Security, Privacy & Legal
Everything you need to verify C2 meets your data protection requirements before you sign. Transparent by design.
Legal Documents
Download & Review Our Legal Agreements
All documents are available for download and review before you commit. No request required.
Data Processing Agreement
Our Art. 28 GDPR-compliant DPA: how C2 processes personal data on your behalf, covering ROPA, DSARs, breach notification, sub-processors, and data deletion. Accepted automatically on signing your subscription.
Terms and Conditions
The master subscription agreement governing your use of C2: licence grant, fees, warranties, limitation of liability, and governing law (Netherlands).
Privacy Policy
How Agile Futurist collects and processes personal data as a controller for website visitors, prospects, and contacts (separate from customer tenant data).
Sub-processor Register
Third Parties We Use to Deliver the Platform
In line with Art. 28(3)(d) GDPR, we maintain a public register of all sub-processors. You will receive at least 30 days advance notice of any additions or changes.
| Sub-processor | Purpose | Processing Location | Transfer Mechanism | DPA Status |
|---|---|---|---|---|
| Amazon Web Services (AWS) Cloud Infrastructure & Storage (S3) |
Primary compute, object storage (Amazon S3), networking and databases underpinning the platform. | EU (Ireland, eu-west-1) | N/A (EEA) | Signed, Art. 28 |
| Amazon Web Services (SES) Email Delivery |
Transactional and notification emails: DSAR alerts, onboarding flows, system notifications. | EU (Ireland, eu-west-1) | N/A (EEA) | Signed, Art. 28 |
| OpenAI AI Language Model (default) |
Language model inference for the AI HR Assistant. Receives query text and relevant knowledge-base excerpts only. No personal employee data (names, records, payroll, performance data) is ever transmitted. Knowledge retrieval uses a self-hosted Qdrant vector database on EU (Ireland) infrastructure. No training on or retention of customer data. EU-hosted or self-hosted LLM alternatives available for Enterprise customers on request. | United States | SCC Module 2 | Signed, Art. 28 + AI Act |
| Amazon Web Services (CloudWatch) Platform Monitoring & Observability |
Application performance monitoring, logging and alerting via AWS CloudWatch. Covered by the same AWS DPA as core infrastructure. Pseudonymised data only. | EU (Ireland, eu-west-1) | N/A (EEA) | Signed, Art. 28 |
| Frappe HelpDesk (self-hosted) Customer Support Ticketing |
Management of support tickets raised by your users. Self-hosted on EU (Ireland, AWS eu-west-1) infrastructure; Frappe Ltd does not process any personal data. Access restricted to authorised support personnel only. | EU (Ireland, eu-west-1) | N/A (EEA, self-hosted) | Self-hosted; N/A |
Last updated: July 2026. To receive sub-processor change notifications by email, contact dpo@cognitis.cloud with subject “Sub-processor notifications”.
Security Measures
Technical & Organisational Measures (TOMs)
A summary of our security measures as defined in Schedule 2 of the DPA. The full Schedule is available in the downloadable DPA above.
Access Control
- Role-based access (RBAC), least privilege
- MFA enforced for admin accounts
- Session timeout, unique credentials
- Privileged access management
Encryption
- In transit: TLS 1.2+ (TLS 1.3 preferred)
- At rest: AES-256
- Database-level encryption
- Annual key rotation
Tenant Isolation
- Strict logical separation between tenants
- Tenant identity enforcement at ORM layer
- Automated isolation tests on every deployment
Infrastructure
- EU-only hosting (ISO 27001 data centres)
- Network segmentation, IDS/IPS, WAF
- DDoS mitigation in place
Vulnerability Management
- Third-party penetration test planned for H2 2026; continuous automated dependency scanning and SAST in place
- Automated dependency scanning (CI/CD)
- Critical patches within 72 hours
Availability & Recovery
- 99.5% uptime SLA
- Daily backups, 30-day retention
- Quarterly DR testing
Incident Response
- 72-hour breach notification to controller
- Documented incident response plan
- Real-time SIEM alerting
- Art. 33(5) breach register maintained
Privacy by Design
- Data minimisation in all features
- DPIA required before high-risk deployments
- Automated retention enforcement
Compliance & Certifications
Our Certification Roadmap
We are transparent about where we are on the path to independent verification. Track our progress here.
Full DPA published, sub-processor register maintained, DPO designated. All processing on documented controller instructions only.
All HR and employee data is stored and processed exclusively in EU (Ireland, AWS eu-west-1). The AI assistant uses a self-hosted Qdrant vector database on EU infrastructure for knowledge retrieval; no personal data is indexed. AI language model inference (OpenAI) receives only query text and knowledge-base excerpts under SCC Module 2. No personal employee data ever leaves the EU.
Internal review of NIS 2 obligations applicable to C2 as a digital service provider. Policy updates underway.
Independent third-party penetration test commencing in 2026. Executive summary available to Enterprise tier customers under NDA on request.
ISO 27001 gap assessment commencing in 2026. Target certification within 18 months. The recognised standard for information security management, mapping directly to GDPR Art. 32.
The privacy management extension to ISO 27001, directly mapping to GDPR obligations. Targeted following ISO 27001 certification. C2 will be among the first SME HRIS platforms in Europe to hold this certification.
Tracking accredited Art. 42 GDPR certification schemes in the Netherlands and EU (including EuroPriSe). Will pursue once a mature scheme for SaaS processors is established.
Document History
Legal Document Change Log
Material changes are communicated to existing customers at least 30 days before they take effect.
To receive legal update notifications, email dpo@cognitis.cloud with subject “Legal update notifications”.
Data Protection
Contact Our Data Protection Team
For questions about data protection, GDPR compliance, the DPA, or to exercise data subject rights.
Data Protection Officer
Security & Incidents
Legal & Contractual
Ready to see the HRIS built specifically for European SMEs: transparent, GDPR-compliant and verifiable?
Book Your Free 30-Min Demo →