Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the agreement between the customer organisation ("Controller", "you") and Cerynix, operated by [Andrejs Sevcenko / legal entity name] ("Processor", "we"), for the processing of personal data in the Service. Where you self-host Cerynix, you act as controller and (technical) processor of your own data and this DPA applies only to any personal data we process on your behalf.
1. Roles & scope
You are the controller of the personal data contained in the Service content you upload; we process it only as a processor, on your documented instructions, to provide the Service.
2. Subject matter & duration
Subject matter: provision of the Cerynix GRC platform. Duration: for the term of your agreement plus any deletion/return period. Nature & purpose: hosting, storage and processing of compliance, risk, asset and evidence data. Data subjects: your personnel and any individuals referenced in your content. Categories: contact and account data, and any personal data present in evidence or connector data you choose to load. See Annex I.
3. Processor obligations
- Process personal data only on your documented instructions, including for transfers, unless required by law.
- Ensure persons authorised to process are bound by confidentiality.
- Implement appropriate technical and organisational measures (Section 6 / Annex II).
- Assist you, taking account of the nature of processing, with data-subject requests and with your obligations under Articles 32–36 GDPR.
- Make available information needed to demonstrate compliance and allow for reasonable audits (Section 7).
4. Sub-processors
You authorise us to engage sub-processors under written terms imposing equivalent obligations. We will inform you of intended changes and give you the opportunity to object. Current sub-processors:
- [Hosting / IaaS provider] — infrastructure hosting — [region].
- [CDN / edge provider] — content delivery & edge security — [region].
- [Email provider] — transactional email — [region].
- [Add or remove as applicable].
5. International transfers
Where personal data is transferred outside the EEA, the parties rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, which are incorporated by reference. An EU data-residency option is available.
6. Security measures
- Multi-tenant isolation via PostgreSQL Row-Level Security (forced on tenant tables).
- Role-based access control on every route; audit logging of sensitive actions.
- Encryption of connector secrets at rest; write-only secret handling.
- Hardened network edge (security headers, rate limiting, closed internal endpoints).
- Backups and, where enabled, off-site backup copies.
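As an added illustration of what "forced on tenant tables" means in the first bullet (example code, not Cerynix's own schema; the `evidence` table, its `tenant_id` column and the `app.tenant_id` session setting are assumed), the weak setting and the corrected one side by side, followed by the check an auditor can run under Section 7:

```sql
-- Added example (not Cerynix's actual schema): table, column and the
-- app.tenant_id setting are assumed for illustration.
CREATE TABLE evidence (
  id        uuid PRIMARY KEY,
  tenant_id uuid NOT NULL,
  body      text
);

-- Weak: ENABLE alone. Policies are not applied to the table owner, so an
-- application role that owns its tables still reads every tenant's rows.
ALTER TABLE evidence ENABLE ROW LEVEL SECURITY;

-- Corrected: FORCE applies the policies to the owner as well. Only superusers
-- and roles with BYPASSRLS remain exempt, so the app should connect as neither.
ALTER TABLE evidence FORCE ROW LEVEL SECURITY;

-- Tenant scoping policy. The application sets app.tenant_id per transaction
-- after authenticating, e.g. SET LOCAL app.tenant_id = '<tenant uuid>'.
-- current_setting(..., true) returns '' when unset; NULLIF turns that into NULL,
-- so a request with no tenant context matches zero rows instead of erroring.
CREATE POLICY tenant_isolation ON evidence
  USING (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
  WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Audit check: every table carrying a tenant_id column must show
-- enabled = true AND forced = true. Any row with forced = false is a gap.
SELECT c.relname,
       c.relrowsecurity      AS enabled,
       c.relforcerowsecurity AS forced
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind = 'r'
  AND EXISTS (SELECT 1 FROM pg_attribute a
              WHERE a.attrelid = c.oid
                AND a.attname  = 'tenant_id'
                AND NOT a.attisdropped);
```

The final query is the control test to pair with this DPA clause: RLS that is enabled but not forced, or a tenant table with no policy attached, does not deliver the isolation the clause promises.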
7. Audit
We will make available information reasonably necessary to demonstrate compliance with this DPA and, on reasonable notice and subject to confidentiality, allow for audits or inspections conducted by you or a mandated auditor.
8. Personal data breaches
We will notify you without undue delay after becoming aware of a personal data breach affecting your data, and provide information to help you meet your notification obligations.
9. Return & deletion
On termination, at your choice, we will delete or return your personal data and delete existing copies, unless retention is required by law.
10. Annexes
Annex I — details of processing (categories, data subjects, purposes). Annex II — technical and organisational measures. Annex III — approved sub-processors. [Complete before execution.]