Data Processing Agreement
Version 1.0 — May 2026
1. Parties and scope
This Data Processing Agreement (“DPA”) is entered into between Insaights B.V., a company incorporated under the laws of the Netherlands (“Processor”), and the client organisation that has entered into a subscription agreement for the VERDIX platform (“Controller”). This DPA forms part of and is incorporated by reference into the subscription agreement. In case of conflict, this DPA prevails on matters of data protection.
This DPA applies where Insaights processes personal data on behalf of the Controller in connection with the provision of the VERDIX AI Governance Platform.
2. Definitions
- “GDPR” — EU Regulation 2016/679 (General Data Protection Regulation)
- “Personal Data” — any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller
- “Processing” — any operation performed on Personal Data as defined in Article 4(2) GDPR
- “Data Subject” — the natural person to whom Personal Data relates
- “Sub-processor” — any third party engaged by Insaights to process Personal Data on behalf of the Controller
3. Nature and purpose of processing
The Processor processes Personal Data solely for the purpose of providing the VERDIX platform services described in the subscription agreement, including:
- Storing and managing AI initiative records entered by the Controller’s users
- Facilitating governance workflows (scoring, council voting, evidence submission)
- Delivering platform notifications and email communications
- Providing AI-assisted features (Felix advisor, document extraction, narrative generation)
- Generating reports and exporting board packs
4. Types of personal data and data subjects
The categories of Personal Data processed and the Data Subjects concerned are:
- Platform users (employees and contractors of the Controller): name, email address, workspace role, session data, and activity logs within VERDIX.
- Initiative data: names and contact details of AI initiative sponsors, council members, and reviewers mentioned in governance records.
- AI feature usage: content submitted to AI processing features (documents, initiative descriptions) may incidentally contain personal data.
5. Processor obligations
In accordance with Article 28 GDPR, the Processor shall:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers outside the EEA, unless required by EU or Member State law to do otherwise
- Ensure that persons authorised to process Personal Data are bound by appropriate confidentiality obligations
- Implement technical and organisational measures to ensure appropriate security of Personal Data (see Section 8)
- Not engage Sub-processors without prior written consent of the Controller (general written authorisation with notification of intended changes is acceptable under Article 28(2) GDPR)
- Assist the Controller in fulfilling Data Subject rights requests, taking into account the nature of processing
- Assist the Controller in ensuring compliance with Articles 32–36 GDPR (security, breach notification, impact assessments) given the nature of processing and information available
- At the choice of the Controller, delete or return all Personal Data on termination of the agreement
- Make available to the Controller all information necessary to demonstrate compliance with Article 28 obligations and allow for and contribute to audits and inspections
6. Sub-processors
The Controller provides general written authorisation for the Processor to engage the following Sub-processors. The Processor will notify the Controller of any intended addition or replacement of Sub-processors with at least 30 days’ notice, giving the Controller the opportunity to object.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, authentication, edge functions hosting | EU (eu-central-1) |
| Vercel Inc. | Web application hosting and CDN | EU edge nodes |
| Anthropic PBC | AI processing (Felix advisor, document extraction, narrative generation) | USA (SCCs in place) |
| Resend Inc. | Transactional email delivery | EU |
For Enterprise and Enterprise+ tiers where the Controller operates its own Supabase instance, Supabase processes data in the Controller’s chosen region under the Controller’s own Supabase agreement, not this DPA.
7. Data subject rights
The Controller remains responsible for responding to Data Subject rights requests. The Processor will, taking into account the nature of the processing, assist the Controller in fulfilling such requests by providing relevant data extracts, deletion confirmations, or other necessary information within 5 business days of a written request from the Controller.
8. Security measures
The Processor implements the following technical and organisational measures:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Row-Level Security (RLS) enforcing strict multi-tenant data isolation at the database level
- Role-based access control with least-privilege principles
- Supabase Auth for identity management with MFA support
- Automated backups with point-in-time recovery
- Regular security testing, including an adversarial test suite
- Access to production systems restricted to authorised Insaights personnel
9. Personal data breach notification
The Processor will notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data breach affecting Personal Data processed under this DPA. Notification will include, to the extent known at the time: the nature of the breach, categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed to address the breach.
10. International transfers
Where Personal Data is transferred to Sub-processors outside the EEA (currently: Anthropic, USA), such transfers are subject to Standard Contractual Clauses (SCCs) adopted by the European Commission under Article 46(2)(c) GDPR. The Processor will make copies of applicable SCCs available to the Controller on request.
11. Audit rights
The Controller may, on reasonable written notice (minimum 30 days), conduct or commission an audit of the Processor’s data processing practices relevant to this DPA, at the Controller’s cost. The Processor may satisfy this obligation by providing relevant third-party audit reports (SOC 2, ISO 27001 or equivalent) in lieu of a direct audit, where such reports adequately cover the relevant processing activities.
12. Duration and deletion
This DPA remains in force for the duration of the subscription agreement. On termination or expiry, the Processor will, at the Controller’s written election made within 30 days: (a) return all Personal Data to the Controller in a standard format (JSON or CSV); or (b) securely delete all Personal Data. The Processor will provide written confirmation of deletion within 30 days of receiving the election. Copies retained for legal or regulatory purposes are handled under applicable law.
13. Governing law
This DPA is governed by the laws of the Netherlands. Any disputes relating to this DPA are subject to the exclusive jurisdiction of the courts of Amsterdam.
14. Contact
For questions about this DPA or to exercise Controller rights: privacy@insaights.co
Insaights B.V., the Netherlands
