
Data Processing Agreement

Version 0.1 (draft) · GDPR Article 28 · Last updated [DATE].

⚠️ Draft template — not legal advice. This is a starting point for a GDPR Article 28 processing agreement. Complete the [placeholders] — especially the sub-processor list and Annexes — and have qualified counsel review it before executing it with customers.

This Data Processing Agreement ("DPA") forms part of the agreement between the customer organisation ("Controller", "you") and Cerynix, operated by [Andrejs Sevcenko / legal entity name] ("Processor", "we"), for the processing of personal data in the Service. Where you self-host Cerynix, you act as controller and (technical) processor of your own data and this DPA applies only to any personal data we process on your behalf.

1. Roles & scope

You are the controller of the personal data contained in the Service content you upload; we process it only as a processor, on your documented instructions, to provide the Service.

2. Subject matter & duration

  • Subject matter: provision of the Cerynix GRC platform.
  • Duration: for the term of your agreement plus any deletion/return period.
  • Nature & purpose: hosting, storage and processing of compliance, risk, asset and evidence data.
  • Data subjects: your personnel and any individuals referenced in your content.
  • Categories: contact and account data, and any personal data present in evidence or connector data you choose to load.

See Annex I.

3. Processor obligations

  • Process personal data only on your documented instructions, including for transfers, unless required by law.
  • Ensure persons authorised to process are bound by confidentiality.
  • Implement appropriate technical and organisational measures (Section 6 / Annex II).
  • Assist you, taking account of the nature of processing, with data-subject requests and with your obligations under Articles 32–36 GDPR.
  • Make available information needed to demonstrate compliance and allow for reasonable audits (Section 7).

4. Sub-processors

You authorise us to engage sub-processors under written terms imposing equivalent obligations. We will inform you of intended changes and give you the opportunity to object. Current sub-processors:

  • [Hosting / IaaS provider] — infrastructure hosting — [region].
  • [CDN / edge provider] — content delivery & edge security — [region].
  • [Email provider] — transactional email — [region].
  • [Add or remove as applicable].

Self-hosted deployments typically involve no Cerynix sub-processors for your Service content.

5. International transfers

Where personal data is transferred outside the EEA, the parties rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, which are incorporated by reference. An EU data-residency option is available.

6. Security measures

  • Multi-tenant isolation via PostgreSQL Row-Level Security (forced on tenant tables).
  • Role-based access control on every route; audit logging of sensitive actions.
  • Encryption of connector secrets at rest; write-only secret handling.
  • Hardened network edge (security headers, rate limiting, closed internal endpoints).
  • Backups and, where enabled, off-site backup copies.
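The first measure above (Row-Level Security forced on tenant tables) is the one an auditor is most likely to ask to see; the following is an added illustration of what that looks like in PostgreSQL, not Cerynix's own schema. The `evidence` table, its `tenant_id` column and the `app.tenant_id` session setting are assumptions.

```sql
-- Added example (not Cerynix's schema): multi-tenant isolation via RLS.
-- Assumed table: one row per evidence item, tagged with its tenant.
CREATE TABLE evidence (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    title      text NOT NULL
);

-- ENABLE alone still exempts the table owner; FORCE makes the owner
-- (often the same role the application or migrations run as) subject
-- to the policies too. This is what "forced on tenant tables" means.
ALTER TABLE evidence ENABLE ROW LEVEL SECURITY;
ALTER TABLE evidence FORCE ROW LEVEL SECURITY;

-- The application sets the tenant per transaction, e.g.
--   SET LOCAL app.tenant_id = '<tenant uuid>';
-- current_setting(name, true) returns NULL when the setting is absent,
-- and NULLIF turns an empty string into NULL as well, so a request
-- that forgot to set its tenant context sees no rows instead of all
-- rows (fail closed). WITH CHECK blocks writes tagged for another tenant.
CREATE POLICY tenant_isolation ON evidence
    USING (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Walk-through (constructed values): inside tenant A's transaction the
-- insert succeeds and the select returns only tenant A's rows.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO evidence (tenant_id, title)
    VALUES ('11111111-1111-1111-1111-111111111111', 'Access review Q1');
SELECT id, title FROM evidence;
COMMIT;

-- A transaction with no tenant context sees nothing.
BEGIN;
SELECT count(*) FROM evidence;
COMMIT;

-- Check worth putting in the evidence pack: both flags must be true for
-- every tenant table, and the application role must be neither a
-- superuser nor marked BYPASSRLS, since those bypass policies entirely.
SELECT relname, relrowsecurity, relforcerowsecurity
FROM pg_class WHERE relname = 'evidence';
SELECT rolname, rolsuper, rolbypassrls FROM pg_roles WHERE rolname = current_user;
```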

7. Audit

We will make available information reasonably necessary to demonstrate compliance with this DPA and, on reasonable notice and subject to confidentiality, allow for audits or inspections conducted by you or a mandated auditor.

8. Personal data breaches

We will notify you without undue delay after becoming aware of a personal data breach affecting your data, and provide information to help you meet your notification obligations.

9. Return & deletion

On termination, at your choice, we will delete or return your personal data and delete existing copies, unless retention is required by law.

10. Annexes

Annex I — details of processing (categories, data subjects, purposes). Annex II — technical and organisational measures. Annex III — approved sub-processors. [Complete before execution.]

© 2026 Cerynix. All rights reserved.

Cerynix supports your NIS2, ISO/IEC 27001 and GDPR readiness. It is not legal advice and does not guarantee compliance or certification. This page is a draft template pending review by qualified counsel.