OUTSOURCE ONLINE
Regulatory Compliance

Outsource Online is built to meet the compliance requirements of regulated industries. We hold the certifications and maintain the controls your procurement team expects.

Certifications

Our Compliance Posture

Framework | Scope | Status | Last Renewed
SOC 2 Type II | Security, Availability, Confidentiality | Certified | Jan 2025
ISO/IEC 27001:2022 | Information Security Management | Certified | Mar 2025
General Data Protection Regulation (GDPR) | EU/EEA Personal Data | Compliant | Ongoing
California Consumer Privacy Act (CCPA) | California Residents | Compliant | Ongoing
PCI DSS Level 1 | Payment Card Data | Certified | Nov 2024
HIPAA / HITECH | Healthcare Data (BAA available) | Ready | On request

Audit reports available to enterprise clients under NDA. Contact compliance@outsource.online to request documentation.

Contractual Obligations

What We Commit To

01

Data Processing Agreements

All clients processing personal data through the platform are covered by our standard Data Processing Agreement (DPA), which meets GDPR Article 28 requirements. Enterprise clients may request a custom DPA. DPAs are executed automatically during account setup for applicable account types.

02

Sub-processor Disclosure

We maintain a current list of all sub-processors (third-party services with access to client or specialist data). This list is updated within 30 days of any change and is available to all registered clients on request. Clients may object to new sub-processors within 14 days of notification.

03

Data Residency

By default, all platform data is stored in EU-West (Dublin) and US-East (Virginia) data centres. Enterprise clients may elect single-region data residency in EU, US, APAC, or MENA regions. Data residency elections are binding for the duration of the contract and are documented in the DPA addendum.

04

International Data Transfers

Where data is transferred outside the EEA, transfers are governed by EU Standard Contractual Clauses (SCCs) updated per the 2021 European Commission implementing decision. Transfer Impact Assessments (TIAs) are available for enterprise clients operating in jurisdictions with heightened transfer risk.

05

Audit Rights

Enterprise clients with active contracts may request a compliance audit once per calendar year. Audits may be conducted via questionnaire, document review, or (with 30 days' notice) on-site inspection. We share our most recent SOC 2 and ISO 27001 audit reports under NDA.

06

Regulatory Reporting

In the event of a data breach affecting your data, we will notify you within 72 hours of becoming aware, in line with GDPR Article 33. Notifications will include the nature of the incident, categories and approximate number of records affected, likely consequences, and remediation measures taken.

Compliance Officer

compliance@outsource.online

Certification queries, audit requests, and DPA negotiations.

Data Protection Officer

privacy@outsource.online

GDPR data subject requests, transfer mechanism queries.

Legal Counsel

legal@outsource.online

Contract review, regulatory notices, and dispute escalation.