
Data Processing Agreement

Last updated: April 2026
Version: v1.0

This Data Processing Agreement (“DPA”) forms part of the agreement between Pericls Ltd (“Processor”) and the customer (“Controller”) for the provision of the Pericls Regulatory Compliance Intelligence Platform (the “Service”). This DPA applies where and to the extent Pericls processes personal data on behalf of the Controller in accordance with the General Data Protection Regulation (“GDPR”).

1. Definitions

Terms not defined in this DPA have the meanings ascribed to them in the GDPR or the main service agreement. Key terms:

Personal Data: Any information relating to an identified or identifiable natural person processed under this DPA.
Processing: Any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
Sub-processor: A third party engaged by the Processor to process personal data on behalf of the Controller.
Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of personal data.

2. Scope & Purpose of Processing

The Processor shall process personal data solely for the purpose of providing the Service as described in the main agreement and as further specified in Annex A below.

Detail | Description
Subject matter | Provision of the Pericls regulatory compliance platform
Duration | For the term of the service agreement plus the data retention period
Nature of processing | Storage, analysis, transformation, and display of regulatory data
Categories of data subjects | Employees, administrators, and end users of the Controller
Categories of personal data | Name, email, role, organization, usage data, uploaded content

3. Obligations of the Processor

The Processor shall:

  1. Process personal data only on documented instructions from the Controller, unless required by law
  2. Ensure that persons authorized to process personal data are bound by confidentiality obligations
  3. Implement appropriate technical and organizational security measures (see Section 5)
  4. Assist the Controller in responding to data subject requests
  5. Assist the Controller in meeting its obligations regarding data breach notification, impact assessments, and prior consultation
  6. At the Controller's choice, delete or return all personal data upon termination of the service agreement
  7. Make available all information necessary to demonstrate compliance and allow for audits

4. Sub-processors

The Controller authorizes the Processor to engage sub-processors. A current list is maintained at our Sub-Processors page.

The Processor shall: (a) notify the Controller at least 30 days before engaging a new sub-processor; (b) impose equivalent data protection obligations on each sub-processor; and (c) remain fully liable for the acts and omissions of its sub-processors.

The Controller may object to a new sub-processor within 14 days of notification. If the objection is not resolved, the Controller may terminate the affected services without penalty.

5. Security Measures

The Processor shall implement and maintain technical and organizational measures appropriate to the risk, including:

  • Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256)
  • Regular testing and evaluation of security measures
  • Access controls and authentication requirements
  • Logging and monitoring of data access
  • Incident response and business continuity procedures
  • Employee training on data protection

6. Data Breach Notification

The Processor shall notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a personal data breach. The notification shall include:

  • Nature of the breach, including categories and approximate number of data subjects affected
  • Contact details of the DPO or other point of contact
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

7. International Transfers

The Processor shall not transfer personal data outside the EEA/UK without ensuring adequate safeguards as required by Chapter V of the GDPR. The Standard Contractual Clauses (Module Two: Controller to Processor) as adopted by the European Commission Decision 2021/914 are incorporated into this DPA by reference and apply to any such transfers.

8. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to data subject rights requests, including access, rectification, erasure, restriction, portability, and objection. The Processor shall promptly forward any data subject request it receives directly to the Controller.

9. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits conducted by the Controller or an independent auditor mandated by the Controller, subject to reasonable notice and confidentiality obligations.

10. Term & Termination

This DPA takes effect on the date the Controller begins using the Service and continues until the service agreement terminates or expires. Upon termination, the Processor shall, at the Controller's choice, delete or return all personal data within 30 days, unless retention is required by applicable law.

11. Governing Law

This DPA is governed by the laws applicable to the main service agreement, except where data protection law mandates otherwise. For EU Controllers, the GDPR and applicable EU Member State law shall apply to any data protection matters.

Contact

To request a signed copy of this DPA or for any data protection inquiries, contact:

Pericls Ltd
Email: privacy@pericls.com
DPO: dpo@pericls.com