This Data Processing Agreement (DPA) forms part of the agreement between Regwolf and the customer and governs Regwolf's processing of personal data on the customer's behalf under Article 28 GDPR.
For Customer Data, the customer is the controller and Regwolf is the processor. Where the customer is itself a processor for its own customers, Regwolf is a sub-processor. Regwolf processes personal data only on documented instructions from the customer.
"Personal data", "processing", "controller", "processor" and "data subject" have the meanings in the GDPR. "Customer Data" means personal data Regwolf processes on the customer's behalf via the service.
| Item | Detail |
|---|---|
| Subject matter | Provision of the Regwolf compliance-automation platform |
| Duration | For the term of the agreement |
| Nature & purpose | Collecting, storing and presenting compliance evidence |
| Data subjects | Customer personnel, contractors and connected-system users |
| Data categories | Identifiers, account & access data, system and evidence metadata |
Regwolf will:
The controller is responsible for the lawfulness of the data it provides and its instructions.
The customer authorises Regwolf to engage the sub-processors listed in the Trust Center. Regwolf imposes equivalent data-protection obligations on each, remains liable for their performance, and will give prior notice of changes with a right to object.
Customer Data is hosted in the EU. Any transfer outside the EEA relies on an adequacy decision or the Standard Contractual Clauses, with supplementary measures as required by Chapter V GDPR.
Regwolf maintains technical and organisational measures including:
Regwolf will promptly notify the controller of any data-subject request it receives and provide reasonable assistance, taking into account the nature of processing, to help the controller respond and meet its obligations under Articles 32–36 GDPR.
Regwolf will notify the controller without undue delay, and in any case within 48 hours, after becoming aware of a personal-data breach affecting Customer Data, with the information the controller needs to meet its own 72-hour notification duty.
Regwolf will make available the information necessary to demonstrate compliance and allow for audits, including by providing current certifications and reports, and — on reasonable notice and subject to confidentiality — supporting controller audits.
On termination, Regwolf will, at the controller's choice, delete or return Customer Data within 30 days and delete existing copies, except where storage is required by law.
Data-protection matters under this DPA: dpo@regwolf.com. For a signed counterpart, include your legal entity details.
Email dpo@regwolf.com with your entity details and we'll return a countersigned copy.