§ Legal · Data Processing Agreement

Data Processing Agreement

Minimal Article 28 GDPR template between OmhuAI AB (processor) and the customer (controller) for the BondGovernance service. The binding instrument is the signed DPA referenced in the order form.

§ 01

Purpose and parties

This Data Processing Agreement ("DPA") is entered into between the customer (the "Controller") and OmhuAI AB, Swedish corp. reg. no. 559XXX-XXXX, Stockholm ("BondGovernance", the "Processor"), and forms an integral part of the main subscription agreement between the parties.

The DPA governs the Processor's processing of personal data on behalf of the Controller in connection with the provision of the BondGovernance governance-infrastructure service (the "Service") and implements the requirements of Article 28 of Regulation (EU) 2016/679 ("GDPR").

This page reproduces a minimal template. The binding instrument is the signed DPA referenced in the order form. In the event of conflict, the signed instrument prevails.

§ 02

Subject-matter and nature of processing

Subject-matter. Provision of governance-infrastructure for secured bond surveillance, including covenant monitoring, collateral analytics, document ingestion and alerting.

Nature and purpose. Storage, structured extraction, deterministic computation and presentation of bond-related information.

Duration. Term of the main agreement, plus a 30-day return/deletion window.

Categories of data subjects. Authorised users of the Controller (named contacts at issuers, agents, investors and advisers).

Categories of personal data. Business contact data (name, work email, work phone, role, employer), authentication identifiers, audit-log metadata. No special categories under Art. 9 GDPR. No payment data. No data of children.

§ 03

Processor obligations

  • Process personal data only on documented instructions from the Controller.
  • Ensure personnel are subject to a duty of confidentiality.
  • Implement the security measures set out in § 06.
  • Engage sub-processors only under the conditions in § 04.
  • Assist the Controller in responding to data-subject requests and DPIAs.
  • Notify the Controller without undue delay after becoming aware of a personal-data breach, and in any event within 72 hours (Art. 33(2) GDPR).
  • At the choice of the Controller, return or delete all personal data at end of service.
  • Make available all information necessary to demonstrate compliance with Art. 28 GDPR.

§ 04

Sub-processors

The Controller provides a general authorisation for the engagement of sub-processors. The current sub-processors are:

Sub-processor | Purpose | Location
Supabase (database, auth, storage) | Application data store | EU (Frankfurt)
Cloudflare | Edge runtime, CDN, DDoS protection | EU edge nodes (global anycast)
Google (Gemini API via gateway) | Document extraction inference | EU region

The Processor shall notify the Controller of any intended change of sub-processor at least 30 days in advance. The Controller may object on reasonable grounds.

§ 05

International transfers

Personal data is stored and processed within the European Union / European Economic Area. Where any transfer to a third country occurs (e.g. provider support access), the parties rely on the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914, Module Two (controller-to-processor), incorporated by reference into this DPA, together with supplementary measures where required following a transfer impact assessment.

§ 06

Technical and organisational measures

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Row-Level Security on all tenant-scoped tables; least-privilege service-role access.
  • Authentication via Supabase Auth; MFA available; SAML SSO available on request.
  • Append-only audit log for authentication events, role changes and privileged actions.
  • Daily encrypted backups; documented restore procedure; point-in-time recovery.
  • Segregated production and preview environments.
  • Deterministic pipelines — no model-derived business decisions persisted without provenance.
  • Vulnerability scanning of dependencies; security review on each release.
  • Incident response plan with named owner and 72-hour breach-notification SLA.

§ 07

Audit rights

The Processor shall make available to the Controller, on reasonable request and no more than once per twelve-month period, sufficient information to demonstrate compliance with Art. 28 GDPR. This includes the current sub-processor list, the most recent penetration-test summary (see /security), and answers to a standard security questionnaire. On-site audits may be agreed where required by mandatory law.

§ 08

Liability and term

Each party's liability under this DPA is subject to the limitations of liability set out in the main agreement. This DPA enters into force on the effective date of the main agreement and remains in force for as long as the Processor processes personal data on behalf of the Controller.

§ 09

Contact

Data-protection enquiries: dpo@bondgovernance.com. Postal address: OmhuAI AB, Stockholm, Sweden.