Legal
Data Processing Agreement
This DPA forms part of the agreement (the "Principal Agreement" / Terms of Service) between the customer organisation ("Controller", "you") and Andrejs Sevcenko, an individual established in Latvia [address ___] ("Processor", "we"), for the processing of personal data in the Service. Self-hosted deployments: where you run Cerynix in your own environment, you are controller and operator of your own data and we typically process no personal data on your behalf; this DPA then applies only to any personal data we actually process (e.g. support data).
1. Roles & scope
You are the controller of the personal data contained in Customer Content; we process it only as a processor, on your documented instructions, to provide the Service. Each party complies with its own obligations under the GDPR (Regulation (EU) 2016/679) and applicable Latvian data-protection law.
2. Subject matter & duration [Art. 28(3) chapeau]
- Subject matter: provision of the Cerynix GRC platform (managed).
- Duration: the term of the Principal Agreement plus the return / deletion period in §10.
- Nature & purpose: hosting, storage and processing of compliance, risk, asset, evidence, incident and connector data to deliver the Service.
- Categories of data & data subjects: see Annex I.
3. Processor obligations [Art. 28(3)(a)–(h)]
We will:
- (a) process personal data only on your documented instructions (incl. for transfers), unless required by EU / Member-State law, in which case we inform you unless the law prohibits it;
- (b) ensure persons authorised to process are bound by confidentiality;
- (c) take all security measures required by Art. 32 (see §6 / Annex II);
- (d) respect the conditions in §4 for engaging sub-processors;
- (e) assist you, by appropriate technical and organisational measures, insofar as possible, to respond to data-subject rights requests (Ch. III GDPR);
- (f) assist you in ensuring compliance with Arts. 32–36 (security, breach notification, DPIA, prior consultation), taking account of the nature of processing and the information available to us;
- (g) at your choice, delete or return personal data on end of provision (§10);
- (h) make available information necessary to demonstrate compliance and allow for and contribute to audits (§7). We will inform you if, in our opinion, an instruction infringes the GDPR.
4. Sub-processors [Art. 28(2), (4)]
You give general written authorisation for us to engage sub-processors. We impose data-protection obligations equivalent to this DPA on each sub-processor by written contract, and remain liable for their performance. We maintain the current list in Annex III / our Sub-processors page and will notify you of intended additions or replacements at least [30] days in advance, giving you the opportunity to object on reasonable data-protection grounds; if an objection cannot be resolved, you may terminate the affected Service.
5. International transfers [Ch. V]
Primary hosting is in the EU (Germany — Hetzner), so Customer Content is stored in the EEA by default. Where a sub-processor entails a transfer outside the EEA (e.g. edge / CDN via Cloudflare, a US company), the transfer relies on an appropriate Art. 46 safeguard — the European Commission's Standard Contractual Clauses and/or an adequacy mechanism (e.g. EU–US Data Privacy Framework), with any supplementary measures required — incorporated by reference. See our Sub-processors page.
6. Security measures [Art. 32]
We implement technical and organisational measures appropriate to the risk, summarised in Annex II. We do not claim any certification (e.g. ISO 27001, SOC 2) that we do not hold.
7. Audit [Art. 28(3)(h)]
We make available information reasonably necessary to demonstrate compliance with this DPA and, on reasonable prior notice, no more than [once per year] (or after a breach), subject to confidentiality, allow for audits / inspections by you or a mandated independent auditor.
8. Personal data breaches [Art. 33(2)]
We notify you without undue delay after becoming aware of a personal data breach affecting your data, with the information available to help you meet your own notification obligations, per our internal breach-response procedure.
9. Assistance with data-subject rights & DPIAs
Taking account of the nature of processing, we provide reasonable assistance for data-subject requests (access, rectification, erasure, restriction, portability, objection) and for your DPIAs and prior consultations under Arts. 35–36.
10. Return & deletion [Art. 28(3)(g)]
On termination or expiry, at your choice, we delete or return your personal data and delete existing copies within [30] days, unless EU / Member-State law requires retention. Backups are overwritten on their normal rotation.
11. Liability & precedence
Liability under this DPA is subject to the limitations in the Principal Agreement, except where the GDPR mandates otherwise. In case of conflict on data-protection matters, this DPA prevails.
Annex I — Details of processing
| Categories of data subjects | Customer's personnel / users; individuals referenced in Customer Content (e.g. named in evidence, incidents, connector data). |
|---|---|
| Categories of personal data | Account & contact data (name, work email, org, role); authentication data; any personal data present in evidence, asset / incident records or connector data the Customer chooses to load; usage / technical data (IP, logs, audit events). |
| Special categories | Not intended / required by the Service; the Customer should avoid loading Art. 9 data. |
| Nature of processing | Storage, organisation, retrieval, display, export, deletion; automated readiness scoring; optional AI-assisted analysis with PII / secret masking before any external LLM call. |
| Purpose | Providing the GRC readiness / evidence-management Service. |
| Duration | Term of the Principal Agreement + deletion / return period (§10). |
Annex II — Technical & organisational measures
- Multi-tenant isolation:
organization_id+workspace_idfilter on every query; optional PostgreSQL Row-Level Security forced on tenant tables (deploy-time). - Access control: RBAC on every route; least-privilege system roles.
- Authentication: bcrypt password hashing, short-lived signed JWTs, account lockout, auth + write rate limiting.
- Audit logging: append-only, hash-chained (tamper-evident) audit ledger of sensitive actions.
- Secrets: no hardcoded secrets; connector credentials encrypted at rest (Fernet), never returned by the API.
- Transport / edge: TLS in transit; security headers; internal datastores bound to loopback behind host firewall; interactive API docs disabled in production.
- Backups: nightly backups; off-site backup copy [enabled where configured].
- Personal-data handling: per-tenant retention setting; PII / secret masking before external LLM calls.
Annex III — Approved sub-processors
See our Sub-processors page (incorporated by reference). Complete before execution.