Terms of Service & Data Processing Agreement
Last updated: March 18, 2025
1. Overview
Welcome to ComplyLab! These Terms of Service (“Terms”) govern your access to and use of ComplyLab's Compliance Automation Platform (“Service”). ComplyLab enables organizations to automate compliance checks, assess controls, orchestrate evidence workflows, centralize policies, manage risks, and generate audit-ready documentation.
By accessing the Service, signing an order form, or using ComplyLab in any capacity, you acknowledge that you are authorized to represent your organization (“Customer”) and agree to be bound by these Terms.
2. Agreement Structure
- These Terms, together with any order form, enterprise agreement, or online subscription (“Service Agreement”), form the full agreement between Customer and ComplyLab.
- The Service Agreement defines your selected modules (e.g., frameworks, controls testing, evidence automation), usage limits, billing rules, and term length.
- In case of conflict, the Service Agreement prevails.
3. License & Intellectual Property
- ComplyLab grants Customer a limited, non-exclusive, non-transferable license to use the Service to run automated compliance operations, including controls checks, evidence workflows, governance automation, framework configuration, and reporting.
- Customer is responsible for the actions of all assigned users, including internal employees, consultants, auditors, or third-party assessors invited into the platform.
- All intellectual property, including compliance automation engines, control testing logic, templates, workflows, and UI/UX design, remains exclusively owned by ComplyLab.
- Customer may not reproduce, reverse-engineer, or repurpose the Service beyond the permissions granted in these Terms.
4. Hosting, Infrastructure & Security
- ComplyLab is delivered as a cloud-hosted SaaS platform operated on secure enterprise-grade infrastructure managed by ComplyLab or approved subprocessors.
- On-premise deployment is only available under a separate Enterprise On-Premise Agreement.
- All communication with the Service is encrypted via TLS, and all access requires authenticated sessions.
- Customer is responsible for secure identity access management within their organization, including SSO, MFA, and user lifecycle governance.
5. User, Workspace & Compliance Management
- Customer manages its own compliance workspaces, frameworks, users, roles, and evidence reviewers.
- ComplyLab provides administrative tooling, activity logs, and permission logic but does not manage internal approval flows or oversight responsibilities.
- Customer is solely responsible for the accuracy of input data, evidence uploads, assessments, risk ratings, and compliance conclusions.
6. Updates, Automation Engine Enhancements & Maintenance
- ComplyLab updates its control automation engine, evidence ingestion workflows, rulesets, and framework libraries on a continuous basis.
- Updates may include new compliance frameworks (e.g., SOC 2, ISO 27001, GDPR, NIST), automation capabilities, or security improvements.
- Updates may require short maintenance windows, communicated in accordance with the Hosting Service Description.
7. Restricted Use
Customer may not:
- Reverse-engineer or copy the compliance automation logic.
- Use the platform to generate falsified or intentionally misleading compliance evidence.
- Modify or tamper with system safeguards, audit logs, or usage tracking.
- Share access with unapproved third parties or re-sell the Service.
- Upload malware, malicious scripts, or any harmful content.
8. Indemnity
ComplyLab indemnifies Customer from third-party IP infringement claims arising from authorized use of the Service, provided Customer:
- Notifies ComplyLab promptly,
- Allows ComplyLab full control over defense actions, and
- Provides reasonable cooperation.
Indemnity does not apply if claims result from unauthorized modifications, misuse, or combination with external systems not approved by ComplyLab.
9. Customer Data, Evidence Data & Privacy
- Customer retains full ownership of all compliance-related data including controls, evidence files, audit communications, risk registers, and generated reports (“Customer Data”).
- ComplyLab collects operational metadata (“Account Data”) for security, audit logs, and product improvement.
- Data is processed exclusively in accordance with GDPR and Appendix 1 (Data Processing Agreement).
10. Disclaimer & Limitation of Liability
- The Service is provided “as is” except where explicit guarantees are made.
