This Data Processing Addendum ("DPA") describes how ContractBot TrustLayer processes personal data when providing EUDI readiness, compliance engineering, report generation, and related digital services.
For customer-submitted business information and contact data, the customer is generally the controller and ContractBot acts as processor where processing is performed on customer instructions. For account administration, billing records, security logs, and service improvement, ContractBot may act as an independent controller.
Processing relates to creation, payment, delivery, verification, support, and monitoring of TrustLayer reports and related services. Processing continues for the duration of the service relationship and any retention period needed for audit, security, billing, dispute handling, or legal obligations.

| Category | Examples |
|---|---|
| Business identity data | Company name, country, website, business type, cross-border flow, use case. |
| Contact data | Name if submitted, email address, organization context. |
| Operational data | Case ID, credential ID, report metadata, payment metadata, delivery status, logs. |
| Generated data | Readiness score, risk zones, recommendations, PDF/HTML report outputs. |

ContractBot processes personal data to provide the service, generate reports, send delivery emails, operate payment and webhook flows, maintain audit logs, monitor service health, prevent abuse, and provide support. ContractBot will not sell customer personal data.
The service may use infrastructure and service providers including Cloudflare, Stripe, Resend, PDF rendering providers, GitHub, and related hosting, logging, security, and email providers. These providers may process data only as needed to deliver the service.
ContractBot uses reasonable technical and organizational measures, including access control, secret separation, token-protected admin endpoints, HTTPS, audit logging, environment separation, idempotency protections, and operational monitoring. No system can be guaranteed completely secure.
Where data is processed outside the EEA, ContractBot relies on appropriate safeguards made available by its providers, such as standard contractual clauses, data processing terms, or equivalent transfer mechanisms where applicable.
On request, ContractBot will delete or return customer personal data where technically feasible and legally permissible. Some records may be retained for security, billing, audit, dispute handling, fraud prevention, or legal compliance.
ContractBot will provide reasonable assistance for data subject requests, security inquiries, and documentation requests related to the service, taking into account the nature of the processing and available information.
For privacy or DPA requests, contact legal@contractbot.dk.