Data Processing Agreement
Effective: 31 May 2026
This Data Processing Agreement (“DPA”) forms part of, and is incorporated by reference into, the Confir Terms and Conditions (the “Agreement”) between Confir OÜ and the Customer. It governs the Processing of Personal Data by Confir OÜ on behalf of the Customer in connection with the Service. Capitalised terms not defined here have the meaning given in the Agreement.
This DPA reflects the requirements of Article 28 of the GDPR. By accepting the Agreement, the Customer also accepts this DPA on behalf of itself and, where applicable, the controllers it represents.
1. Definitions
1.1 In this DPA:
- “Confir,” “we,” “us,” “our” means Confir OÜ, registry code [Registry code], registered office [Registered address], Estonia, acting as Processor.
- “Customer,” “you,” “your” means the entity that has entered into the Agreement, acting as Controller (or, where Section 2.3 applies, as Processor on behalf of a third-party Controller).
- “Customer Personal Data” means the Personal Data contained within Customer Data that Confir Processes on the Customer's behalf under the Agreement, as further described in Annex I.
- “Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including the GDPR, the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus), and the EU ePrivacy rules, in each case as amended or replaced from time to time.
- “GDPR” means Regulation (EU) 2016/679 (General Data Protection Regulation).
- “Restricted Transfer” means a transfer of Customer Personal Data by the Customer, Confir, or a Sub-processor to a country or recipient outside the European Economic Area (EEA) that is not covered by an adequacy decision under Article 45 GDPR.
- “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended or replaced.
- “Sub-processor” means any third party engaged by Confir to Process Customer Personal Data.
- “Controller,” “Processor,” “Data Subject,” “Personal Data,” “Personal Data Breach,” “Processing,” “Special Categories of Personal Data,” and “Supervisory Authority” have the meanings given in the GDPR.
2. Roles and scope of Processing
2.1 Roles. As between the parties, the Customer is the Controller and Confir is the Processor of Customer Personal Data. Confir will Process Customer Personal Data only as a Processor acting on the Customer's behalf.
2.2 Subject matter and details. The subject matter, duration, nature and purpose of the Processing, the types of Personal Data, and the categories of Data Subjects are described in Annex I.
2.3 Customer acting as a Processor. Where the Customer is itself a Processor acting on behalf of a third-party Controller, Confir acts as a Sub-processor. In that case, the Customer warrants that it has the third-party Controller's authority to engage Confir on the terms of this DPA and to give the instructions set out herein, and that it will pass on to the third-party Controller any notices or information Confir provides under this DPA.
2.4 Customer responsibilities as Controller. The Customer is responsible for the lawfulness of the Processing, including establishing a valid legal basis, providing any required notices to Data Subjects, and ensuring it has the right to transfer Customer Personal Data to Confir for Processing. The Customer must not instruct Confir to Process Personal Data in breach of Data Protection Laws.
2.5 No Special Categories by default. The Service is not designed to Process Special Categories of Personal Data. The Customer must not submit Special Categories of Personal Data through the Service unless expressly agreed in writing and supported by appropriate safeguards.
3. Processing on documented instructions
3.1 Instructions. Confir will Process Customer Personal Data only on the Customer's documented instructions, including with regard to Restricted Transfers, unless required to do otherwise by EU or EU Member State law to which Confir is subject. Where such a legal requirement applies, Confir will inform the Customer of that requirement before Processing, unless the law prohibits this on important grounds of public interest.
3.2 Scope of instructions. The Customer's complete and documented instructions are: (a) the Agreement and this DPA; (b) the Customer's configuration and use of the Service in line with the Documentation; and (c) any further written instructions agreed by the parties. Additional instructions outside this scope require prior written agreement and may be subject to fees.
3.3 Unlawful instructions. Confir will inform the Customer if, in its opinion, an instruction infringes Data Protection Laws. Confir is not obliged to perform a legal review of the lawfulness of the Customer's instructions.
4. Confidentiality
Confir will ensure that persons authorised to Process Customer Personal Data are bound by appropriate obligations of confidentiality (whether contractual or statutory), are informed of the confidential nature of the data, and Process it only as necessary to provide the Service.
5. Security of Processing
5.1 Security measures. Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing, as well as the risks to Data Subjects, Confir will implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex II.
5.2 Updates. Confir may update its security measures from time to time, provided that the updates do not materially reduce the overall level of protection of Customer Personal Data.
