Data Processing Addendum

Prototype / Pilot Stage · Last updated: March 2026

This addendum is a draft framework applicable to prototype and pilot contexts. It becomes legally binding only when incorporated into a signed agreement by the formally registered operating entity.

Parties

Controller / Customer: [Customer legal name, address, registration number — completed at signing]

Processor / Service Provider: DueDiligence.one (company in formation)
Contact: hello@duediligence.one

Purpose and role

This addendum reflects processor obligations consistent with Article 28 GDPR. The Customer acts as Controller. DueDiligence.one acts as Processor, processing personal data only on documented instructions from the Customer.

What we process

Processing covers the operation of the prototype or pilot for:

  • sanctions screening and ownership analysis
  • due diligence support and report generation
  • audit log maintenance and security

Personal data processed may include: names, aliases, company identifiers, beneficial ownership chains, uploaded documents, and technical metadata.

Processor commitments

The Processor will:

  • process data only on Customer's documented instructions
  • ensure authorised personnel maintain confidentiality
  • implement appropriate security measures (TLS 1.3, AES-256, AWS KMS, access controls, audit logging, RFC 3161 timestamping)
  • assist with data subject rights, breach handling, and DPIA where applicable
  • delete or return personal data after services end, unless law requires retention
  • make compliance information available and support reasonable audit requests

Sub-processors

Sub-processors will only be engaged with Customer authorisation and under equivalent data protection obligations. At prototype stage, the sub-processor list is provisional pending incorporation and production infrastructure finalisation.

International transfers

No Customer personal data will be transferred internationally except on Customer instructions, legal obligation, or under a valid transfer mechanism. Primary infrastructure is targeted at AWS eu-central-1 (Frankfurt).

Prototype restrictions

Until incorporation and production contracts are in place:

  • this is a draft pilot-stage addendum only
  • the prototype is not a production commercial service
  • the Customer must not use the prototype for operational decisions or adverse action

Governing law

To be completed at signing.

Request a signed DPA

hello@duediligence.one — Subject: DPA Request

Back to Disclaimer