Version 1.0 — Effective 2026-04-21

Data Processing Agreement.

This Data Processing Agreement ("DPA") governs the processing of personal data by Parallax Technologies GmbH in Gründung ("Witness", "Processor") on behalf of the customer ("Controller") in connection with the Witness services. It is drafted to satisfy Article 28(3) of Regulation (EU) 2016/679 ("GDPR").

This DPA is effective from the date you accept the Witness Terms of Service. It is incorporated by reference into the main agreement between you and Witness. Where the DPA conflicts with the Terms of Service in relation to the processing of personal data, the DPA prevails.

1. Parties

Controller: the customer organisation that opens a Witness account and determines the purposes and means of processing personal data through the service. Processor: Parallax Technologies GmbH in Gründung, a company in formation under Austrian law, with its registered seat in Vienna, Austria, operating the Witness platform at witness-compliance.eu. Contact: legal@witness-compliance.eu. The Controller and the Processor are individually a "Party" and collectively the "Parties".

2. Subject matter, duration, nature and purpose of processing

Subject matter: processing of personal data necessary to provide the Witness service, including classification of AI systems, generation and storage of compliance artifacts (Annex IV technical documentation, Article 9 risk management records, Article 27 fundamental rights impact assessments, Article 4 AI literacy records), obligation tracking, audit trail maintenance, and account administration. Duration: for the term of the Controller's subscription to the Witness service and, where expressly requested in writing by the Controller, during a wind-down period of up to thirty (30) days thereafter to permit export. Nature and purpose: the Processor processes personal data solely on documented instructions from the Controller in order to deliver the contractually agreed Witness service and to comply with its obligations under the Terms of Service and this DPA.

3. Categories of personal data and data subjects

Categories of personal data processed on behalf of the Controller may include: account identifiers (name, business email address, job role); authentication data (hashed credentials, session tokens); organisation data (company name, legal entity information); content submitted by the Controller's users into compliance artifacts (which may reference employees, customers, or third parties named by the Controller); usage metadata (log entries, timestamps, IP addresses); and support communications. Categories of data subjects: the Controller's employees, contractors, and authorised users of the Witness platform; any natural persons referenced by the Controller in the content of compliance artifacts (e.g. named affected persons in a fundamental rights impact assessment). The Controller shall not submit special categories of personal data within the meaning of Article 9 GDPR into free-text fields unless strictly necessary and lawful under the Controller's own legal basis.

4. Processor obligations

The Processor shall: (a) process personal data only on documented instructions from the Controller, including with regard to transfers to a third country or an international organisation, unless required to do so by Union or Member State law; (b) ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; (c) take all measures required pursuant to Article 32 GDPR, including pseudonymisation and encryption of personal data in transit and at rest, ongoing confidentiality, integrity, availability, and resilience of processing systems, the ability to restore availability and access in a timely manner, and a process for regularly testing and evaluating the effectiveness of those measures; (d) respect the conditions for engaging another processor set out in Section 5; (e) taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights under Chapter III GDPR; (f) assist the Controller in ensuring compliance with Articles 32 to 36 GDPR taking into account the nature of processing and the information available to the Processor; (g) notify the Controller without undue delay after becoming aware of a personal data breach; (h) at the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage; (i) make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to Section 7 of this DPA.

5. Sub-processors

The Controller provides general written authorisation for the engagement of the sub-processors listed in the sub-processor section of this DPA. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors by updating the published list at least fourteen (14) days before the change takes effect, thereby giving the Controller the opportunity to object on reasonable data-protection grounds. Where the Processor engages a sub-processor, it shall impose the same data protection obligations as set out in this DPA by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR. Where that sub-processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of that sub-processor's obligations.