5.3 Customer's role. The Customer is responsible for assessing whether the measures in Annex II meet its requirements and for securing its own systems, credentials, and configuration choices within the Service.
6. Sub-processors
6.1 General authorisation. The Customer grants Confir general authorisation to engage Sub-processors to Process Customer Personal Data, subject to this Section. The Sub-processors engaged as at the effective date are listed in Annex III (and at confir.eu/legal/subprocessors).
6.2 Flow-down obligations. Confir will impose on each Sub-processor, by written contract, data protection obligations that are no less protective than those in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures. Confir remains fully liable to the Customer for the performance of each Sub-processor's obligations.
6.3 Changes and objection. Confir will give the Customer at least thirty (30) days' prior notice of the addition or replacement of any Sub-processor, by email, via the Service, or by updating the list referenced in Annex III (to which the Customer may subscribe for change notifications). Within that period the Customer may object on reasonable, data-protection-related grounds. If the Customer reasonably objects and the parties cannot agree a resolution, the Customer may, as its sole and exclusive remedy, terminate the affected part of the Service by written notice, and Confir will refund any prepaid fees for the unused remainder of the then-current period.
7. Assistance to the Customer
7.1 Data Subject requests. Taking into account the nature of the Processing, Confir will assist the Customer by appropriate technical and organisational measures, insofar as possible, to fulfil the Customer's obligation to respond to requests by Data Subjects exercising their rights under Chapter III of the GDPR. If Confir receives a request from a Data Subject relating to Customer Personal Data, it will, where lawful, promptly forward the request to the Customer and will not respond directly except on the Customer's documented instructions.
7.2 Compliance assistance. Taking into account the nature of Processing and the information available to Confir, Confir will assist the Customer in ensuring compliance with its obligations under Articles 32 to 36 of the GDPR, namely security of Processing, notification of Personal Data Breaches, communication of breaches to Data Subjects, data protection impact assessments, and prior consultation with a Supervisory Authority.
7.3 Costs. Confir will provide reasonable assistance under this Section. Confir may charge a reasonable fee for assistance that exceeds the standard functionality of the Service or that requires material effort, having first notified the Customer.
8. Personal Data Breach
8.1 Notification. Confir will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.
8.2 Information. The notification will include, to the extent known and as it becomes available, a description of the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, the measures taken or proposed, and a contact point for further information.
8.3 No admission. Confir's notification of, or response to, a Personal Data Breach is not an acknowledgement of fault or liability. The Customer is responsible for any notifications to Supervisory Authorities or Data Subjects required of it as Controller.
9. International transfers
9.1 Default location. Confir will Process Customer Personal Data within the EEA except as set out in Annex III or as otherwise agreed.
9.2 Transfers outside the EEA. To the extent Confir or a Sub-processor transfers Customer Personal Data to a country or recipient outside the EEA, it will ensure that an appropriate transfer mechanism under Chapter V of the GDPR applies, which may be: (a) an adequacy decision under Article 45 GDPR; (b) the EU-U.S. Data Privacy Framework (itself the subject of an adequacy decision), where the importer is certified and the transfer falls within its scope; or (c) for a Restricted Transfer, the Standard Contractual Clauses, together with the transfer impact assessment and any supplementary measures that Clause 14 of the SCCs requires.
9.3 Incorporation of the SCCs. Where the SCCs apply to a Restricted Transfer between the Customer (as data exporter) and Confir (as data importer), the SCCs are hereby incorporated into this DPA by reference and completed as follows: (a) Module Two (Controller to Processor) applies where the Customer is a Controller, and Module Three (Processor to Processor) applies where the Customer acts as a Processor under Section 2.3; (b) in Clause 7, the optional docking clause applies; (c) in Clause 9, Option 2 (general written authorisation) applies, with the notice period specified in Section 6.3; (d) in Clause 11, the optional independent-dispute-resolution language does not apply; (e) in Clause 17, the SCCs are governed by the law of Estonia; (f) in Clause 18, disputes will be resolved before the courts of Estonia; and (g) Annexes I, II and III of this DPA populate the corresponding Annexes of the SCCs. Where Confir transfers data to a Sub-processor that is an importer, Confir will ensure the appropriate module of the SCCs (or another valid mechanism) is in place with that Sub-processor.
9.4 Conflict. In the event of any conflict between the SCCs and the rest of this DPA or the Agreement in respect of a Restricted Transfer, the SCCs prevail.
