Data Processing Addendum

Last updated: April 4, 2026

This Data Processing Addendum ("DPA") applies to Enterprise customers and supplements the Terms of Service and Privacy Policy.

1. Definitions

  • "Controller" means the organization that determines the purposes and means of processing personal data.
  • "Processor" means Regula, which processes personal data on behalf of the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on personal data, including collection, storage, and analysis.
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679.

2. Scope and Application

This DPA applies when Regula processes Personal Data on behalf of Enterprise customers in connection with the Service. The customer acts as the Controller, and Regula acts as the Processor.

3. Processing Details

3.1 Subject Matter

The subject matter of processing is the provision of regulatory monitoring and compliance intelligence services.

3.2 Duration

Processing continues for the duration of the Service agreement, plus any retention period required by law or specified in the agreement.

3.3 Nature and Purpose

Processing includes:

  • Storage and management of user account data
  • Monitoring and crawling of regulatory websites
  • Content analysis and change detection
  • Alert generation and delivery
  • Analytics and service improvement

3.4 Types of Personal Data

We may process:

  • User account information (name, email)
  • Organization information
  • Usage data and preferences
  • Monitoring configuration data

3.5 Categories of Data Subjects

Data subjects include:

  • Your organization's employees and authorized users
  • Organization members and administrators

4. Processor Obligations

Regula agrees to:

  • Process Personal Data only in accordance with your documented instructions
  • Implement appropriate technical and organizational measures to ensure security
  • Maintain confidentiality of Personal Data
  • Assist you in responding to data subject requests
  • Notify you promptly of any data breaches
  • Assist with data protection impact assessments when required
  • Return or delete Personal Data upon termination of the agreement

5. Security Measures

Regula implements the following security measures:

  • Encryption of data in transit (TLS/SSL)
  • Encryption of data at rest
  • Access controls and authentication
  • Regular security audits and assessments
  • Employee training on data protection
  • Incident response procedures
  • Regular backups and disaster recovery plans

6. Sub-Processors

Regula may engage sub-processors to provide the Service. We will:

  • Maintain a list of sub-processors
  • Ensure sub-processors are bound by equivalent data protection obligations
  • Notify you of any new sub-processors (with opportunity to object)
  • Remain liable for sub-processor compliance

Current sub-processors include: Vercel (hosting), Neon (database), Stripe (payments), Resend (email), Crawl4AI (web crawling), and Google (AI services).

7. Data Subject Rights

Regula will assist you in responding to data subject requests, including:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object

We will respond to your requests within 30 days, or as required by applicable law.

8. Data Breach Notification

In the event of a personal data breach, Regula will:

  • Notify you without undue delay (within 72 hours where feasible)
  • Provide details of the breach, including nature, scope, and impact
  • Describe measures taken or proposed to address the breach
  • Assist you in meeting your breach notification obligations

9. International Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA). Regula ensures appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Other appropriate safeguards as required by law

10. Data Retention and Deletion

Personal Data will be retained in accordance with:

  • Your subscription plan's retention period
  • Your documented instructions
  • Applicable legal requirements

Upon termination of the agreement, Regula will delete or return all Personal Data within 30 days, unless retention is required by law.

11. Audits and Compliance

Regula will:

  • Make available information necessary to demonstrate compliance
  • Allow for audits by you or your authorized representatives (with reasonable notice)
  • Maintain records of processing activities
  • Cooperate with supervisory authorities

12. Liability and Indemnification

Each party's liability for data protection breaches is governed by the Terms of Service. Regula is liable for damages caused by processing only where it has not complied with obligations specifically directed to processors under GDPR.

13. Governing Law

This DPA is governed by the laws of the jurisdiction specified in the Terms of Service, with due regard to applicable data protection laws.

14. Contact Information

For questions about this DPA or to exercise data protection rights:

Email: privacy@regula.mushoodhanif.com

Data Protection Officer: dpo@regula.mushoodhanif.com