ComplySherpa

Data Processing Addendum (Overview)

Last updated: October 2025

This overview summarizes how ComplySherpa processes personal data on behalf of its customers. It complements our Privacy Policy and forms part of the Terms of Service. A full signed DPA can be provided upon request.

1. Roles

  • Customer — the data controller (determines purpose and means).
  • ComplySherpa — the data processor (processes data on customer’s behalf).

2. Purpose of Processing

To deliver and support compliance-automation services including evidence collection, framework mapping, reporting, notifications, and account management.

3. Categories of Data

Typical data includes user contact details, authentication data, audit evidence files, and platform activity logs. Sensitive categories are not required unless supplied voluntarily by the customer.

4. Sub-Processors

ComplySherpa uses vetted sub-processors for cloud hosting, storage, and analytics (e.g., Microsoft Azure, Amazon Web Services, and Microsoft Clarity). A current list is maintained at /subprocessors.

5. International Transfers

Data may be processed in Canada, the United States, and the European Union. Transfers rely on adequacy decisions or Standard Contractual Clauses (SCCs) as appropriate.

6. Security

ComplySherpa implements technical and organizational measures aligned with ISO 27001 and SOC 2 Type II controls: encryption at rest/in transit, access logging, vulnerability management, and regular penetration testing.

7. Data Subject Rights

Customers can fulfill access, correction, or deletion requests through in-app tools or by contacting privacy@complysherpa.com. ComplySherpa assists customers in meeting their obligations under GDPR Articles 15–22.

8. Retention & Deletion

Customer data is retained for the duration of the subscription and securely deleted or returned within 60 days of termination, unless legal retention obligations require otherwise.

9. Audits & Assurance

Upon reasonable notice, customers may review relevant audit reports (SOC 2 Type II and ISO 27001 certificates) to verify compliance with this DPA.

10. Contact

For privacy or data-protection inquiries, email privacy@complysherpa.com.

This summary is provided for informational purposes only and does not constitute legal advice. The signed DPA governs in the event of inconsistency.

© 2025 ComplySherpa - Automated Compliance
