Legal

Procurement pack

The six documents your legal and IT-security teams will ask for. Sent on day one without an NDA.

What's in the pack

  • Data Processing Agreement (DPA)

    The legal frame between you as data controller and komplai as data processor.

    Covers
    Nature and purpose of processing, duration, security measures, instruction level, GDPR art. 28 obligations, sub-processors, breach notification, deletion at termination.
    Doesn't cover
    Specific technical controls (those are in the ISAE 3402 report). Product licence terms (those are in Terms).
    Format
    .docx — Datatilsynet's standard template with komplai's annexes, version 1.0
    Download .docx DRAFT v0.1
  • Data Protection Impact Assessment (DPIA)

    A template DPIA your DPO completes for the processing activities you use komplai for.

    Covers
    Risk assessment for high-risk processing, purpose analysis, legal basis, data subject rights, mitigations.
    Doesn't cover
    Your specific use cases — the DPIA is filled in per tenant, together with your DPO.
    Format
    .docx — fillable template, version 1.0
    Download .docx DRAFT v0.1
  • Transfer Impact Assessment (TIA)

    Assessment of third-country transfers. Only relevant if you choose an AI profile with a provider outside the EU.

    Covers
    Conflict-of-laws analysis (FISA 702, Cloud Act, etc.), supplementary measures, encryption posture.
    Doesn't cover
    The local AI profile (Ollama on Hetzner Falkenstein) keeps data in the EU; the TIA isn't relevant for that profile.
    Format
    .docx, version 1.0
    Download .docx DRAFT v0.1
  • Risk assessment

    Threat model and controls mapped to ISO 27001 Annex A.

    Covers
    Threat identification, likelihood/impact, controls, residual risk, management sign-off.
    Doesn't cover
    Risks inside your own organisation outside the komplai platform.
    Format
    .docx, version 1.0
    Download .docx DRAFT v0.1
  • Sub-processor list

    Current list of every data processor komplai uses — vendor, purpose, location, DPA link.

    Covers
    Hetzner (hosting) and any AI providers you've chosen to route data to.
    Doesn't cover
    Vendors you contract with directly (e.g. your own Microsoft tenant). The list is updated on every change; notification via the DPA annex.
    Format
    .pdf — versioned, updated on changes
    Download .docx DRAFT v0.1
  • ISAE 3402 Type II

    Auditor-attested report on controls at komplai over an audit period.

    Covers
    Access control, change management, backup, incident handling, physical security (Hetzner Falkenstein).
    Doesn't cover
    Periods before the first audit cycle. First report planned for Q4 2026.
    Format
    Auditor report per audit period
    Download .docx DRAFT v0.1

These 6 documents are placeholders while our lawyers finish drafting the final text (expected 2026-05-27). The files can be downloaded to show your procurement team what the package contains, but must not be used as final exhibits. Email komplai@komplai.dk for the final version.

Once the agreement is in place, the technical rollout guides live at docs.komplai.dk/install — Microsoft Word, OnlyOffice, LibreOffice and more, with Entra/Intune instructions for municipal IT.

Order the pack

Sent day one without an NDA. Mapped to the controls your legal and IT-security teams will ask for.

Last updated: 7 May 2026