Data Processing Agreement

This Data Processing Agreement (“DPA”) is entered into between:

• Processor: KI·SUM·AI - Kisum GmbH, Sonnwendjochstr. 6, 81825 München, Germany (HRB 199159 München, VAT DE 284483293) — the legal entity operating the ComplianceLint service.
• Controller: the legal entity that has signed up to or otherwise uses the ComplianceLint service (“Customer”).

The Processor and Controller are individually a “Party” and collectively the “Parties”.

Capitalised terms used in this DPA have the meanings given in Regulation (EU) 2016/679 (the “GDPR”) unless otherwise defined here. In particular:

• “Personal Data”, “Processing”, “Controller”, “Processor”, “Sub-processor”, “Data Subject”, “Personal Data Breach”, and “Supervisory Authority” have the meanings given in Art. 4 GDPR.
• “Service” means the ComplianceLint SaaS dashboard and IDE-attached scanner operated by the Processor at compliancelint.com / compliancelint.dev and ancillary domains.
• “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as adopted by Commission Implementing Decision (EU) 2021/914.
• “Sub-processor List” means the current list of sub-processors maintained at /legal/sub-processors.

The Customer is the Controller of the Personal Data processed by the Service in connection with the Customer's use of the Service. The Processor processes Personal Data on behalf of the Customer in accordance with this DPA, the Service order or terms of service, and the Customer's documented instructions.

This DPA applies to the extent that the Processor processes Personal Data on behalf of the Customer that is subject to the GDPR or to equivalent data-protection legislation of EU/EEA Member States, the United Kingdom, or Switzerland.

Subject matter. The Processor processes Personal Data only to provide, secure, support, bill for, and improve the Service in accordance with the terms of service and the Customer's documented instructions.

Duration. This DPA remains in force for as long as the Processor processes Personal Data on behalf of the Customer pursuant to the terms of service, and survives termination of the terms of service to the extent the Processor continues to hold Personal Data of the Customer (e.g. during the wind-down and deletion period defined in §13).

Purpose. The specific purposes of Processing are: account creation and authentication; performing automated and human-assisted compliance assessments on metadata describing the Customer's software project; storing and presenting the resulting findings; managing team membership and permissions; sending transactional emails; processing payments; and operating, securing, and supporting the Service.

Categories of Data Subjects: the Customer's personnel, contractors, team members, and authorised representatives who use the Service on behalf of the Customer; and individuals whose personal data may be incidentally referenced in compliance findings (e.g. project owners listed in metadata).

Categories of Personal Data:

• Account identifiers: email address, name, optional profile data
• Authentication artefacts: hashed session tokens, magic-link tokens (short-lived), API keys (hashed)
• Usage metadata: IP address (truncated to /24 prefix in logs), user-agent, timestamps, page visits
• Service content: compliance findings (JSON classifications — never source code), repository metadata, evidence references
• Billing data: subscription tier, plan history, billing-event identifiers (full payment data is processed by the payment-services sub-processor and is not retained by the Processor)
• Operational logs: error events, audit-log entries, diagnostic metadata as described in the privacy policy §6a

The Processor does not knowingly process special categories of Personal Data within the meaning of Art. 9 GDPR, criminal conviction data within the meaning of Art. 10 GDPR, or personal data of children within the meaning of Art. 8 GDPR.

In addition to the obligations imposed on the Processor by the GDPR and other applicable data protection law, the Processor agrees that it shall:

• (a) Documented instructions. Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by Union or Member-State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
• (b) Confidentiality. Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
• (c) Security. Take all measures required pursuant to Art. 32 GDPR (security of processing) — see §7 below.
• (d) Sub-processors. Respect the conditions set out in Art. 28(2) and Art. 28(4) GDPR for engaging Sub-processors — see §8 below.
• (e) Data Subject rights assistance. Taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to requests for exercising Data Subject rights laid down in Chapter III GDPR.
• (f) Compliance assistance. Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments, prior consultation), taking into account the nature of Processing and the information available to the Processor.
• (g) Return / deletion. At the choice of the Controller, delete or return all Personal Data after the end of the provision of services relating to Processing, and delete existing copies unless Union or Member-State law requires storage of the Personal Data — see §13 below.
• (h) Audit information. Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller — see §11 below.

