Legal

Data Processing Agreement

This Data Processing Agreement (DPA) forms part of the agreement between Regwolf and the customer and governs Regwolf's processing of personal data on the customer's behalf under Article 28 GDPR.

Last updated 7 June 2026Version 2.0Effective 7 June 2026
How to use this DPA. It applies automatically to every paying customer as part of our Terms. If you need a countersigned copy, email dpo@regwolf.com.

01 Scope & roles

For Customer Data, the customer is the controller and Regwolf is the processor. Where the customer is itself a processor for its own customers, Regwolf is a sub-processor. Regwolf processes personal data only on documented instructions from the customer.

02 Definitions

"Personal data", "processing", "controller", "processor" and "data subject" have the meanings in the GDPR. "Customer Data" means personal data Regwolf processes on the customer's behalf via the service.

03 Details of processing (Annex)

ItemDetail
Subject matterProvision of the Regwolf compliance-automation platform
DurationFor the term of the agreement
Nature & purposeCollecting, storing and presenting compliance evidence
Data subjectsCustomer personnel, contractors and connected-system users
Data categoriesIdentifiers, account & access data, system and evidence metadata

04 Controller & processor obligations

Regwolf will:

  • process Customer Data only on the controller's documented instructions;
  • ensure persons authorised to process are bound by confidentiality;
  • implement the security measures in section 07;
  • assist the controller with data-subject requests and compliance duties;
  • make available information needed to demonstrate compliance.

The controller is responsible for the lawfulness of the data it provides and its instructions.

05 Sub-processors

The customer authorises Regwolf to engage the sub-processors listed in the Trust Center. Regwolf imposes equivalent data-protection obligations on each, remains liable for their performance, and will give prior notice of changes with a right to object.

06 International transfers

Customer Data is hosted in the EU. Any transfer outside the EEA relies on an adequacy decision or the Standard Contractual Clauses, with supplementary measures as required by Chapter V GDPR.

07 Security measures

Regwolf maintains technical and organisational measures including:

  • encryption of data in transit and at rest;
  • least-privilege access control and MFA;
  • network segmentation, logging and continuous monitoring;
  • backup, disaster recovery and tested restoration;
  • an ISO 27001-aligned security program with regular testing.

08 Data-subject requests & assistance

Regwolf will promptly notify the controller of any data-subject request it receives and provide reasonable assistance, taking into account the nature of processing, to help the controller respond and meet its obligations under Articles 32–36 GDPR.

09 Personal-data breach notification

Regwolf will notify the controller without undue delay, and in any case within 48 hours, after becoming aware of a personal-data breach affecting Customer Data, with the information the controller needs to meet its own 72-hour notification duty.

10 Audits

Regwolf will make available the information necessary to demonstrate compliance and allow for audits, including by providing current certifications and reports, and — on reasonable notice and subject to confidentiality — supporting controller audits.

11 Deletion & return

On termination, Regwolf will, at the controller's choice, delete or return Customer Data within 30 days and delete existing copies, except where storage is required by law.

12 Contact

Data-protection matters under this DPA: dpo@regwolf.com. For a signed counterpart, include your legal entity details.

Questions?

Need a signed DPA?

Email dpo@regwolf.com with your entity details and we'll return a countersigned copy.