Loading…
This Data Processing Addendum ("DPA") is entered into between RegulatoryBridge Global Ltd. ("Processor" or "RegulatoryBridge") and the customer that accepts the Terms of Service or executes an Order Form ("Controller" or "Customer").
The DPA applies to RegulatoryBridge's processing of personal data on Customer's behalf in connection with the Services. Customer is the controller (or, where applicable, a processor acting on behalf of its own customer-controllers). RegulatoryBridge is the processor (or, as applicable, a sub-processor). Where personal data is processed by both parties for joint purposes, the parties will execute a separate joint-controller arrangement under Art. 26 GDPR.
"Applicable Data Protection Law" means the GDPR; UK GDPR + Data Protection Act 2018; California CCPA/CPRA; Brazil LGPD; India DPDPA; Singapore PDPA; Japan APPI; Swiss FADP; and any other privacy law applicable to the processing under this DPA.
Capitalised terms used but not defined have the meanings in the Terms of Service or the Applicable Data Protection Law (whichever applies to the specific term).
The subject matter, nature, purpose, duration, categories of data subjects, and categories of personal data are set out in Annex A.
RegulatoryBridge will process personal data only on Customer's documented instructions, as specified in (a) the Order Form, (b) this DPA, and (c) any additional written instructions accepted by RegulatoryBridge. We will notify Customer if, in our opinion, an instruction violates Applicable Data Protection Law, and we may pause processing pending a Customer decision.
All RegulatoryBridge personnel and contractors with access to personal data are bound by written confidentiality obligations or are under an appropriate statutory duty of confidentiality, and receive regular data-protection and security training.
We will implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. The current measures are described in Annex B and aligned with ISO/IEC 27001:2022 and SOC 2 Type II control families.
Customer authorises RegulatoryBridge to engage the sub-processors listed on the Sub-processors page (and reflected in Annex C). Each sub-processor is bound by written terms providing data-protection obligations at least as protective as those in this DPA. We will provide at least 30 days' prior notice of new sub-processors. Customer may object on reasonable grounds within that window, and the parties will negotiate in good faith; if no resolution is reached, Customer may terminate the affected Service.
Taking into account the nature of the processing, RegulatoryBridge will provide reasonable assistance through appropriate technical and organisational measures to enable Customer to fulfil its obligation to respond to requests by data subjects exercising their rights. Where a data subject contacts RegulatoryBridge directly with a request relating to Customer's data, we will promptly forward the request to Customer.
RegulatoryBridge will notify Customer without undue delay — and in any event within 48 hours of becoming aware — of any personal data breach affecting Customer's personal data. The notification will include the information specified in Article 33(3) GDPR (or equivalent under other Applicable Data Protection Law) to the extent then known. We will provide reasonable assistance to Customer in meeting its own notification obligations to supervisory authorities and data subjects.
Where personal data is transferred from the EEA / UK / Switzerland to a third country not benefiting from an adequacy decision, the parties incorporate by reference the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module 2 (Controller → Processor) or Module 3 (Processor → Processor) as applicable, together with the UK International Data Transfer Addendum for UK transfers, and the Swiss FDPIC-recognised adaptations for Swiss transfers.
For transfers from India (DPDPA), Brazil (LGPD), Japan (APPI), and Singapore (PDPA), the parties will rely on the mechanisms recognised under the relevant law (consent, adequacy, contractual safeguards) and on country-specific addenda available on request.
RegulatoryBridge will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer. To minimise duplication and operational disruption:
At Customer's choice, on termination of the Services, RegulatoryBridge will return all personal data to Customer or delete it, including from backups, within 90 days, unless retention is required by Applicable Data Protection Law. Customer may export Customer Content during the Subscription Term using the standard export tools described in the Documentation.
Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service, except as required to be uncapped by Applicable Data Protection Law.
This DPA is effective from the effective date set out above and remains in force for as long as RegulatoryBridge processes personal data on Customer's behalf. Sections that by their nature should survive termination (security, confidentiality, audit, breach notification of pre-termination events) will so survive.
This DPA is governed by the law of Ireland, without prejudice to mandatory law of the data subject's habitual residence. Disputes are resolved in accordance with the Terms of Service.
Subject matter: Provision of the Services described in the Order Form, including regulatory representation, DPO services, breach response, and related software.
Duration: The Subscription Term plus the retention period set out in Section 12 of this DPA.
Nature & purpose of processing: Storing, accessing, organising, structuring, transmitting, and otherwise processing personal data to provide the Services.
Categories of data subjects: Customer's end users, employees, contractors, prospects, vendors, and any other natural persons whose personal data is included in Customer Content.
Categories of personal data: Contact identifiers (name, business email, role); behavioural data (interactions with the Services); compliance artefacts (DSAR records, breach incidents, consent records); content uploaded by Customer (which may include other categories, depending on Customer's configuration).
Special-category data: Generally none. If Customer chooses to upload special-category or sensitive personal data, Customer is responsible for ensuring an appropriate lawful condition under Article 9 GDPR or equivalent.
Frequency of processing: Continuous, for the duration of the Subscription Term.
The current list of authorised sub-processors is published and maintained at /sub-processors. The list at Order Form acceptance is incorporated here by reference. Updates are communicated as set out in Section 7.
src/lib/legal-entity.ts.