Data Processing Agreement

Version 1.0 · Effective: 14 May 2026 · Based on EU Commission Standard Contractual Clauses (Art.28 GDPR)

Summary: When you activate a live evidence record, IRP Compliance processes personal data on your behalf as a data processor. This agreement sets out how that data is handled, who is responsible, and what rights you have. It is based on the EU Commission's standard Art.28 GDPR template.

1. Parties

Role	Party	Description
Data Controller	Your organisation	The entity that determines the purposes and means of processing personal data, you, the organisation completing the assessment.
Data Processor	Intent Record AB	Processes personal data on behalf of the Controller, solely to provide the EU AI Act Readiness Assessment and evidence record service.
Sub-processor	Supabase Inc (EU region)	Infrastructure provider. Stores assessment data in EU data centres (Frankfurt, Germany). Bound by Supabase's own DPA and EU SCCs.

2. Subject Matter and Duration

This agreement governs the processing of personal data submitted as part of the IRP Compliance EU AI Act Readiness Assessment, including name, email address, company name, role, and assessment responses. Processing begins at submission and continues until the Controller requests deletion or the retention period expires.

3. Nature and Purpose of Processing

Storing your completed assessment record as a live evidence record
Generating and delivering PDF reports to your email address
Enabling ongoing evidence continuity (remediation tracking, version history)
Sending service notifications related to your evidence record

IRP Compliance will not process your data for any other purpose without your explicit instruction.

4. Data Categories

Category	Examples
Contact data	Name, email address, company name, role title
Assessment responses	Answers to EU AI Act readiness questions, scores, maturity level
Organisation context	Revenue band, employee count, AI system type
Usage metadata	Timestamps, language preference, integrator context

No special category data (Art.9 GDPR) is collected. No biometric data is processed by IRP Compliance.

5. Processor Obligations

IRP Compliance commits to:

Process data only on documented instructions from the Controller
Ensure all personnel with access to personal data are bound by confidentiality
Implement appropriate technical and organisational security measures (Art.32 GDPR)
Not engage additional sub-processors without prior written consent from the Controller
Assist the Controller with data subject rights requests (access, rectification, erasure, portability)
Delete or return all personal data at end of service, at the Controller's choice
Provide all information necessary to demonstrate compliance with Art.28 GDPR

6. Security Measures

Data stored in Supabase (EU region, Frankfurt) with AES-256 encryption at rest
TLS 1.2+ encryption in transit
Row-level security (RLS) policies ensure each organisation can only access its own data
Access tokens scoped to individual authenticated sessions via Supabase magic link
No third-party analytics or advertising scripts on assessment pages

7. Sub-processors

Sub-processor	Purpose	Location	Safeguard
Supabase Inc	Database and authentication infrastructure	EU (Frankfurt, DE)	EU SCCs, Supabase DPA
AWS SES (via Supabase)	Transactional email delivery (magic links, reports)	EU	AWS DPA, EU SCCs

IRP Compliance will notify the Controller of any intended changes to sub-processors with reasonable notice, giving the Controller the opportunity to object.

8. Data Subject Rights

To exercise any data subject right (access, rectification, erasure, restriction, portability, or objection), contact: privacy@irp-compliance.xyz. IRP Compliance will respond within 30 days and will assist the Controller in fulfilling rights requests within the timescales required by GDPR.

9. Retention

Free tier (assessment only): data retained for 30 days from completion, then automatically deleted
Activated evidence record: data retained until the Controller requests deletion or exports the record
Controllers may request immediate deletion at any time by emailing privacy@irp-compliance.xyz

10. International Transfers

All data is stored and processed within the EU (Supabase Frankfurt region). No transfers outside the EU/EEA are made by IRP Compliance. Sub-processors operating outside the EU are bound by EU Standard Contractual Clauses.

11. Governing Law

This agreement is governed by EU Regulation 2016/679 (GDPR) and the laws of Sweden. Disputes shall be submitted to the competent supervisory authority in the Controller's member state.

12. Contact

Intent Record AB
privacy@irp-compliance.xyz
For data subject requests, compliance questions, or to request deletion of your evidence record.