Data Processing Agreement

Last updated June 2026

This is a starter DPA template for convenience, not legal advice. A DPA is a binding contract — have it reviewed by qualified legal counsel and execute a signed version with each customer who requires one. To request a countersigned DPA, email info@regshield.in.

This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Controller" / "Data Fiduciary") and RegShield AI ("Processor" / "Data Processor") for use of the Service. It governs RegShield's processing of personal data on the customer's behalf and is designed to support compliance with the EU/UK GDPR and India's DPDPA, 2023.

Roles

The customer is the controller of the personal data contained in evidence and content it uploads. RegShield acts solely as a processor, processing that data only on the customer's documented instructions (including via the Service's normal operation).

Scope of processing

  • Subject matter: provision of the RegShield AI compliance-mapping platform.
  • Duration: for the term of the customer's subscription.
  • Nature & purpose: storing uploaded evidence and analyzing it against compliance frameworks to generate reports.
  • Data types: as determined by the customer's uploads; may include personal data referenced within policies and evidence.
  • Data subjects: as determined by the customer (e.g. the customer's personnel referenced in documents).

Processor obligations

  • Process personal data only on the controller's documented instructions.
  • Ensure persons authorized to process the data are bound by confidentiality.
  • Implement appropriate technical and organizational security measures (see our Security page).
  • Assist the controller with data-subject requests and with security, breach-notification, and impact-assessment obligations.
  • Notify the controller without undue delay on becoming aware of a personal-data breach.
  • Delete or return personal data at the end of the engagement, subject to legal retention requirements.
  • Make available information needed to demonstrate compliance and allow for reasonable audits.

Subprocessors

The customer authorizes RegShield to engage the subprocessors listed on our subprocessors page. RegShield imposes data-protection obligations on each subprocessor and remains responsible for their performance. We will give notice of intended changes so the customer can object.

International transfers

Production data is hosted in India. Where a subprocessor processes data in another country, RegShield relies on appropriate safeguards (such as Standard Contractual Clauses or equivalent mechanisms).

Liability & contact

This DPA is subject to the liability provisions of the main agreement / Terms of Service. To execute a signed DPA or ask questions, contact info@regshield.in.