10. Audits and records
10.1 Demonstrating compliance. Confir will make available to the Customer information reasonably necessary to demonstrate compliance with Article 28 of the GDPR and this DPA. Confir may satisfy this obligation by providing summaries of policies, security documentation, or third-party audit reports or certifications where available.
10.2 Audits. Confir will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, subject to the following: (a) the Customer gives at least thirty (30) days' prior written notice; (b) audits occur no more than once per twelve (12) months, except where required by a Supervisory Authority or following a Personal Data Breach; (c) audits take place during business hours, with minimal disruption, and the auditor is bound by confidentiality; (d) the Customer bears its own and Confir's reasonable costs of the audit; and (e) the audit does not require Confir to disclose information that would compromise the security or confidentiality of other customers or third parties.
10.3 Records. Each party will maintain records of Processing as required by Article 30 of the GDPR.
11. Return and deletion of Customer Personal Data
11.1 On termination. On expiry or termination of the Agreement, Confir will, at the Customer's choice, delete or return all Customer Personal Data and delete existing copies, unless EU or EU Member State law requires storage.
11.2 Export window. During the Subscription Term and for thirty (30) days after termination, the Customer may export Customer Data using the Service's functionality. After that period, Confir may delete Customer Personal Data in the ordinary course.
11.3 Retained data. Confir may retain Customer Personal Data to the extent and for the period required by law, or where retained in routine backups, in which case it remains subject to the confidentiality and security obligations of this DPA and will be deleted in the ordinary backup-rotation cycle.
12. Liability
12.1 Cap and exclusions. Each party's liability arising out of or relating to this DPA, whether in contract, tort, or otherwise, is subject to the exclusions and limitations of liability set out in the Agreement (including the aggregate liability cap). Any reference in the Agreement to a party's liability “under the Agreement” includes liability under this DPA.
12.2 No effect on data subject rights. Nothing in this DPA or the Agreement limits any liability that cannot be limited under Data Protection Laws, including liability to Data Subjects under Article 82 of the GDPR.
13. Term, precedence, and general
13.1 Term. This DPA takes effect on the effective date and continues for as long as Confir Processes Customer Personal Data under the Agreement. Provisions that by their nature should survive termination will survive.
13.2 Precedence. In the event of a conflict regarding the Processing of Personal Data, the following order of precedence applies: (a) the SCCs (for Restricted Transfers); (b) this DPA; and (c) the remainder of the Agreement.
13.3 Governing law and jurisdiction. This DPA is governed by the laws of the Republic of Estonia, and the courts of Estonia (the Harju County Court, Harju Maakohus, as court of first instance) have jurisdiction, consistent with the Agreement, save where the SCCs provide otherwise for a Restricted Transfer.
13.4 Changes. Confir may amend this DPA where required to reflect changes in Data Protection Laws, guidance from a Supervisory Authority, or the SCCs, on reasonable notice, provided the amendment does not materially reduce the protection of Customer Personal Data.
13.5 Severability. If any provision of this DPA is held invalid or unenforceable, the remainder continues in effect, and the invalid provision will be modified to the minimum extent necessary to make it valid and enforceable while preserving its intent.
Annex I — Description of the Processing
A. List of parties
Data exporter / Controller: The Customer, as identified in the Agreement and at checkout. Contact: the account administrator's details provided in the account. Role: Controller (or Processor where Section 2.3 applies).
Data importer / Processor: Confir OÜ, registry code [Registry code], [Registered address], Estonia. Contact for data protection matters: privacy@confir.eu. Role: Processor.
B. Description of Processing
Categories of Data Subjects:
- The Customer's Authorised Users and personnel (e.g., employees, contractors) who access or are referenced in the Service;
- Any individuals whose Personal Data the Customer chooses to include in Customer Data (for example, personnel named in the Customer's AI-system documentation or compliance records).
Categories of Personal Data:
- Account and identity data: name, business email address, job title, and similar professional contact details;
- Authentication and usage data: login credentials, IP address, device and log data, and records of activity within the Service;
- Content data: any Personal Data the Customer includes within the information it submits about its AI systems, products, processes, organisation, and compliance documentation.
Special Categories of Personal Data: None intended (see Section 2.5). The Customer must not submit Special Categories of Personal Data unless expressly agreed in writing.
Nature and purpose of Processing: Hosting, storage, organisation, structuring, retrieval, consultation, use, and deletion of Customer Personal Data as necessary to provide the Service — namely an EU AI Act compliance assessment and documentation platform — including generating Outputs from the inputs provided, providing support, ensuring security, and meeting legal obligations.
