This Data Processing Agreement ("DPA") governs the processing of Personal Data by CPD Registry in the course of providing Services to the Subscriber (the "Agreement"). This DPA forms an integral part of the Agreement between CPD Registry and the Subscriber.
1. Scope, Roles, and Interpretations
1.1. This DPA applies when CPD Registry processes Personal Data on behalf of the Subscriber in its capacity as a Data Processor, and the Subscriber acts as the Data Controller (or as a processor on behalf of a third-party controller) under Applicable Data Protection Laws.
1.2. Terms such as "personal data", "processing", "data controller", and "data processor" shall have the meanings set forth in the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).
1.3. In the event of any conflict between the Agreement and this DPA, the terms of this DPA shall prevail regarding data protection obligations.
2. Processing of Personal Data & Instructions
2.1. CPD Registry undertakes to process Personal Data only on behalf of and in accordance with the Subscriber's documented written instructions, unless required to do otherwise by Union or Member State law to which CPD Registry is subject. The Subscriber's instructions are set out in Schedule 1 (Specification of Processing).
2.2. CPD Registry shall immediately inform the Subscriber if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.
2.3. CPD Registry certifies and warrants that it will not:
- (a) Retain, use, or disclose Personal Data outside the direct business relationship with the Subscriber;
- (b) Sell, rent, or share Personal Data with third parties for commercial gain; or
- (c) Use any Personal Data, including uploaded certificates, logs, or metadata, to train, fine-tune, or develop artificial intelligence (AI), machine learning, or large language models (LLMs).
Clause 2.3(c) is a binding contractual obligation. We do not use subscriber data — including training logs, certificates, or metadata — to train or fine-tune any AI or machine learning model.
3. Obligations of the Subscriber (Data Controller)
3.1. The Subscriber shall comply with all Applicable Data Protection Laws in its capacity as Data Controller, including ensuring it has a valid legal basis to provide the Personal Data to CPD Registry.
3.2. The Subscriber shall limit the personal data provided to CPD Registry strictly to what is necessary for the performance of the training-tracking Services.
4. Sub-Processors
4.1. The Subscriber hereby grants a general written authorization to CPD Registry to engage sub-processors to perform infrastructure, file storage, and transactional communication services. Our current pre-approved sub-processors are:
EU-central Database Hosting
Primary database, real-time queries, and file storage infrastructure.
EU-central R2 File Storage
Certificate file storage in EU-based R2 buckets.
Transactional Email Routing
Delivery of magic links, billing receipts, and compliance reminders.
4.2. CPD Registry shall inform the Subscriber in writing of any intended changes concerning the addition or replacement of sub-processors at least thirty (30) days in advance, giving the Subscriber the opportunity to object to such changes on reasonable, data-protection-related grounds.
5. Absolute EU Data Residency & International Transfers
5.1. CPD Registry shall store and process all Personal Data strictly within the European Union (EU) or European Economic Area (EEA).
5.2. CPD Registry shall not transfer, store, or allow remote access to Personal Data outside the EU/EEA without the prior explicit written consent of the Subscriber, and only if such transfer complies with Chapter V of the GDPR (e.g., using Standard Contractual Clauses or Adequacy Decisions).
6. Information Security and Confidentiality
6.1. CPD Registry shall implement and maintain appropriate technical and organizational security measures to ensure a level of security appropriate to the risk, as required by Article 32 of the GDPR. These measures include:
- The encryption of all Personal Data and uploaded files in transit and at rest.
- Strict logical separation of customer data (multi-tenancy isolation).
- Passwordless, single-time password (OTP) authentication structures.
6.2. CPD Registry shall ensure that only personnel who require access to Personal Data to fulfill our obligations under the Agreement are granted access, and that all such personnel are bound by strict contractual or statutory confidentiality obligations.
7. Personal Data Breach Notifications
7.1. CPD Registry shall notify the Subscriber in writing without undue delay, and in any event no later than thirty-six (36) hours, after becoming aware of a confirmed security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed under this DPA (a "Personal Data Breach").
7.2. The notification shall, at a minimum, describe the nature of the breach, the categories of data affected, and the mitigation measures taken or planned.
8. Audits
8.1. The Subscriber has the right to conduct an audit or inspection of CPD Registry's compliance with this DPA once per twelve (12) month period.
8.2. Audits shall be performed during regular business hours, with at least fourteen (14) business days' prior written notice, and must not unreasonably disrupt CPD Registry's operations.
8.3. The Subscriber shall bear all costs associated with such audits, unless the audit reveals a material breach of this DPA by CPD Registry, in which case CPD Registry shall cover the reasonable and verified costs of the audit.
9. Term, Termination, and Deletion of Data
9.1. This DPA shall remain in force for as long as CPD Registry processes Personal Data on behalf of the Subscriber.
9.2. Upon termination of the Agreement, CPD Registry shall, at the choice of the Subscriber, permanently delete or return all Personal Data (including database records and uploaded certificates) in our possession, unless EU or Swedish law requires continued storage of such data.
9.3. If the Subscriber chooses deletion, CPD Registry shall completely purge the data from its active servers within thirty (30) days, and ensure secure overwrite on backup archives within ninety (90) days.
10. Governing Law and Dispute Resolution
10.1. This DPA shall be governed by, and construed in accordance with, Swedish Law.
10.2. Any dispute, controversy, or claim arising out of or in connection with this DPA shall be finally settled by the Stockholm District Court (Stockholms tingsrätt) as the court of first instance.
Annex
Schedule 1: Specification of Data Processing
Last updated: May 24, 2026
1. Subject Matter and Purposes of the Processing
CPD Registry provides a cloud-based software-as-a-service (SaaS) platform designed for continuing professional development (CPD) tracking, verification, and audit-ready reporting.
