EffortlessRisk
Get Started
Back to Trust Center

Data Processing Agreement

Standard DPA for customers processing personal data through EffortlessRisk.

Request Signed DPA

How to execute this DPA: If your organization requires a signed DPA, email legal@effortlessrisk.com with your organization name and signatory contact. We'll counter-sign and return within 1 business day. Use of EffortlessRisk by EU/UK customers is covered by this DPA whether or not it is countersigned.

1. Background and Definitions

This Data Processing Agreement ("DPA") forms part of the agreement between EffortlessRisk ("Processor") and the customer ("Controller") for use of the EffortlessRisk platform (the "Service"). It governs the processing of Personal Data by EffortlessRisk on the Controller's behalf.

Capitalized terms used but not defined herein shall have the meanings ascribed in the GDPR (Regulation (EU) 2016/679).

2. Subject Matter and Duration

The Processor processes Personal Data only on documented instructions from the Controller, for the duration of the customer's active subscription to the Service plus any retention period agreed in writing.

3. Nature and Purpose of Processing

The Processor processes Personal Data for the sole purpose of providing third-party risk management services, including: vendor record management, risk assessment generation, sanctions screening, adverse media research, questionnaire workflows, and audit logging.

4. Categories of Data Subjects

  • Controller's employees and authorized users of the Service
  • Officers, directors, and beneficial owners of vendors entered into the Service
  • Vendor primary contacts and respondents to questionnaires
  • Subjects of sanctions/PEP screening conducted via the Service

5. Categories of Personal Data

  • Identity data: name, role, nationality, date of birth (partial)
  • Contact data: email address, phone number, business address
  • Account data: login credentials (hashed), authentication tokens
  • Activity data: actions performed within the Service, timestamps, IP address
  • Public business data ingested for risk analysis

The Processor does not intentionally process special category data (Article 9 GDPR). Controllers must not submit special category data to the Service.

6. Processor Obligations

The Processor shall:

  1. Process Personal Data only on the Controller's documented instructions, including with regard to international transfers, except where required by EU or Member State law;
  2. Ensure persons authorized to process Personal Data are bound by appropriate confidentiality obligations;
  3. Implement appropriate technical and organizational measures (see Section 9);
  4. Engage subprocessors only with the Controller's prior general authorization (see Section 8);
  5. Assist the Controller in responding to data subject rights requests (Articles 15–22 GDPR);
  6. Assist the Controller in ensuring compliance with Articles 32–36 GDPR;
  7. Delete or return all Personal Data after termination of services, at the Controller's choice;
  8. Make available all information necessary to demonstrate compliance and allow for audits.

7. Controller Responsibilities

The Controller represents and warrants that it has obtained and shall maintain a valid lawful basis for the processing of Personal Data submitted to the Service, and shall comply with all applicable data protection laws when using the Service.

8. Subprocessors

The Controller authorizes the Processor to engage the subprocessors listed at effortlessrisk.com/subprocessors. The Processor will notify the Controller at least 30 days before adding or replacing any subprocessor. The Controller may object to such changes by terminating the agreement on written notice within that period.

The Processor shall impose data protection terms on each subprocessor that are no less protective than those in this DPA.

9. Security Measures (Article 32)

The Processor implements appropriate technical and organizational measures including:

  • Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access controls and multi-tenant isolation
  • Secure authentication with optional multi-factor authentication
  • Comprehensive audit logging
  • Daily backups with point-in-time recovery
  • Security monitoring and incident response procedures
  • Regular review of subprocessors' security certifications

Full details: effortlessrisk.com/trust

10. International Data Transfers

Where Personal Data is transferred from the EU/EEA, UK, or Switzerland to a country without an adequacy decision, the parties incorporate by reference the EU Standard Contractual Clauses (Module 2: Controller to Processor) issued by Commission Implementing Decision (EU) 2021/914, and the UK International Data Transfer Addendum where applicable. The Processor acts as data importer; the Controller acts as data exporter.

11. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting the Controller's data. Notifications shall include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

12. Audits

The Processor shall make available, upon written request and subject to confidentiality obligations, information necessary to demonstrate compliance with this DPA. Where the Controller wishes to conduct an audit, this shall be conducted at the Controller's expense, with reasonable advance notice (no less than 30 days), no more than once per calendar year, and during normal business hours.

13. Return or Deletion of Data

Upon termination of the Service, the Controller may export all Personal Data via the Service's data export functionality. The Processor will delete remaining Personal Data within 90 days of termination, except where retention is required by law.

14. Governing Law and Order of Precedence

This DPA is governed by the same law as the principal services agreement between the parties. In the event of conflict between this DPA and the principal agreement, this DPA shall prevail with respect to data protection matters.

15. Contact

Data protection inquiries: privacy@effortlessrisk.com

Security incidents: security@effortlessrisk.com

DPA execution / legal: legal@effortlessrisk.com

Last updated: April 2026. EffortlessRisk reserves the right to update this DPA to reflect changes in law or platform capabilities. Material changes will be communicated to active customers with at least 30 days' notice.