Data Processing Agreement
Version 2026-05. Last updated: 20 May 2026.
This Data Processing Agreement ("DPA") is incorporated by reference into the Confidly Terms of Service and applies to every Customer whose use of the Confidly platform involves the processing of personal data subject to Regulation (EU) 2016/679 ("GDPR"), the UK Data Protection Act 2018, or the Swiss Federal Act on Data Protection ("FADP"). It also serves as the Module Two ("Controller to Processor") Standard Contractual Clauses ("SCCs", Commission Implementing Decision (EU) 2021/914) for transfers governed by Chapter V GDPR, where required.
If the Customer requires a signed PDF, write to [email protected] with the legal entity name, registry number, and signatory details. A counter-signed copy is returned within five business days at no charge.
1. Definitions
"Applicable Data Protection Law" means the GDPR, the UK GDPR, the Swiss FADP, and any binding national implementing legislation. Terms used here without definition (Personal Data, Processing, Controller, Processor, Data Subject, Sub-processor, Supervisory Authority) have the meanings given in Article 4 GDPR.
2. Roles and scope
The Customer is the Controller. Confidly is the Processor. Where the Customer is itself a processor acting for a further controller, this DPA constitutes a sub-processor agreement and Confidly follows the Customer's instructions as if the Customer were the Controller.
This DPA governs Processing performed in connection with the Customer's use of the Confidly platform under the Terms of Service. It does not apply to personal data of the Customer's account-administrators that Confidly processes as a Controller (covered by the Privacy Policy).
3. Subject matter, duration, nature, and purpose (Art. 28(3))
- Subject matter: receiving, storing, and managing whistleblower reports, attachments, follow-up communications, and case workflow data, plus identity, role, and audit data for Customer's staff.
- Duration: from the effective date of the Terms of Service until the later of (a) the deletion of all Customer Data or (b) the end of the export window provided in section 14 (return or deletion) of this DPA.
- Nature of processing: collection, storage, structuring, consultation, retrieval, disclosure to authorised Customer staff, restriction, and deletion, performed automatically by the platform with limited manual operations for support.
- Purpose: enabling the Customer to operate an internal reporting channel that complies with Directive (EU) 2019/1937 and equivalent national laws, and to investigate the reports received.
4. Categories of Personal Data (Annex I.B)
- Identifiers of authorised users (email, name, role, organisation membership)
- Free-text report content submitted by reporters
- Attachments uploaded with reports (documents, audio, images, video)
- Optional pseudonyms chosen by reporters
- Case metadata (case code, status, category, severity, assigned investigator, timestamps)
- Messages exchanged inside the case thread
- Audit log entries (user ID, action, IP address, user-agent, timestamp)
- Special categories (Art. 9) only to the extent voluntarily included by reporters in the free-text report or attachments. Confidly does not solicit special categories but cannot prevent reporters from disclosing them. These are treated with the additional safeguards in section 8.
5. Categories of Data Subjects
- Customer's staff users (employees of the Controller)
- Reporters: typically the Controller's employees, former employees, contractors, suppliers, shareholders, board members, job applicants, volunteers, and trainees, as defined in Art. 4 of Directive (EU) 2019/1937
- Third parties named within report content
6. Customer instructions (Art. 28(3)(a))
Confidly processes Personal Data only on the Customer's documented instructions, which consist of the Terms of Service, the platform configuration the Customer sets in the admin console, and any further instructions reasonably agreed in writing. If Confidly considers that an instruction infringes Applicable Data Protection Law, it notifies the Customer (typically within 5 business days) before performing the processing.
7. Confidentiality (Art. 28(3)(b))
All Confidly personnel with access to Customer Data are bound by a written confidentiality undertaking that survives termination. Background checks are run on personnel with production access. Access to Customer Data is on a need-to-know basis and is logged.
8. Technical and organisational measures (Art. 28(3)(c), Art. 32, Annex II)
Confidly maintains the following measures. The complete current statement is published at /trust; this DPA incorporates it by reference. The measures will not be materially weakened during the term.
8.1 Encryption
- TLS 1.3 for all data in transit. HSTS preload enabled on all customer-facing domains.
- AES-256 at rest for application databases and object storage.
- Per-object encryption keys for reporter attachments; keys held in a separate KMS.
- Bcrypt cost factor 12 for reporter secrets; Argon2id for staff where the identity provider supports it.
8.2 Confidentiality, integrity, availability, resilience (Art. 32(1)(b))
- Production environment isolated from development and staging by separate VPCs and IAM roles.
- Workload runs behind WAF and DDoS protection at the edge.
- SAST and dependency scanning on every commit; quarterly third-party penetration test.
- Daily encrypted backups with a separate KMS key, retained 30 days; restore drill at least monthly.
- RTO 4 hours, RPO 1 hour for production database.
- Multi-AZ database with synchronous replica in the EU.
8.3 Pseudonymisation and data minimisation (Art. 32(1)(a), Art. 5(1)(c))
- Reporters are never asked for identifying information; reporter IP addresses are stripped at ingress and are not stored. (IP addresses of the Customer's staff users are retained in the audit log, as listed in section 4.)
- EXIF metadata is removed from uploaded images on ingest.
- Free-text fields are not indexed for search outside the customer's tenant.
