Data Processing Addendum

1. Roles

This Addendum forms part of the agreement between you (the "Controller") and MoAli Nexus (the "Processor"). It applies where ComplyAgent processes personal data on your behalf in providing the service, and reflects the requirements of Article 28 GDPR.

2. Subject matter and duration

The Processor processes personal data for the duration of the agreement to provide AI compliance tooling: discovery, classification, document generation, training records, and audit packs.

3. Nature and purpose

Processing is limited to what is necessary to deliver the service and to follow your documented instructions (including via the product UI and API).

4. Types of data and data subjects

• Data subjects: your staff who use the product; and, to the extent you enter it, individuals referenced in your AI systems (e.g. candidates, customers).
• Categories: identification and contact data, employment/role data, and any content you choose to enter. Avoid entering special-category data unless strictly necessary.

5. Processor obligations

• Process only on documented instructions from the Controller.
• Ensure persons authorised to process are bound by confidentiality.
• Implement appropriate technical and organisational measures (Art. 32).
• Assist with data-subject requests and with Articles 32 to 36 obligations.
• Notify the Controller without undue delay after becoming aware of a personal-data breach.
• Delete or return personal data at the end of the engagement.
• Make available information needed to demonstrate compliance.

6. Sub-processors

The Controller authorises the Processor to engage the sub-processors listed at /legal/subprocessors. The Processor will inform the Controller of intended changes and remains responsible for its sub-processors' performance. Sub-processors are bound by data-protection terms no less protective than this Addendum.

7. International transfers

Primary processing is in the EU (Ireland). Where a sub-processor transfers data outside the EEA, it is done under an adequacy decision or Standard Contractual Clauses with supplementary measures as needed.

8. Security

Encryption in transit and at rest, per-tenant isolation, access controls, and audit logging. Detailed measures are available on request and summarised in our Privacy Policy.

9. Audits

The Processor will make available information reasonably necessary to demonstrate compliance and will contribute to audits, subject to reasonable confidentiality and frequency limits.

10. Deletion and return

On termination, or on your request via Settings, the Processor deletes the Controller's personal data within a commercially reasonable period, save where retention is required by law.

11. Signing

Need a countersigned copy for your records? Email admin@complyagent.eu and we will provide an executable version.