The Processor maintains appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, where appropriate:

• Encryption in transit via TLS 1.2+ (HTTPS) for all customer-facing endpoints and inter-service traffic
• Encryption at rest of the application database via LUKS2 (cipher AES-XTS-Plain64, 512-bit key) on the production server. Master passphrase is held by the controller-side founder only and is not auto-loaded at boot
• Access control including authenticated sessions, role-based access to administrative functions, and audit logging of all state-changing operations
• Pseudonymisation of identifying metadata in operational logs (truncated IP prefixes /24, salted SHA-256 hashes for consent records, never full plaintext IP)
• Network isolation of production systems from development environments
• A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures

A current detailed description of the Processor's technical and organisational measures is maintained internally and is available on written request to info@compliancelint.com from the Controller's authorised representative. The Processor may update its technical and organisational measures from time to time, provided that any update does not materially diminish the level of protection of Personal Data.

The Customer grants the Processor a general written authorisation to engage Sub-processors to assist in the provision of the Service, subject to this §8.

The current list of Sub-processors is maintained at /legal/sub-processors and forms part of this DPA. The Processor will notify the Customer in writing — either by email to the address on the Customer's account or by an in-product announcement that requires acknowledgement — of any intended addition or replacement of a Sub-processor at least 14 days in advance, except where the change is required by an urgent security or regulatory necessity, in which case the Processor shall give such notice as is reasonably practicable in the circumstances.

The Customer may object to the engagement of a new Sub-processor on reasonable data-protection grounds within the notice period. If the Parties cannot agree on reasonable accommodation, the Customer's sole remedy is to terminate the affected portion of the Service in accordance with the terms of service, with a pro-rated refund where contractually applicable.

The Processor shall ensure that each Sub-processor is engaged under a written contract that imposes data-protection obligations equivalent to those set out in this DPA, and shall remain fully liable to the Customer for the performance of each Sub-processor's obligations.

Where the Processor or any Sub-processor transfers Personal Data outside the European Economic Area, the United Kingdom, or Switzerland to a country that has not been the subject of an adequacy decision under Art. 45 GDPR (or its UK / CH equivalent), the Processor shall ensure such transfer is made subject to an appropriate Art. 46 GDPR transfer mechanism, including (as applicable) the Standard Contractual Clauses, the EU–U.S. Data Privacy Framework certification (where the recipient is certified), the UK International Data Transfer Addendum, and supplementary technical and organisational safeguards.

The Customer authorises the Processor to enter into the relevant transfer mechanism on behalf of the Customer where necessary to permit the use of Sub-processors listed at /legal/sub-processors.

Taking into account the nature of the Processing and the information available to the Processor, the Processor shall assist the Customer by appropriate technical and organisational measures in:

• Responding to requests from Data Subjects exercising their rights under Chapter III GDPR (in particular, the Customer's administrators may use the in-product data-export and account-deletion functions to satisfy requests under Art. 15 / Art. 17 / Art. 20 GDPR for the Customer's own end users)
• Ensuring compliance with Art. 32 (security), Art. 33 / 34 (breach notification), Art. 35 (data protection impact assessment), and Art. 36 (prior consultation) GDPR, where applicable

The Processor may charge a reasonable fee for assistance that is materially beyond the standard product-functionality channels and that is requested as a bespoke engagement. Standard product-functionality channels (in-product export, deletion, data subject communication) are provided at no additional charge.