CPD Registry shall process Personal Data on behalf of the Subscriber for the following specific purposes:
- To establish and manage individual user accounts for the Subscriber's employees, associates, and partners.
- To record, categorize, and calculate continuing professional education hours against regional bar association requirements (e.g., Sveriges Advokatsamfund §36 rules).
- To securely store and display uploaded training completion certificates.
- To generate compiled, formatted PDF compliance reports with bundled certificates on behalf of the data subjects for regulatory audits.
2. Categories of Data Subjects
The personal data processed under this Agreement belongs to employees, contractors, associates, and partners of the Subscriber who are registered to use the CPD Registry platform to track their continuing professional development obligations.
Unlike enterprise legal AI workspaces, CPD Registry does not process, ingest, or store any third-party client data, case files, or litigation documents.
3. Categories of Personal Data
CPD Registry shall process the following categories of Personal Data:
Full name, corporate email address, and professional title (e.g., Advokat, Biträdande jurist, Auktoriserad revisor).
Bar association/regulatory body membership year and registration metadata.
Course/seminar titles, educational providers, dates of training, training durations (hours), and training categories (Teacher-led or E-learning).
Uploaded digital files (PDF, JPG, PNG) containing official completion certificates, course programs, or attendance confirmations.
4. Duration of the Processing
The processing of Personal Data on behalf of the Subscriber shall commence on the Effective Date of the Agreement and shall continue until the expiration or termination of the subscription Agreement, followed by a mandatory thirty (30) day soft-delete holding period, after which all active database records and Cloudflare R2 certificate files are permanently and irreversibly purged from our infrastructure.
Annex
Appendix 2: Technical and Organizational Security Measures
Last updated: May 24, 2026
This document describes the technical and organizational security measures and controls implemented by CPD Registry to protect Personal Data, prevent unauthorized access, and ensure the ongoing confidentiality, integrity, and availability of our Services.
1. Platform Infrastructure & Hosting Architecture
CPD Registry is an EU-native, multi-tenant cloud application. We partner with industry-leading infrastructure providers to deliver a secure, resilient platform:
- Application & Database Layer: Powered by Convex, utilizing Amazon Web Services (AWS) Frankfurt (eu-central-1) data centers.
- Object Storage Layer: Powered by Cloudflare R2, with all certificate files stored in Western Europe (WEUR) data centers.
- Physical Security: Our hosting providers maintain physical security controls that meet or exceed industry standards, including 24/7/365 armed surveillance, biometric access gates, and N+1 redundancy for power and cooling. Both Convex (AWS) and Cloudflare maintain active SOC 2 Type II and ISO/IEC 27001 certifications.
2. Access Control & User Authentication
To prevent unauthorized access to customer data, CPD Registry implements the following application-level access controls:
- Passwordless Authentication (OTP): We do not store raw or hashed user passwords, eliminating the risk of credential database leaks. Users authenticate strictly via cryptographically secure, time-limited, six-digit One-Time Passwords (OTPs) sent directly to their verified email addresses via secure APIs.
- Access Privilege Control: Within our team, we enforce the principle of least privilege. CPD Registry personnel have no default access to production databases. Access is restricted strictly to senior engineering staff and only when required to resolve specific, documented subscriber support requests.
- Session Management: Authenticated user sessions are cryptographically signed and set to automatically expire after thirty (30) days.
3. Transmission and Storage Security (Data Protection)
We ensure that Personal Data is protected against interception, alteration, or unauthorized extraction during transmission and storage:
- Encryption in Transit: All communication between the user's browser and our servers is encrypted using Transport Layer Security (TLS) 1.2 or higher (HTTPS).
- Encryption at Rest: All database records, user profiles, and logs are encrypted at rest using AES-256.
- Secure Certificate Storage (Cloudflare R2): Every completion certificate uploaded by a user is stored in private, non-publicly accessible Cloudflare R2 buckets. Files are never exposed via public URLs. When a user views their dashboard or exports an audit report, CPD Registry generates a temporary, cryptographically signed URL with a strict one-hour expiration window. Once expired, the URL is completely invalid.
- File Upload Validation: Our backend validates the MIME type (file signature) of every uploaded certificate file, ensuring that malicious executable scripts or unauthorized file formats are blocked from entering our storage bucket.
4. Multi-Tenant Data Isolation
To prevent accidental data exposure or unauthorized cross-tenant access:
- Cryptographic Session Binding: CPD Registry enforces strict logical multi-tenancy. Every database query and mutation automatically extracts the authenticated user's ID directly from the secure session token.
- No Raw SQL Queries: By utilizing Convex's reactive relational queries, we eliminate the risk of SQL injection attacks, ensuring that no user can bypass logical data boundaries.
5. Business Continuity & Disaster Recovery
To protect Personal Data against accidental destruction or data loss:
- Continuous Replication: Our primary database is continuously replicated across multiple physically independent availability zones in the EU-central region.
- Point-in-Time Recovery (PITR): Primary databases support point-in-time recovery, allowing engineers to roll back database states in the event of major data corruption or infrastructure anomalies.
- Daily Backups: Encrypted backups of our active database are generated daily and stored in secure, geographically isolated storage locations.
6. Vulnerability Management & Auditing
- Continuous Dependency Auditing: We perform automated vulnerability scanning across our codebase and dependencies on every deployment, patching any critical risks immediately.
- Centralized Security Logging: Critical actions, including system authentication, certificate uploads, and report exports, are captured in secure, tamper-proof system logs retained for a minimum of twelve (12) months.
7. Zero AI Training Covenant
CPD Registry formally guarantees that no personal data, training logs, or uploaded documents processed on behalf of the Subscriber will be utilized to train, test, or validate machine learning models, artificial intelligence, or large language models (LLMs).