Data Processing Agreement (DPA)
Last updated: 1 March 2026
1. Parties and Subject Matter
This Data Processing Agreement ("DPA") is entered into between:
- Data Controller: the user or organisation accessing the COGNIQUITY Service ("Customer")
- Data Processor: COGNIQUITY ("Provider")
The DPA governs the processing of personal data carried out by the Provider on behalf of the Customer in connection with the delivery of the Service, in accordance with Regulation (EU) 2016/679 ("GDPR") and applicable law.
2. Processing Instructions
The Provider shall process personal data solely in accordance with the Customer's documented instructions, which include:
- Processing necessary for Service delivery as described in the Terms of Service
- Processing required by applicable law (the Provider shall promptly inform the Customer unless legally prohibited)
3. Security Measures
The Provider implements appropriate technical and organisational measures to protect personal data, including:
| Measure | Detail |
|---|---|
| Encryption in transit | TLS 1.2+ on all connections |
| Encryption at rest | AES-256 for stored data |
| Access control | Multi-factor authentication for administrators |
| Logging | Audit logs of data access |
| Backups | Daily backups with 30-day retention |
4. Sub-processors
The Customer authorises the Provider to engage the following sub-processors:
| Sub-processor | Service | Location |
|---|---|---|
| Supabase Inc. | Database and authentication | USA (SCCs applicable) |
| Anthropic PBC | AI processing | USA (SCCs applicable) |
| Vercel Inc. | Hosting and CDN | USA (SCCs applicable) |
The Provider will notify the Customer of any planned changes to sub-processors with at least 30 days' notice, allowing the Customer to object.
5. International Transfers
Transfers of data to third countries take place on the basis of Standard Contractual Clauses (SCCs) adopted by the European Commission, or another GDPR-compliant transfer mechanism.
6. Data Subject Rights
The Provider assists the Customer in fulfilling its obligations relating to data subject rights (access, rectification, erasure, portability, objection) within the timeframes required by law. Requests should be directed to rolando@cogniquity.com.
7. Breach Notification
The Provider will notify the Customer of any personal data breach within 72 hours of becoming aware of it, providing the information necessary for any notification to the supervisory authority.
8. Data Deletion
Upon termination of the contractual relationship or at the Customer's request, the Provider will delete or return all personal data within 30 days, unless a legal retention obligation applies.
9. Audits and Inspections
The Customer has the right to carry out audits or inspections (including via third parties) to verify the Provider's compliance with this DPA, with at least 30 days' notice and at mutually agreed times.
10. Duration
This DPA is in force for the entire duration of the contractual relationship between the Customer and the Provider and terminates automatically upon its conclusion.
11. DPO Contact
For matters relating to data processing, contact: rolando@cogniquity.com