6. International transfers

The Processor primarily hosts personal data inside the European Economic Area (EEA). Where personal data is transferred to a third country or an international organisation, the Processor shall ensure that such transfer is covered by an appropriate transfer mechanism under Chapter V GDPR, including in particular the Standard Contractual Clauses approved by the European Commission (Commission Implementing Decision (EU) 2021/914 of 4 June 2021), supplemented by any additional measures necessary under applicable guidance. Paddle.com Market Ltd processes payment data in the United Kingdom. The United Kingdom benefits from a European Commission adequacy decision (Commission Implementing Decision (EU) 2021/1772 of 28 June 2021), providing an essentially equivalent level of data protection under Article 45 GDPR. The Processor monitors the ongoing validity of this adequacy decision and will put additional safeguards in place if the decision is suspended, repealed, or allowed to lapse. For AI features provided through Anthropic, the Processor uses the EU data-residency configuration offered by the sub-processor; any residual transfers outside the EEA are covered by the Standard Contractual Clauses concluded between the Processor and the relevant sub-processor.

7. Audit rights

The Processor shall make available to the Controller, upon reasonable written request and no more than once per calendar year (save in the event of a documented suspected breach), information reasonably necessary to demonstrate compliance with this DPA and with Article 28 GDPR. Where the Controller requires further evidence, the Parties shall cooperate in good faith to arrange an audit, which may take the form of: (a) an audit report (e.g. ISO 27001, SOC 2) where available; or (b) a written questionnaire; or (c) an on-site inspection by the Controller or an independent auditor bound by confidentiality, conducted during regular business hours with at least thirty (30) days' prior written notice and in a manner that does not disrupt the Processor's operations or security obligations to other customers. The Controller shall bear the costs of any such audit.

8. Liability and termination

The liability of each Party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Witness Terms of Service, except that nothing in the Terms of Service or this DPA shall limit either Party's liability to data subjects under Article 82 GDPR or where liability cannot be limited under applicable mandatory law. This DPA shall automatically terminate upon termination or expiry of the Terms of Service. Upon termination, the Processor shall, at the Controller's choice, delete or return all personal data processed on behalf of the Controller, and delete existing copies, unless Union or Member State law requires continued storage.

9. Entry into force and governing law

This DPA enters into force on 21 April 2026 and supersedes any prior data processing terms between the Parties for the Witness service. This DPA is governed by the laws of the Republic of Austria, excluding its conflict-of-laws rules and the UN Convention on Contracts for the International Sale of Goods. The exclusive place of jurisdiction for any dispute arising out of or in connection with this DPA is the competent court in Vienna, Austria, to the extent permitted by mandatory consumer protection law.

Sub-processors

The following sub-processors are authorised to process personal data on behalf of the Controller in connection with the Witness service. The Processor will update this list at least fourteen (14) days before any material change.

  • Railway Corp.

    Application hosting and managed PostgreSQL — EU-West (Amsterdam)

    Serves the Witness web application and stores production data inside the EEA. Covered by Standard Contractual Clauses where any residual transfer outside the EEA occurs.

  • Paddle.com Market Ltd.

    Merchant of Record, billing, VAT and tax administration — United Kingdom (Commission adequacy decision (EU) 2021/1772)

    Processes payment data, invoicing, and tax for subscriptions and one-time purchases. Paddle acts as independent controller for tax-law purposes and as processor for other billing data. Transfers to the United Kingdom are covered by the European Commission adequacy decision for the United Kingdom (Commission Implementing Decision (EU) 2021/1772 of 28 June 2021).

  • Resend, Inc.

    Transactional email delivery

    Sends transactional emails (magic-link sign-in, account notifications, receipts). Processes recipient email address and message metadata only.

  • Anthropic PBC

    AI-assisted form guidance and prefill — EU data-residency configuration

    Processes user-submitted text when the Controller invokes the AI assistant. Configured to use Anthropic's EU data-residency option. Inputs are not used to train Anthropic models.

  • Functional Software, Inc. (Sentry)

    Error and performance monitoring — EU ingest

    Receives runtime error reports and performance traces from the Witness application. Configured to use the EU ingest endpoint. Personally identifiable fields are scrubbed at source where technically feasible.

  • Umami (self-hosted)

    Privacy-friendly product analytics

    Self-hosted by the Processor on EU infrastructure. Captures aggregated product usage without cookies and without storing IP addresses in plain form.

Download and signed copies

A downloadable PDF version of this DPA will be published at /legal/witness-dpa-v1.pdf shortly after launch. Customers requiring a counter-signed copy on company letterhead or with negotiated terms may contact legal@witness-compliance.eu — Team-tier and enterprise customers receive a signed version on request.

legal@witness-compliance.eu