Data Processing Agreement

1. Definitions

• "Controller" means you, the customer, who determines the purposes and means of processing personal data.
• "Processor" means Relay Labs Ltd, trading as AIComply, who processes personal data on behalf of the Controller.
• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Processing" means any operation performed on personal data, whether automated or not.
• "GDPR" means Regulation (EU) 2016/679 (General Data Protection Regulation).

2. Subject Matter and Duration

This DPA governs the processing of personal data by AIComply on behalf of the Controller in connection with the provision of the AIComply compliance management platform (the "Services").

The duration of processing shall be for the term of the Services agreement plus any legally required retention period.

3. Nature and Purpose of Processing

AIComply processes personal data for the following purposes:

• Providing and maintaining the EU AI Act compliance management platform
• Processing user account information and authentication
• Storing and managing AI system documentation submitted by the Controller
• Generating compliance reports and assessments using AI assistance
• Providing customer support and communication
• Processing billing and payment information

4. Types of Personal Data and Data Subjects

5. Obligations of the Processor

AIComply shall:

• Process personal data only on documented instructions from the Controller
• Ensure that persons authorised to process data are subject to confidentiality obligations
• Implement appropriate technical and organisational security measures
• Engage sub-processors only with Controller's authorisation and under written contract
• Assist the Controller in responding to data subject requests
• Assist with data protection impact assessments and consultations with supervisory authorities
• Delete or return all personal data upon termination, as instructed
• Make available all information necessary to demonstrate compliance

6. Sub-Processors

The Controller authorises AIComply to engage the following sub-processors:

7. Data Transfer Safeguards

All personal data is processed within the European Union (Ireland). Where transfers outside the EU/EEA are necessary (e.g., Stripe), appropriate safeguards are in place including:

• EU Standard Contractual Clauses (SCCs)
• Adequacy decisions where applicable
• Supplementary measures including encryption and access controls

8. Data Breach Notification

AIComply shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach. The notification shall include, where possible, the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.

9. Data Deletion and Return

Upon termination of the Services, AIComply shall, at the Controller's choice, delete or return all personal data within 30 days, unless EU or Member State law requires retention. A certificate of destruction may be provided upon request.

10. Governing Law and Supervision

This DPA is governed by the laws of Ireland. The lead supervisory authority is the Irish Data Protection Commission (DPC).

11. Contact

For questions about this DPA or to exercise your rights: