Data Processing Agreement
Last updated: 14 May 2026 · Version 1.2
This DPA governs Raize's processing of personal data on behalf of Customer in connection with the Raize Orion Compliance platform. It supplements (and where applicable supersedes) the Master Services Agreement.
Need a counter-signed copy?
Email legal@raizehq.dev with your org name. We countersign within 1 working day.
1. Definitions
Terms not defined here have the meaning given in UK GDPR (Data Protection Act 2018) or, where applicable, EU GDPR (Regulation 2016/679). “Processor” means Raize Technology Ltd; “Controller” means the Customer organisation; “Sub-processor” means any third party engaged by Raize to process personal data on Customer's behalf, listed at /privacy.
2. Subject matter and duration
Raize processes personal data uploaded by Customer to the platform (compliance evidence, control owners, risk register, audit findings, vendor records) for the duration of Customer's active subscription plus a 90-day read-only window after cancellation, then deletion within 30 days of the read-only window closing.
3. Nature and purpose of processing
- Storing controls, evidence, risks, audit findings, policies, and vendor records uploaded by Customer.
- Generating reports (PDF / CSV / DOCX) at Customer's explicit request.
- Sending transactional emails (sign-in notifications, MFA enrolment, deadline reminders).
- AI-assisted drafting + scoring (control mapping, policy gap analysis, evidence quality) where Customer enables those features.
4. Categories of data subject + personal data
Categories of data subject:
- Customer's employees and contractors who use the platform
- Customer's vendors named in vendor risk records
- Auditors invited via the auditor portal
- Trust Center visitors (if Customer publishes one)
Categories of personal data:
- Identity: name, work email, role, organisation
- Authentication: hashed password, MFA enrolment metadata, sign-in IP + user-agent + timestamp
- Operational: actions taken in-app (audit log, retained for the lifetime of Customer's active subscription plus 30 days post-termination; Customer can self-serve export at any time via Dashboard → Admin → Audit Log → Export CSV; quarterly off-site encrypted snapshots retained for 7 years to meet the regulatory retention floor)
- Special category data: none processed by default. If Customer chooses to upload PHI / health records into a HIPAA workspace, a separate BAA applies (see §10).
5. Customer instructions
Raize processes personal data only on documented instructions from Customer, including for international transfers. The instructions are: (a) the published platform features, (b) Customer's configuration settings, and (c) any specific written instruction Customer gives via support@raizehq.dev. Raize will notify Customer if it cannot comply with an instruction (e.g. legally restricted).
6. Security measures (Art. 32 GDPR)
- Encryption in transit: TLS 1.2+ enforced; TLS 1.0/1.1 rejected. HSTS preload enabled.
- Encryption at rest: AES-256 (Supabase Postgres + Vercel CDN + Resend SMTP all encrypt at rest).
- Access control: row-level security on every Postgres table, scoped by org_id. MFA enforced on every user role.
- Auditing: immutable per-row audit log capturing INSERT / UPDATE / DELETE with old + new payloads, retained for the lifetime of the subscription + 30 days; Customer self-service CSV export available at any time; sign-in geolocation; tamper-evident control checks.
- Resilience: daily Supabase point-in-time backups (7-day retention default; 28-day on enterprise); cross-region replication available on request.
- Vendor management: all sub-processors bound by DPA at least as protective as this one. Annual security review.
7. Sub-processors
Current sub-processor list at /privacy §5. Customer authorises Raize to engage the listed sub-processors. Raize will notify Customer at least 30 days before adding or replacing a sub-processor; Customer may object on reasonable data-protection grounds, in which case Raize will work in good faith to find an alternative.
8. International transfers
Primary processing in Ireland (Supabase eu-west-1). Marketing assets served from Vercel global edge (CDN cache only — no personal data persisted at the edge). Limited transfers to the US for Sentry (error monitoring) and Voyage AI (control-text embeddings) are governed by the EU Standard Contractual Clauses (Module 2: Controller-to-Processor) incorporated by reference here, plus UK ICO Addendum where UK GDPR applies.
9. Data subject rights
Raize provides Customer with the technical means to fulfil data subject rights requests (Art. 15-22 GDPR) directly via the platform's DSR fulfilment workflow (Customer self-serve). For requests Customer cannot fulfil within the platform, Raize will assist within 5 working days of a written request to privacy@raizehq.dev.
10. HIPAA Business Associate Agreement
If Customer processes Protected Health Information (PHI) within a HIPAA-enabled workspace, a separate Business Associate Agreement applies, available on request. The BAA covers HIPAA Security Rule §164.308–318, Privacy Rule §164.500–534, and Breach Rule §164.400–414.
11. Personal data breach notification
Raize will notify Customer without undue delay (target: within 24 hours) of becoming aware of a personal data breach affecting Customer's data. The notification will include nature of the breach, approximate number of data subjects affected, likely consequences, and measures taken or proposed.
12. Audits
Customer may audit Raize's compliance with this DPA once per calendar year, with 30 days' written notice, at Customer's expense. In lieu of an on-site audit, Raize provides its current SOC 2 Type II report (under NDA) and ISO 27001 certificate.
13. Return or deletion of data
On termination, Customer can export all data via the in-app Export Suite (CSV / JSON / PDF) within the 90-day read-only window. After 120 days from cancellation, all Customer personal data is permanently deleted from Raize systems and sub-processors, except where Raize is legally required to retain it (e.g. invoicing data — 6 years per UK HMRC obligation).
14. Liability + governing law
Liability for processing under this DPA is governed by the limits set out in the Master Services Agreement. This DPA is governed by the laws of England and Wales. Disputes are subject to the courts of England and Wales, save where the GDPR mandates a different jurisdiction.
15. Counterparts + signature
For a counter-signed PDF copy of this DPA, email legal@raizehq.dev with your registered organisation name and registered address. Standard turnaround: 1 working day. Custom redlines available for Enterprise tier customers.