EU AI Act high-risk obligations apply 2 Dec 2027 / Are you using the time? Check readiness →
TRUST CENTRE

Regulator-grade evidence, by design.

Complira builds EU AI Act compliance infrastructure for regulated organisations. This page explains how we handle your data, where it lives, who has access — and why our own compliance posture is part of the product.

Data residency: Frankfurt · fra1
Lead authority: Irish DPC
Sub-processors: 8 · DPAs signed
Reportable incidents (12mo): 0
EU AI Act: Not a Provider
DORA: Vendor-ready

§ 02 OUR APPROACH

Three deliberate choices.

Compliance posture starts with how the product is built, not what it claims. These three choices shape everything else on this page.

01

Deterministic logic, not ML

Our compliance dashboard uses regex, keyword matching, and additive scoring — no machine learning. This keeps Complira outside the EU AI Act's Provider obligations and gives regulators code they can audit line-by-line.

02

Frankfurt over US

Audit data lives in Supabase eu-central-1 and Vercel fra1 — physically inside the EU. No CLOUD Act exposure. No transatlantic transfers for customer data.

03

Irish lead authority

Complira is incorporated in Ireland with the Data Protection Commission as lead supervisory authority. Predictable English-language enforcement, tested case law, single point of contact for cross-border cases.

LEGAL ENTITY

Legal name: Complira Ltd
Company number: 815262 (Irish CRO)
Jurisdiction: Ireland
Date of incorporation: 12 May 2026
Registered office: 20 Harcourt Street, Dublin, D02H364, Ireland

§ 03 THE FOUR PILLARS

Four questions we answer in detail.

Each card links to a deeper page with the technical specifics your compliance and procurement teams expect.

§ 04 EU AI ACT POSITION
DELIBERATE DESIGN

Complira is not a Provider of an AI system.

Our compliance dashboard contains no machine learning, no LLM inference, no probabilistic decisioning. Every flag, every score, every alert is the output of deterministic code that a regulator can read.

Why it matters

AI Act Article 3(3) defines a Provider as “a natural or legal person who develops an AI system or has it developed”. A deterministic rule engine isn't an AI system under Article 3(1). That keeps us outside Article 16 Provider obligations entirely.

What it means for you

You're using Complira to comply with your own AI Act obligations as Provider or Deployer of your AI systems. Complira's own service is not a regulatory dependency — it's an evidence layer that sits outside the Provider chain.

Read our full EU AI Act position →
§ 05 DORA VENDOR READINESS

Built for regulated finance.

The Digital Operational Resilience Act applies to most of our prospects. Complira's vendor posture is documented against DORA's ICT third-party risk requirements — ready to drop into your vendor onboarding pack.

ICT risk management

Documented risk register covering data classification, access control, vulnerability management, and change management.

Incident reporting

Customer notification within 24 hours of a confirmed security incident. GDPR Article 33's 72-hour clock applies for personal data breaches.

Sub-processor change notification

30-day advance notice before adding or removing any sub-processor. Customer right to object during notice period.

Exit strategy & portability

Documented data portability procedure. Audit logs exportable in standard formats. Termination assistance period codified in MSA.

DORA Vendor Readiness Statement v1.1 available on request — see Documents below.

§ 06 SUB-PROCESSORS

The shoulders we stand on.

Eight sub-processors, each with a signed DPA. Customers receive 30 days' advance notice before any change. Most are SOC 2 Type II audited; the full list, with certifications, is in our sub-processor register.

Service | Purpose | Region
Supabase | PostgreSQL · audit logs & org records | eu-central-1 (Frankfurt)
Vercel | Application hosting & serverless | fra1 (Frankfurt)
Clerk | Authentication & identity | EU region
Resend | Transactional email | EU
HubSpot | CRM & sales pipeline | EU region
Microsoft 365 | Business email & collaboration | Ireland (EU Data Boundary)
Calendly | Demo & meeting scheduling | US (SCC + DPA)
Stripe | Payments & billing | EU region

§ 07 DOCUMENTS

Available on request.

Email privacy@complira.io to request any of the following under NDA. Response commitment: 5 working days.

PRIVACY & DATA PROTECTION
  • Data Processing Agreement
  • Data Flow Mapping
  • Data Retention Policy
  • Lawful Basis for Processing
  • DSAR Process
  • Privacy Owner Designation
SECURITY & OPERATIONS
  • Cybersecurity Posture Statement
  • Encryption & Backup Documentation
  • Incident Response Plan
  • Break-Glass Access Procedure
  • Customer Notification Policy
  • Security questionnaire responses (CAIQ Lite, SIG Lite)
REGULATORY & COMPLIANCE
  • DORA Vendor Readiness Statement v1.1
  • EU AI Act Self-Compliance Analysis
  • Article 14 Roadmap Summary
  • Exit Strategy and Data Portability
  • ICT Risk Management Framework
  • Sub-processor Change Notification Policy
  • DPA Register

Have questions?

Our Privacy Owner handles data protection, security, and compliance inquiries directly. Typical response time: 2 working days.

privacy@complira.io