- ComplyLab does not guarantee the success of audits, certification outcomes, or regulatory approvals.
- ComplyLab is not liable for indirect, incidental, or consequential damages.
- Total liability is limited to subscription fees paid in the 6 months preceding the incident.
- Liability for gross negligence or intentional misconduct cannot be excluded.
11. Termination
- Rolling-term subscriptions require 90 days’ written notice for cancellation.
- Fixed-term subscriptions run until their stated end unless terminated per contract terms.
- ComplyLab may suspend or terminate access for:
  - Material breach
  - Illegal use
  - Persistent non-payment
- No refunds are issued for unused time.
12. Pricing Changes
- Customers may upgrade modules or frameworks at any time.
- Downgrades require 90 days’ notice.
- ComplyLab may update pricing with 90 days’ prior written notice.
13. Legal Provisions
- Governing Law: US law.
- Dispute Resolution: Binding arbitration in San Francisco, conducted in English.
- Confidentiality: Both parties agree to preserve confidentiality regarding sensitive or proprietary information.
- Severability: Invalid provisions do not impact remaining terms.
- Assignment: Customer may not assign rights without consent; ComplyLab may assign rights in cases of merger, acquisition, or corporate restructuring.
Appendix 1: Data Processing Agreement
1. Purpose
This DPA outlines ComplyLab’s obligations when processing Personal Data on behalf of Customer in providing automated compliance monitoring, evidence workflows, and governance features. ComplyLab acts as a Data Processor.
2. Definitions
- Personal Data: Information relating to an identifiable natural person.
- Processing: Any operation applied to Personal Data.
- Controller: Customer.
- Processor: ComplyLab.
3. ComplyLab Responsibilities
- Process data solely under Customer instructions.
- Maintain confidentiality and enforce employee access controls.
- Implement industry-standard security measures including encryption, audit logs, and access controls.
- Assist Customer with data subject requests, DPIAs, and regulatory compliance obligations.
- Notify Customer of regulatory requests related to their data.
- Provide documentation demonstrating GDPR compliance.
4. Customer Responsibilities
- Ensure lawful basis for collecting Personal Data.
- Provide accurate data and obtain necessary consents.
- Avoid uploading Personal Data that Customer is not legally permitted to share.
5. Subprocessors
- Customer authorizes ComplyLab to use subprocessors for hosting, automation execution, monitoring, and customer support.
- A current list is provided in Schedule B.
- Customer may object to new subprocessors on legitimate privacy grounds.
6. Audits
Customer may conduct or commission audits of ComplyLab’s data protection measures. ComplyLab will cooperate and remediate identified issues.
7. International Transfers
- Personal Data may be transferred outside the EEA under approved safeguards.
- ComplyLab relies on Standard Contractual Clauses (SCCs) or equivalent mechanisms.
- Transfer mechanisms will be updated in accordance with regulatory changes.
8. Data Breach
ComplyLab will notify Customer within 36 hours of a confirmed Personal Data Breach and assist with investigation, remediation, and reporting duties.
9. Data Deletion
At termination, Personal Data will be securely deleted or returned unless legal retention requirements apply.
10. Liability
Each party is responsible for damages caused by its own processing activities as governed by GDPR Article 82.
Schedule A: Summary of Processing
Nature & Purpose
Operation of a Compliance Automation Platform enabling automated controls testing, evidence workflows, risk management, and audit reporting.
Data Subjects
- Internal administrators
- Authorized users
- External auditors, assessors, and invited reviewers
Types of Personal Data
- Names, emails, optional profile info
- IP addresses, device information, and login metadata
- Workspace activity logs
- Evidence file metadata
Duration
Data is processed and retained for the duration of the Service Agreement unless otherwise required by law.
Schedule B: Subprocessors
- AWS EMEA SARL - Secure hosting & compute (Luxembourg)
- Intercom R&D - Customer support operations (Ireland)
- (Optional Enterprise Add-Ons) Additional subprocessors for automation scanning or long-term log storage, if purchased.