Data Processing Agreement
under Art. 28 GDPR – between the Controller and AX1S / AIGOY (Processor)
Controller
[Company / Name]
[Street, No.]
[Postcode, City], [Country]
represented by: [Name]
“Controller”
Processor
Thomas Brandt, sole proprietor trading under the brand AX1S / AIGOY
AX1S c/o Clevver, Winterhuder Weg 29
22085 Hamburg, Germany
“Processor”
§ 1 Subject matter and duration
Processing of personal data by the Processor on behalf of the Controller in the context of providing the AIGOY platform (AI Governance, Risk & Compliance). The term matches the main agreement and ends upon its termination.
§ 2 Nature, scope and purpose
Provision of the AIGOY platform and its modules (AI inventory, Risk Management, Policy Management, Compliance Reporting, Board Portal, Training Hub, Whistleblowing) and AI-assisted preparation of policies and risk assessments by the Compliance CoWorker “Felix” on the four-eyes principle. Processing solely to provide the services and on the Controller’s documented instructions.
§ 3 Types of data and categories of data subjects
Types of personal data (typical):
- Master/contact data (name, business email, department, role)
- Authentication data (hashed password, login timestamp, session token)
- Usage and log data of the platform (incl. audit trail)
- Training/competence data (module progress, certificates)
- Content data entered by the Controller (e.g. policies, risks, reports)
Categories of data subjects: the Controller’s employees, executives and officers, platform users, and where applicable third parties whose data the Controller enters as part of its compliance processes.
Special categories (Art. 9 GDPR) are not part of the intended use; entering them is the Controller’s sole responsibility and should be avoided.
§ 4 Obligations of the Processor
Pursuant to Art. 28(3) GDPR the Processor undertakes in particular to:
- process data only on the Controller’s documented instructions (incl. third-country transfers, unless legally required).
- ensure persons authorised to process are committed to confidentiality.
- implement the technical and organisational measures required under Art. 32 GDPR (Annex 1).
- comply with the conditions for engaging further processors (Art. 28(2) and (4)) (§ 6, Annex 2).
- assist the Controller in fulfilling data subject rights (Art. 12–23).
- assist the Controller with obligations under Art. 32–36 (security, breach notification, DPIA).
- delete or return personal data after processing ends, at the Controller’s choice (§ 10).
- provide evidence of compliance and allow audits (§ 9).
§ 5 Technical and organisational measures (TOMs)
The TOMs in Annex 1 (Art. 32 GDPR) apply. Measures may be adapted to technical progress provided the level of protection is not reduced.
§ 6 Sub-processors
The Controller grants general authorisation for the sub-processors listed in Annex 2. The Processor concludes Art. 28 GDPR agreements with them imposing equivalent obligations. Changes are notified in advance; the Controller may object on important data-protection grounds. For third-country transfers, appropriate safeguards apply (Standard Contractual Clauses under Art. 46(2)(c) GDPR or the EU-U.S. Data Privacy Framework).
§ 7 Data subject rights
The Processor supports the Controller in responding to data subject requests and forwards any requests addressed directly to it without undue delay.
§ 8 Notification of personal data breaches
The Processor notifies the Controller without undue delay after becoming aware of a personal data breach, with the information required under Art. 33 GDPR, so the Controller can meet its obligations under Art. 33, 34 GDPR.
§ 9 Audit and evidence rights
Evidence is provided primarily through suitable documentation (e.g. SOC 2 Type II of the infrastructure used, audit reports, TOM documentation). Where necessary, the Processor enables audits with reasonable notice and without disproportionate disruption.
§ 10 Deletion and return
After processing ends, the Processor deletes or returns all personal data at the Controller’s choice and destroys copies, unless a statutory retention obligation applies. Deletion is confirmed on request.
§ 11 Liability
Liability is governed by Art. 82 GDPR and the main agreement.
§ 12 Final provisions
Amendments require text form. In case of conflict, the data-protection provisions of this agreement prevail over the main agreement. German law applies.
Name / function
Thomas Brandt
Annex 1 – Technical & organisational measures (Art. 32 GDPR)
AIGOY is developed in Germany, hosted in Germany and supported from Germany.
| Objective | Measure |
|---|---|
| Confidentiality | Encryption in transit (TLS 1.2+) and at rest (AES-256); Row Level Security (RLS); role-based, least-privilege access. |
| Integrity | INSERT-only audit trail; four-eyes approval cockpit – every write action by Felix takes effect only after approval. |
| Availability & resilience | Regular backups within the EU region; hardened infrastructure (Supabase / AWS eu-central-1 Frankfurt, SOC 2 Type II). |
| Data residency | Processing/storage in the EU (Frankfurt/Germany). AI inference: no training on the data; EU inference (AWS Bedrock Frankfurt) in preparation. |
| Separation | Logical tenant separation (tenant_id) enforced via RLS. |
| Engagement control | Art. 28 DPAs with all sub-processors; SCC/DPF for third-country transfers. |
Annex 2 – Approved sub-processors
| Sub-processor | Location | Service / purpose | Note |
|---|---|---|---|
| IONOS SE | Montabaur, Germany 🇩🇪 | Web hosting | Art. 28 DPA |
| Supabase Inc. | AWS eu-central-1, Frankfurt 🇩🇪 (EU) | Backend, database, auth, Edge Functions | Art. 28 DPA; SOC 2 Type II |
| Anthropic PBC | USA 🇺🇸 | AI service (Claude model) for analyses / CoWorker Felix | No training on data; SCC + EU-U.S. DPF; Art. 28 DPA |
| Stripe Payments Europe, Ltd. | Dublin, Ireland 🇮🇪 (EU) | Payment processing | Business / Enterprise plans only |
Last updated: May 2026. This template is a starting point and does not constitute legal advice. Please adapt it to the specific case and have it legally reviewed before use. A current sub-processor list is published on the Trust & Security page.