Data Processing Agreement (DPA)

PropComply - Last updated: 1 September 2025

This Data Processing Agreement governs processing of personal data by AI Risk Intelligence AS on behalf of customers using the PropComply platform.

1. Parties

Processor: AI Risk Intelligence AS

Controller: The customer using PropComply.

2. Subject Matter

The processor provides a compliance technology platform enabling controller users to collect, organize, and manage AML and KYC compliance documentation.

3. Nature of Processing

Processing activities may include:

  • collection of client information
  • storage of compliance documentation
  • sanctions and PEP screening workflows
  • document verification workflows
  • sharing compliance information between authorized parties

4. Categories of Data Subjects

  • real estate buyers
  • real estate sellers
  • investors
  • beneficial owners
  • representatives of legal entities

5. Types of Personal Data

  • identity documents
  • personal identification data
  • compliance documentation
  • screening and verification results

6. Processor Obligations

AI Risk Intelligence AS shall:

  • process personal data only on documented instructions
  • ensure confidentiality of personnel
  • implement appropriate security measures
  • assist the controller with GDPR compliance where reasonably required

7. Subprocessors

The processor may engage subprocessors for services including hosting infrastructure, identity verification, sanctions screening, and messaging services. A subprocessor list may be provided upon request.

8. Security Measures

  • encryption of data in transit
  • authentication controls
  • role-based access management
  • secure cloud infrastructure

9. Data Breach Notification

In the event of a personal data breach affecting controller data, AI Risk Intelligence AS shall notify the controller without undue delay and provide reasonably available details.

10. International Data Transfers

Where personal data is transferred outside the EEA, appropriate safeguards will be implemented in accordance with GDPR, including adequacy decisions or Standard Contractual Clauses as applicable.

11. Return and Deletion

Upon end of services, personal data shall be returned or deleted in accordance with contractual terms and applicable legal retention obligations.

12. Governing Law and Contact

This DPA follows governing law and jurisdiction set out in the applicable service terms, with courts in Oslo, Norway unless mandatory law requires otherwise.

Contact: admin@propcomply.com