Data processing agreement

Last updated: 28 May 2026

1. Purpose

This page summarises the standard data-processing position for cmpliance.ai customer agreements. It is intended to support launch-stage review, procurement, and pilot discussions.

Production or pilot processing of real customer personal data requires appropriate written terms between the customer and paterhn GmbH, including data-processing terms. Synthetic demos are separate.

This page is not a standalone executed DPA unless it is expressly incorporated into a signed customer agreement, order form, or accepted customer order flow. If a signed customer agreement, order form, or separately executed DPA applies, that signed agreement controls.


2. Roles

For customer-submitted personal data processed through the Service:

  • The customer is the controller.
  • paterhn GmbH acts as processor.
  • cmpliance.ai processes personal data on documented customer instructions.

If a use case requires a different role allocation, it must be documented in the applicable customer agreement.


3. Processing details

Subject matter

Provision of the cmpliance.ai Service, including compliance workflow support, KYC/AML workflow support, EU AI Act documentation support, evidence pack preparation, workflow orchestration, platform security, support, and auditability.

Duration

For the term of the applicable customer agreement and any deletion, return, retention, audit, backup, dispute, or legal-hold period stated in that agreement.

Nature and purpose

The Service may receive, organise, extract, classify, summarise, route, store, and present customer-submitted data to support compliance workflows and customer-controlled human review.

Data subjects

Depending on customer configuration, data subjects may include:

  • Customer account users and administrators
  • Customer employees and contractors
  • Clients, counterparties, and applicants
  • Beneficial owners, directors, signatories, and related parties
  • Individuals named in customer-uploaded evidence, screening results, or workflow records

Data categories

Depending on customer configuration, Customer Personal Data may include:

  • Business contact data
  • Identity and verification data
  • Company, registry, ownership, and relationship data
  • KYC/AML diligence information
  • Screening, sanctions, PEP, adverse-media, and risk signals
  • Uploaded documents and extracted facts
  • Workflow metadata, reviewer notes, audit records, and evidence pack data

Customers must not upload sensitive production data, special-category data, criminal-offence-related data, or regulated KYC/AML production data unless applicable written terms are in place and the customer has confirmed the legal basis and safeguards for that processing.


4. Demo and production-data boundary

Synthetic, sandbox, pre-production, or evaluation workspaces are intended for synthetic or non-production data only unless we expressly enable real production personal-data processing under a written customer agreement and applicable data-processing terms.

For production or pilot processing of real customer personal data, the applicable agreement should define the approved processing scope, data categories, subprocessors, transfer safeguards, retention, deletion, audit, and security commitments.


5. Customer obligations

The customer is responsible for:

  • Determining the purposes and means of processing
  • Having a lawful basis for processing
  • Providing required notices to data subjects
  • Ensuring submitted data is lawful, accurate, and appropriate for the configured workflow
  • Configuring human review, access controls, retention, and workflow settings
  • Deciding whether outputs can be used in a specific business or regulatory process

6. Processor obligations

paterhn GmbH will:

  • Process Customer Personal Data only on documented customer instructions, unless required by law
  • Ensure personnel with access are subject to confidentiality obligations
  • Apply technical and organisational measures appropriate to the Service
  • Assist the customer with data subject requests where required and reasonably possible
  • Assist with security, breach, deletion, and audit obligations as set out in the applicable agreement
  • Use subprocessors under written terms designed to protect Customer Personal Data
  • Delete or return Customer Personal Data according to the applicable agreement

7. AI-assisted processing

The Service may use AI-assisted systems to extract, classify, summarise, organise, or generate decision-support outputs.

cmpliance.ai does not use Customer Personal Data to train public or foundation AI models.

Customers remain responsible for appropriate human review before using outputs for legal, regulatory, financial, onboarding, rejection, employment, credit, or similarly significant decisions.


8. Security measures

Our current technical and organisational measures are summarised in the Technical and Organisational Measures and Security pages. Measures may vary by plan, configuration, deployment model, and signed customer agreement.


9. Subprocessors

The customer gives general authorisation for subprocessors needed to provide, secure, support, and improve the Service, unless the signed customer agreement states otherwise.

A public summary is available on the Subprocessors page. Subprocessor notice, objection rights, transfer safeguards, and update mechanisms are governed by the applicable customer agreement.


10. International transfers

Where Customer Personal Data is transferred outside Switzerland, the EEA, or another adequate jurisdiction, we use appropriate safeguards such as Standard Contractual Clauses or equivalent protections under applicable data protection law.

Specific transfer commitments may depend on region, provider, feature, customer configuration, and signed agreement.


11. Data subject requests

If we receive a request from a data subject whose personal data is processed on behalf of a customer, we will direct the requester to the customer where appropriate. We will assist the customer with responding where required by the applicable agreement.


12. Security incidents

If we become aware of a security incident affecting Customer Personal Data, we will notify affected customers without undue delay where notification obligations are triggered and provide information reasonably needed to assess the incident.


13. Audit and information

We will make reasonable information available to demonstrate compliance with applicable processor obligations. The form, frequency, and scope of audits or security reviews are governed by the applicable customer agreement.


14. Contact

For data-processing questions or to request the current customer DPA package:

cmp@cmpliance.ai

paterhn GmbH, Gotthardstrasse 26, 6300 Zug, Switzerland