Data Processing Agreement
Last updated: 28 May 2026
This Data Processing Agreement ("DPA") describes how Intrazero UG ("ConforAI", "Processor") processes personal data on behalf of a customer ("Controller") when providing the ConforAI service. It is designed to meet Article 28 of the GDPR and forms part of the customer agreement.
1. Parties and roles
The Controller is the customer organisation that determines the purposes and means of processing. The Processor is Intrazero UG, c/o Signature Jungfernstieg, Große Bleichen 1-3, Office No. 203 (ResCo-work06), 20354 Hamburg, Germany (HRB 189387, Amtsgericht Hamburg). The Processor processes personal data only on the documented instructions of the Controller.
2. Subject matter, nature and purpose
Subject matter: processing carried out to provide the ConforAI AI-literacy training and compliance-evidence platform (mapped to the EU AI Act, ISO/IEC 42001 or the NIST AI RMF). Duration: for the term of the customer agreement. Nature and purpose: hosting, generating, and managing role-based training content, completion records, and audit-evidence packs, and related support.
3. Categories of data and data subjects
| Data subjects | Types of personal data |
|---|---|
| Controller's staff, contractors, and other learners in scope of AI literacy | Identifiers (name, work email), job role/department, training assignments, completion status and timestamps, assessment outcomes, sign-off records |
| Controller's administrators | Account identifiers, contact details, authentication metadata |
The Controller must not provide special-category data (Art. 9 GDPR) unless expressly agreed; the service is not designed to process it.
4. Processor obligations
- Process personal data only on the Controller's documented instructions, including for international transfers, unless required by law (in which case we inform the Controller unless legally prohibited).
- Ensure persons authorised to process data are bound by confidentiality.
- Implement appropriate technical and organisational measures (Section 6).
- Assist the Controller, by appropriate measures, in responding to data-subject rights requests and in meeting its obligations under Articles 32–36 (security, breach notification, impact assessments, prior consultation).
- At the Controller's choice, delete or return all personal data at the end of the services and delete existing copies, unless storage is required by law.
- Make available information necessary to demonstrate compliance and allow for and contribute to audits (Section 7).
5. Sub-processors
The Controller provides general authorisation for the Processor to engage sub-processors, subject to equivalent data-protection obligations by contract. We will inform the Controller of intended changes and allow a reasonable period to object. Current sub-processors include:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloud hosting provider (AWS) | Application and database hosting | Region selected by Controller: EU / US / UK / Canada / APAC |
| Cloudflare | CDN, DNS, security/proxy | Global (EU edge; SCCs) |
| Email provider | Transactional and support email | EU / SCC-covered |
6. Technical and organisational measures
- Encryption in transit (TLS/HTTPS) and at rest where supported.
- Access control on a least-privilege basis with authentication; administrative access restricted and logged.
- Network and application security controls, and regular patching.
- Backups and resilience appropriate to the service.
- Audit logging of material changes to support tamper-evident evidence packs.
7. Breach notification and audits
The Processor will notify the Controller without undue delay after becoming aware of a personal-data breach affecting the Controller's data, with information reasonably available to support the Controller's own notification duties. On reasonable notice, the Processor will make available information needed to demonstrate compliance and support audits, including via up-to-date documentation and third-party reports where available.
8. Data residency and international transfers
Personal data is hosted in the region selected by the Controller (EU, US, UK, Canada or Asia-Pacific) and does not leave that region without the Controller's instruction. Where any cross-border transfer occurs, it is protected by the European Commission's EU/UK Standard Contractual Clauses (and the EU–Canada GDPR adequacy decision for transfers to Canada), together with supplementary measures as required.
9. Governing law
This DPA is governed by the law of the Federal Republic of Germany and, where applicable, the GDPR. If any conflict arises between this DPA and the customer agreement on data-protection matters, this DPA prevails.
This page summarises ConforAI's standard DPA for transparency. The binding version is the document executed between the parties. To request it: [email protected].