- AI summarisation runs on a per-request basis with no retention by the sub-processor.
8.4 Access control and audit
- Customer-side access enforced by Clerk SSO; MFA is available to all staff users and the Customer's admin can make it mandatory for the tenant.
- Role-based access: admin, manager, investigator, auditor.
- Append-only audit log of every read, write, and download action.
- Daily audit-log export to a WORM (write-once-read-many) bucket retained 7 years.
- Quarterly access review documented in the change-management system.
8.5 Personnel security
- Background checks for all production-access personnel.
- Annual security and privacy training; refresher within 30 days of any policy change.
- Hardware MFA for all engineering and support staff with production access.
- Bring-your-own-device prohibited for production access; managed devices only.
8.6 Incident response
- 24/7 paging for security alerts.
- Documented playbooks for personal data breach, account takeover, and ransomware.
- Breach notification to controllers within 24 hours of becoming aware of a confirmed personal data breach (see section 12), with the information set out in Art. 33(3).
- Annual tabletop exercise covering at least one personal-data scenario.
9. Sub-processors (Art. 28(2), (4))
The Customer grants general authorisation to engage the sub-processors listed at /trust as of the effective date. Confidly will:
- Give the Customer at least 30 days' prior notice of any intended addition or replacement, by email to the billing contact and by update to /trust.
- Impose data-protection obligations on each sub-processor that are no less protective than this DPA.
- Remain fully liable to the Customer for each sub-processor's performance.
The Customer may object on reasonable data-protection grounds within the notice period. Confidly will work in good faith to address the objection. If no reasonable resolution is found, the Customer may terminate the affected subscription with a pro-rata refund of prepaid fees for the unused term.
10. International transfers (Chapter V)
Personal Data is stored in the European Union. Where transfer to a third country is necessary (specifically: Clerk and Anthropic in the United States), Confidly relies on the SCCs and supplementary measures as follows:
- Clerk: EU SCCs (Module Three, processor-to-processor, since Confidly acts as Processor for data under this DPA), data residency option enabled to keep authentication data inside the EU where supported, EU-US Data Privacy Framework as secondary safeguard.
- Anthropic: EU SCCs (Module Three for processor-to-processor), Zero Data Retention contractual term, ephemeral processing only, no use for model training.
A transfer impact assessment is on file and available to Customers under NDA.
11. Assistance to the Controller (Art. 28(3)(e), (f))
Confidly assists the Customer in meeting its GDPR obligations by:
- Providing tools in the admin console to identify, export, correct, and delete data relating to specific data subjects (within the limits of anonymity guarantees owed to reporters).
- Responding within 10 business days to written requests from the Customer for assistance with Articles 32-36 (security, breach notification, DPIA, prior consultation).
- Making available a Transfer Impact Assessment and Penetration Test Summary under NDA on request.
12. Personal data breach (Art. 33)
Confidly notifies the Customer without undue delay and in any case within 24 hours of becoming aware of a confirmed personal data breach affecting the Customer's data. The notification will include the information required by Art. 33(3): the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed.
13. Audits (Art. 28(3)(h))
Confidly makes available to the Customer the information necessary to demonstrate compliance: the published TOMs, the Penetration Test Summary, the SOC 2 Type II report (when issued, expected Q4 2026), and the current sub-processor list. Where these documents do not suffice, the Customer may request an audit:
- Once per calendar year, with 30 days' prior written notice.
- Conducted by the Customer or a qualified independent auditor under NDA.
- During Confidly's normal business hours, in a way that does not unreasonably interfere with operations.
- At the Customer's expense, except where the audit reveals material non-compliance attributable to Confidly.
A supervisory authority may audit on its own initiative; Confidly will cooperate fully and at no charge.
14. Return or deletion (Art. 28(3)(g))
On termination of the Terms of Service, Customer may export Customer Data via the admin console for 30 days. After 30 days, Confidly deletes Customer Data from active systems within a further 30 days and from backups within 90 days. Audit-log stubs (timestamps and event types, no content) are retained 7 years to demonstrate compliance with Art. 18 of Directive (EU) 2019/1937 and equivalent national rules.
15. Liability
The liability of each party under this DPA is subject to the limitations in the Terms of Service. Nothing in this DPA limits a data subject's rights under Art. 82 or a party's liability for fines under Arts. 83-84.
16. Conflicts
In case of conflict between this DPA and the Terms of Service, this DPA prevails for matters of personal data protection. In case of conflict with the SCCs as incorporated, the SCCs prevail.
17. Governing law and venue
Governing law and venue follow the Terms of Service, except that the SCCs are governed by the law of an EU Member State that allows third-party-beneficiary rights for data subjects (Ireland by default).
Annex III: Sub-processors (current)
The authoritative, dated list lives at /trust. Snapshot at the version date of this DPA:
- Hetzner Online GmbH (DE), hosting
- Cloudflare Ireland Ltd (IE/global), edge network, WAF, DDoS
- Clerk, Inc. (US), staff identity provider; SCCs + DPF
- Anthropic, PBC (US), AI inference; SCCs + Zero Data Retention
- Stripe Payments Europe Ltd (IE), billing
- Amazon Web Services EMEA SARL, eu-central-1 (DE), transactional email (SES)
- Sentry GmbH (DE), error monitoring; report content is scrubbed before transmission