Data Processing Agreement

Effective from your account creation date. Governing law: Ireland.

1. Parties

This Data Processing Agreement ("DPA") is between OrganiGo Ltd (the "Processor", operating Compliance Hub) and the customer organisation registered through the Compliance Hub signup flow (the "Controller").

2. Subject matter

The Processor processes Controller-provided personal data and compliance evidence solely to provide the Compliance Hub service: storing checklist state, audit logs, ledger entries, and references to Google Drive folders the Controller owns.

3. Categories of data

  • Workspace members' names, work emails, role assignments.
  • IP addresses associated with security-relevant actions (purged after 12 months).
  • Compliance metadata: checklist toggles, evidence URLs, ledger transactions.
  • Google Drive folder links pasted by Controller's admins.

The Processor does not read, copy, or scan the contents of files inside the Controller's Drive folder.

4. Processor obligations

  • Process data only on documented instructions from the Controller (this DPA + use of the product).
  • Ensure access is limited to authorised personnel bound by confidentiality.
  • Implement appropriate technical and organisational measures (row-level security, encryption in transit, and verifiable audit logging).
  • Assist the Controller with data subject requests and breach notifications without undue delay.

5. Sub-processors

The Processor uses Lovable Cloud (Supabase) for database, auth, and storage hosting in EU regions. Updates to sub-processors will be communicated to the Controller in advance.

6. Retention & deletion

On termination, workspace data will be deleted within 30 days unless legal retention applies. IP addresses in audit logs are automatically nulled after 12 months.

7. Contact

Data Protection contact: maire@compliancehub.ie

This DPA is a plain-language summary. A countersigned version is available on request for enterprise customers.