Data Processing Agreement
Last updated: 15 March 2026
This Data Processing Agreement ("DPA") supplements the Terms of Service between you (the "Customer") and Vyzor (KvK: 99170353), Amsterdam, The Netherlands ("Processor"), and governs the processing of personal data by the Processor on behalf of the Customer in connection with the provision of the financialregulations.eu platform (the "Service").
This DPA is entered into in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and reflects the parties' agreement with regard to the processing of personal data.
1. Roles and Definitions
| Data Controller | The Customer |
| Data Processor | Vyzor (KvK: 99170353), Amsterdam, The Netherlands |
2. Purpose and Scope of Processing
The Processor processes personal data on behalf of the Customer solely for the purpose of providing regulatory intelligence analysis services through the financialregulations.eu platform. Processing activities include account management, authentication, regulatory document analysis, AI-powered query processing, and the generation of regulatory reports.
3. Categories of Data and Data Subjects
3.1 Categories of Personal Data
- Account data (name, email address, company name)
- Regulatory queries submitted to the Service
- Uploaded documents for regulatory analysis
- AI-generated analysis results and reports
- Usage data (query counts, timestamps, interaction logs)
3.2 Data Subjects
The data subjects are the Customer's authorised users of the Service. Uploaded documents may also contain personal data of third parties referenced in regulatory documents (e.g., names, signatures, or other identifying information).
4. Processing Location
All personal data is processed within the European Union. Infrastructure is hosted on AWS eu-central-1 (Frankfurt) for backend processing and AI analysis via AWS Bedrock, and on Supabase EU for database and authentication services. Customer data processed via AWS Bedrock is contractually guaranteed not to be used for model training or improvement.
5. Sub-processors
The Processor engages third-party sub-processors to assist in the delivery of the Service. The current list of sub-processors, including their purposes and processing locations, is maintained in the Privacy Policy (Section 5: Sub-processors).
The Processor shall notify the Customer of any intended changes to the list of sub-processors, giving the Customer the opportunity to object to such changes. If the Customer objects on reasonable grounds relating to data protection, the parties shall discuss the matter in good faith to find a resolution.
6. Security Measures
The Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption of data at rest and in transit (TLS)
- Strict access controls on a need-to-know basis
- Row-Level Security (RLS) enforced at the database level to ensure data isolation between customers
- Regular security reviews and assessments of systems, infrastructure, and sub-processors
- Secure development practices, including code reviews and vulnerability testing
7. Data Retention
Personal data is retained in accordance with the retention periods set out in the Privacy Policy (Section 6: Data Retention). In summary:
- Regulatory reports and AI-generated outputs: 12 months from date of generation
- All personal data upon account closure: deleted within 30 days from active systems
- Residual copies in encrypted backups: overwritten within 90 days of account closure
Upon termination of the Service agreement, or upon written request from the Customer, the Processor shall delete all personal data processed on behalf of the Customer, except where retention is required by applicable law.
8. Data Subject Rights
The Processor assists the Customer in fulfilling data subject requests under Chapter III of the GDPR, including rights of access, rectification, erasure, data portability, restriction of processing, and objection. Data subjects may exercise their rights via self-service functionality in the platform or by contacting privacy@financialregulations.eu.
9. Data Breach Notification
In the event of a personal data breach, the Processor shall notify the Customer without undue delay and in any case within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR. The notification shall include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects.
The Processor shall cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach, and in any notifications required to be made to supervisory authorities or data subjects.
10. Audits and Inspections
The Processor shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and shall allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer. Any audit shall be conducted with reasonable notice and during normal business hours, and shall not unreasonably disrupt the Processor's operations.
11. Contact
For all matters relating to this DPA, including requests for a signed copy, please contact:
To execute this DPA or request a signed copy, contact dpa@financialregulations.eu.