The Processor will provide the Customer with information reasonably necessary to demonstrate compliance with this DPA and Art. 28 GDPR, in the following forms (in order of preference):

• Written responses to a reasonable audit questionnaire submitted by the Customer or its auditor
• Up-to-date copies of the Processor's information security documentation, technical and organisational measures, sub-processor list, and applicable certifications
• Where the foregoing is reasonably insufficient and audit obligations under Art. 28(3)(h) GDPR remain unsatisfied, an on-site audit by a mutually agreed third-party auditor under reasonable confidentiality terms, at the Customer's expense, conducted no more frequently than once per twelve-month period and on at least 30 days' written notice (except in the event of a confirmed material Personal Data Breach concerning the Customer's data, in which case the notice period may be shortened by mutual agreement)

The Processor shall notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting the Customer's Personal Data. The notification shall describe, to the extent then known: the nature of the breach, including categories and approximate numbers of Data Subjects and records concerned; the likely consequences of the breach; and the measures taken or proposed to be taken to address the breach and mitigate its possible adverse effects.

The Processor maintains a documented breach-notification procedure aligned to Art. 33 GDPR; further detail is available on written request to info@compliancelint.com.

Upon termination of the terms of service, the Customer may request the return or deletion of its Personal Data processed by the Service. The Customer can self-serve such return / deletion using the in-product data-export (/api/v1/user/export or equivalent UI control) and account-deletion (/api/v1/user/delete or equivalent UI control) functions.

In the absence of a specific instruction, the Processor will delete Personal Data on the schedule described in the privacy policy at /legal/privacy (in particular §6a Retention) or, where Personal Data forms part of records the Processor is required to retain under Union or Member-State law (including § 257 HGB, § 147 AO, § 14b UStG), the Processor shall continue to store such Personal Data in pseudonymised form for the duration of the statutory retention period as permitted by Art. 17(3)(b) GDPR.

Each Party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability provisions of the terms of service. In no event shall the limitations of liability in the terms of service be interpreted to limit (i) any party's liability for fines imposed by a Supervisory Authority directly on that party, (ii) liability that cannot be excluded under applicable law, or (iii) liability for breach of obligations under Art. 82 GDPR.

This DPA enters into force when the Customer first signs up to the Service or, for existing customers, on the effective date stated above. It terminates automatically when the underlying terms of service terminate, except that §7 (Security), §12 (Personal Data Breach), §13 (Return and Deletion), and §14 (Liability) survive for so long as the Processor continues to hold the Customer's Personal Data.

This DPA is governed by the laws of the Federal Republic of Germany, excluding its conflict-of-laws rules and the United Nations Convention on Contracts for the International Sale of Goods. Exclusive jurisdiction lies with the courts of München, Germany, to the extent permitted by applicable law.

Where the underlying terms of service specify a different governing law and jurisdiction, the data-protection obligations under the GDPR continue to apply independently of that choice of law to the extent required by Art. 3 GDPR.

In the event of any conflict between this DPA, the terms of service, and any annex, the order of precedence is: (i) any explicit Standard Contractual Clauses or other statutorily-prescribed clauses adopted by the Parties for international transfers; (ii) this DPA; (iii) the terms of service.

The Processor pre-executes this DPA on its own behalf as of the version date stated above. The Customer is deemed to have entered into and accepted this DPA on behalf of itself and its authorised affiliates by signing up to or continuing to use the Service.

The Customer may request a counter-signed PDF copy by emailing info@compliancelint.com with the Customer's legal name, registered address, and authorised signatory.

Pre-executed by Processor:
KI·SUM·AI - Kisum GmbH
Sonnwendjochstr. 6, 81825 München, Germany
Authorised signatory: the managing director (Geschäftsführer) of KI·SUM·AI - Kisum GmbH
Effective date: April 2026 (Version 1.0)

For questions about this DPA, requests for a counter-signed copy, or requests for additional documentation, please contact info@compliancelint.com with the subject line “DPA inquiry”.