Frequency of Processing: Continuous, for the duration of the Subscription Term.
Duration of Processing: For the term of the Agreement, plus the export and deletion periods set out in Section 11.
C. Competent Supervisory Authority
Confir's competent Supervisory Authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, AKI), Tatari 39, 10134 Tallinn, Estonia. Where the SCCs apply, the competent Supervisory Authority is determined in accordance with Clause 13 of the SCCs (generally the authority of the data exporter's place of establishment).
Annex II — Technical and Organisational Measures
- Access control and authentication. Role-based access on a least-privilege basis; unique user accounts; multi-factor authentication for administrative access; prompt revocation of access on role change or departure.
- Encryption. Encryption of Customer Personal Data in transit (e.g., TLS 1.2+) and at rest using industry-standard algorithms.
- Network and infrastructure security. Firewalls and network segmentation; hardened configurations; use of reputable cloud infrastructure providers with recognised certifications (e.g., ISO/IEC 27001) — see Annex III.
- Pseudonymisation and minimisation. Data minimisation in the Service's design; pseudonymisation or aggregation where appropriate, including for analytics.
- Logging and monitoring. Security logging, monitoring, and alerting; retention of logs for a reasonable period.
- Secure development. Secure software development practices; code review; dependency and vulnerability management; separation of production and non-production environments; no use of production Personal Data in test environments without safeguards.
- Resilience and backups. Regular encrypted backups; documented restoration procedures; measures to ensure ongoing confidentiality, integrity, availability, and resilience of systems.
- Personnel. Confidentiality obligations for all personnel; data-protection and security awareness training; background checks where lawful and appropriate.
- Physical security. Physical security of infrastructure delegated to certified hosting providers (see Annex III).
- Incident response. A documented incident-response process, including breach detection, escalation, and notification in line with Section 8.
- Vendor management. Due diligence and contractual safeguards for Sub-processors (see Section 6 and Annex III).
- Deletion. Procedures for secure deletion and return of Customer Personal Data in line with Section 11.
Annex III — Sub-processors
The current Sub-processors authorised to Process Customer Personal Data are maintained, in their authoritative form, at confir.eu/legal/subprocessors, where Customers may subscribe to change notifications. Confir gives at least thirty (30) days' prior notice of any addition or replacement of a Sub-processor (Section 6.3). The core infrastructure Sub-processors are:
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Amazon Web Services EMEA SARL (Luxembourg) | Cloud infrastructure hosting (compute, storage, network) | Frankfurt, Germany (eu-central-1) | N/A — EEA contracting entity and EEA hosting |
| Supabase Inc. (USA) | Managed Postgres database, authentication, file storage, Edge Functions | Frankfurt, Germany (EU region) | EU SCCs + UK Addendum (see note below) |
| Stripe Payments Europe Ltd (Ireland) | Subscription billing and payment processing | Dublin, Ireland (EEA) | N/A — EEA |
| Vercel Inc. (USA) | Frontend application hosting, deployment and edge delivery | EEA region(s); US parent entity | EU-U.S. DPF (certified) and EU SCCs (see note below) |
Note on US-incorporated Sub-processors. Certain Sub-processors host Customer Personal Data within the EEA but are incorporated in the United States (or have US parent entities) that may, in principle, be subject to foreign access requests. For these, Confir relies on the following safeguards under Chapter V of the GDPR: for Vercel, the EU-U.S. Data Privacy Framework (under which Vercel is actively certified) together with the Standard Contractual Clauses as a fallback; and for Supabase, the Standard Contractual Clauses and UK Addendum incorporated in Supabase's data processing addendum, supported by Supabase's published Transfer Impact Assessment (Supabase is not DPF-certified). Both providers maintain SOC 2 Type 2 and ISO 27001 certifications.
Marketing-website analytics (separate processing). Any analytics used on Confir's public marketing website process website-visitor data (e.g., online identifiers, IP address, usage events) for which Confir is the Controller; this does not process Customer Personal Data within the Service. This processing is disclosed in Confir's Privacy Policy and Cookie Policy and is subject to prior cookie consent.
Acceptance
This DPA is accepted by the Customer on entry into the Agreement (including by completing checkout or starting a trial) and by Confir by making the Service available. No physical signature is required for the DPA to be binding, though the parties may sign a counterpart on request. For data-protection enquiries, write to privacy@confir.eu.