR to protect personal data, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing. Additional security information is available on our Security page.
7. Subprocessors
Controller authorizes Processor to engage subprocessors as reasonably necessary to provide the service. Current subprocessors are listed in the Privacy Policy. Processor will impose data protection obligations on subprocessors that are substantially equivalent to those set out in this DPA.
Where required by applicable law, Controller may object to a new subprocessor on reasonable data protection grounds. If the parties cannot resolve the objection, either party may terminate affected services without penalty for the unresolved portion.
8. Assistance with data subject rights
Taking into account the nature of processing, Processor will provide reasonable assistance to Controller through appropriate technical and organizational measures to enable Controller to respond to requests to exercise data subject rights under Chapter III GDPR.
9. Incident support and breach notifications
Processor will notify Controller without undue delay after becoming aware of a personal data breach affecting Controller data and will provide available information reasonably necessary for Controller to meet its notification and documentation obligations.
10. DPIA and prior consultation assistance
Processor will provide reasonable assistance to Controller with data protection impact assessments and consultations with supervisory authorities where required under Articles 35 and 36 GDPR, taking into account the nature of processing and information available to Processor.
11. Return and deletion of personal data
Upon termination of the relevant services, Processor will, at Controller's choice and subject to technical feasibility, legal retention obligations, and backup cycles, delete or return personal data processed on behalf of Controller. Processor may retain data only where and for as long as required by applicable law.
12. Audit and information rights
Processor will make available information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR. Where such information is insufficient and required by applicable law, Controller may request a reasonable audit no more than once per year (or more frequently if required by law) upon prior written notice, during normal business hours, and subject to confidentiality and security safeguards.
13. International data transfers
If personal data is transferred outside the EEA/UK/Switzerland, Processor will ensure an appropriate transfer mechanism under applicable law, such as adequacy decisions or Standard Contractual Clauses (including supplementary measures where required).
14. Liability and order of precedence
Liability between the parties under this DPA is subject to the liability framework and limitations set out in the Terms of Service, except where mandatory data protection law provides otherwise. In the event of conflict between this DPA and the Terms of Service regarding processing of personal data, this DPA prevails for that subject matter.
15. Incorporation and updates
This DPA is incorporated by reference into the Terms of Service for applicable Controller-Processor processing activities. We may update this DPA from time to time to reflect legal, technical, or operational developments. The published "Last updated" date indicates the current version.