Data Processing Agreement (DPA)

1. Definitions

For the purposes of this Agreement:

2. Scope of Processing

ControlBox processes Personal Data solely for the purpose of providing the Complii platform services, including:

• sanctions screening
• watchlist matching
• customer risk scoring
• transaction monitoring
• compliance case management
• audit logging and reporting
• API-based compliance workflows

Processing activities may include storage, analysis, comparison against screening datasets, and generation of compliance alerts.

ControlBox will process Personal Data only on documented instructions from the Customer, unless required to do so by law.

3. Nature and Purpose of Processing

The purpose of the processing is to assist Customers in performing regulatory compliance activities including:

• anti-money laundering (AML)
• sanctions screening
• politically exposed person (PEP) detection
• fraud risk monitoring
• compliance case management

ControlBox does not determine the purposes for which Personal Data is processed.

4. Categories of Data Subjects

Personal Data processed under this Agreement may include data relating to:

• customers of the Customer
• senders or receivers of financial transactions
• beneficial owners
• company directors
• compliance case participants
• other individuals screened for compliance purposes

5. Types of Personal Data

Personal Data processed may include, but is not limited to:

• full name
• date of birth
• nationality
• identification numbers
• government ID numbers
• passport numbers
• addresses
• phone numbers
• email addresses
• transaction information
• risk scoring indicators
• screening match results

Customers are responsible for ensuring that only necessary Personal Data is submitted to the Platform.

6. Obligations of the Controller

The Customer agrees that:

1. it has a lawful basis for processing Personal Data
2. it has obtained necessary permissions or legal authority to process such data
3. it will comply with all applicable data protection laws
4. it will provide required notices to Data Subjects when necessary

The Customer remains responsible for determining the lawful basis for processing.

7. Obligations of the Processor

ControlBox shall:

• process Personal Data only on documented instructions from the Customer
• ensure personnel processing Personal Data are bound by confidentiality obligations
• implement appropriate technical and organizational security measures
• assist the Customer in responding to Data Subject requests where feasible
• notify the Customer of any legally binding request for disclosure of Personal Data unless prohibited by law

8. Security Measures

ControlBox implements commercially reasonable technical and organizational measures designed to protect Personal Data against:

• unauthorized access
• loss or destruction
• alteration
• disclosure

Complii infrastructure operates within secure hosting environments aligned with internationally recognized security standards including:

• SOC 2 security controls
• ISO 27001 information security frameworks
• ISO 9001 quality management systems

Security controls include:

• encrypted data transmission (TLS)
• secure infrastructure access controls
• authentication and authorization controls
• logging and monitoring systems
• infrastructure isolation and protection

9. Subprocessors

ControlBox may engage third-party subprocessors to support the delivery of the Complii service, including cloud infrastructure providers and data processing services.

ControlBox will ensure that any subprocessors:

• are bound by data protection obligations consistent with this Agreement
• provide appropriate security measures

Customers may request a list of subprocessors used by the Platform.

10. International Data Transfers

Personal Data may be transferred outside the European Economic Area where necessary for service delivery.

Where such transfers occur, ControlBox will implement appropriate safeguards, which may include:

• Standard Contractual Clauses (SCCs)
• other lawful transfer mechanisms under applicable data protection law

11. Data Subject Rights

ControlBox shall provide reasonable assistance to the Customer to enable the Customer to respond to requests from Data Subjects including:

• access requests
• rectification requests
• deletion requests
• restriction of processing
• data portability requests

Where a Data Subject contacts ControlBox directly, ControlBox will direct the request to the Customer where appropriate.

12. Data Breach Notification

In the event of a Personal Data breach affecting Customer data, ControlBox will notify the Customer without undue delay after becoming aware of the breach.

Such notification will include:

• description of the breach
• categories of data affected
• likely consequences
• measures taken or proposed to mitigate the breach

13. Data Retention and Deletion

ControlBox will retain Personal Data only for as long as necessary to provide the Platform services.

Upon termination of the service:

• the Customer may request export of its data
• ControlBox will delete or anonymize Personal Data within a reasonable period unless retention is required by law

Customers may request data export at any time during the service period.

14. Audit Rights

Upon reasonable request, ControlBox may provide documentation demonstrating compliance with this Agreement.

Audits shall be conducted in a manner that does not disrupt normal business operations and may be subject to confidentiality obligations.

15. Liability

Liability under this DPA shall be subject to the limitations set forth in the main Terms of Service or Master Services Agreement between the parties.

16. Governing Law

This Agreement shall be governed by the laws of the State of Florida, United States, unless otherwise agreed in writing between the parties.

17. Contact for Data Protection Matters

Questions regarding this Data Processing Agreement or data protection matters may be directed to: