Trust Center

Security, Privacy & Legal

Everything you need to verify C2 meets your data protection requirements before you sign. Transparent by design.

GDPR by Design EU Data Residency Dutch Law Governed DPO Designated

Legal Documents

Download & Review Our Legal Agreements

All documents are available for download and review before you commit. No request required.

Data Processing Agreement

Our Art. 28 GDPR-compliant DPA: how C2 processes personal data on your behalf, covering ROPA, DSARs, breach notification, sub-processors, and data deletion. Accepted automatically on signing your subscription.

Version 1.1  ·  July 2026  ·  Dutch law

Terms and Conditions

The master subscription agreement governing your use of C2: licence grant, fees, warranties, limitation of liability, and governing law (Netherlands).

Last updated: May 2025  ·  Dutch law

Privacy Policy

How Agile Futurist collects and processes personal data as a controller for website visitors, prospects, and contacts (separate from customer tenant data).

Last updated: May 2025  · 
Note: Acceptance of the C2 Terms of Service incorporates this DPA by reference. You do not need to sign a separate DPA unless your internal policy requires a countersigned copy. For countersigned DPA requests, contact dpo@cognitis.cloud.

Sub-processor Register

Third Parties We Use to Deliver the Platform

In line with Art. 28(3)(d) GDPR, we maintain a public register of all sub-processors. You will receive at least 30 days advance notice of any additions or changes.

Sub-processor Purpose Processing Location Transfer Mechanism DPA Status
Amazon Web Services (AWS)
Cloud Infrastructure & Storage (S3)
Primary compute, object storage (Amazon S3), networking and databases underpinning the platform. EU (Ireland, eu-west-1) N/A (EEA) Signed, Art. 28
Amazon Web Services (SES)
Email Delivery
Transactional and notification emails: DSAR alerts, onboarding flows, system notifications. EU (Ireland, eu-west-1) N/A (EEA) Signed, Art. 28
OpenAI
AI Language Model (default)
Language model inference for the AI HR Assistant. Receives query text and relevant knowledge-base excerpts only. No personal employee data (names, records, payroll, performance data) is ever transmitted. Knowledge retrieval uses a self-hosted Qdrant vector database on EU (Ireland) infrastructure. No training on or retention of customer data. EU-hosted or self-hosted LLM alternatives available for Enterprise customers on request. United States SCC Module 2 Signed, Art. 28 + AI Act
Amazon Web Services (CloudWatch)
Platform Monitoring & Observability
Application performance monitoring, logging and alerting via AWS CloudWatch. Covered by the same AWS DPA as core infrastructure. Pseudonymised data only. EU (Ireland, eu-west-1) N/A (EEA) Signed, Art. 28
Frappe HelpDesk (self-hosted)
Customer Support Ticketing
Management of support tickets raised by your users. Self-hosted on EU (Ireland, AWS eu-west-1) infrastructure; Frappe Ltd does not process any personal data. Access restricted to authorised support personnel only. EU (Ireland, eu-west-1) N/A (EEA, self-hosted) Self-hosted; N/A

Last updated: July 2026. To receive sub-processor change notifications by email, contact dpo@cognitis.cloud with subject “Sub-processor notifications”.

Security Measures

Technical & Organisational Measures (TOMs)

A summary of our security measures as defined in Schedule 2 of the DPA. The full Schedule is available in the downloadable DPA above.

Access Control

  • Role-based access (RBAC), least privilege
  • MFA enforced for admin accounts
  • Session timeout, unique credentials
  • Privileged access management

Encryption

  • In transit: TLS 1.2+ (TLS 1.3 preferred)
  • At rest: AES-256
  • Database-level encryption
  • Annual key rotation

Tenant Isolation

  • Strict logical separation between tenants
  • Tenant identity enforcement at ORM layer
  • Automated isolation tests on every deployment

Infrastructure

  • EU-only hosting (ISO 27001 data centres)
  • Network segmentation, IDS/IPS, WAF
  • DDoS mitigation in place

Vulnerability Management

  • Third-party penetration test planned for H2 2026; continuous automated dependency scanning and SAST in place
  • Automated dependency scanning (CI/CD)
  • Critical patches within 72 hours

Availability & Recovery

  • 99.5% uptime SLA
  • Daily backups, 30-day retention
  • Quarterly DR testing

Incident Response

  • 72-hour breach notification to controller
  • Documented incident response plan
  • Real-time SIEM alerting
  • Art. 33(5) breach register maintained

Privacy by Design

  • Data minimisation in all features
  • DPIA required before high-risk deployments
  • Automated retention enforcement

Compliance & Certifications

Our Certification Roadmap

We are transparent about where we are on the path to independent verification. Track our progress here.

GDPR Art. 28 Compliance  Live

Full DPA published, sub-processor register maintained, DPO designated. All processing on documented controller instructions only.

EU Data Residency  Live

All HR and employee data is stored and processed exclusively in EU (Ireland, AWS eu-west-1). The AI assistant uses a self-hosted Qdrant vector database on EU infrastructure for knowledge retrieval; no personal data is indexed. AI language model inference (OpenAI) receives only query text and knowledge-base excerpts under SCC Module 2. No personal employee data ever leaves the EU.

NIS 2 Directive Review  In Progress

Internal review of NIS 2 obligations applicable to C2 as a digital service provider. Policy updates underway.

Annual Penetration Test  Planned 2026

Independent third-party penetration test commencing in 2026. Executive summary available to Enterprise tier customers under NDA on request.

ISO 27001 Certification  Gap Assessment 2026

ISO 27001 gap assessment commencing in 2026. Target certification within 18 months. The recognised standard for information security management, mapping directly to GDPR Art. 32.

ISO 27701 Certification  Roadmap

The privacy management extension to ISO 27001, directly mapping to GDPR obligations. Targeted following ISO 27001 certification. C2 will be among the first SME HRIS platforms in Europe to hold this certification.

GDPR Art. 42 Certification  Monitoring

Tracking accredited Art. 42 GDPR certification schemes in the Netherlands and EU (including EuroPriSe). Will pursue once a mature scheme for SaaS processors is established.


Document History

Legal Document Change Log

Material changes are communicated to existing customers at least 30 days before they take effect.

v1.1 July 2026 Current
Sub-processor register updated: vendor names added (AWS eu-west-1, AWS SES, OpenAI), AI data-flow clarified (no personal data transmitted to OpenAI; self-hosted Qdrant handles RAG on EU infrastructure), SCC Module 2 noted for OpenAI. Penetration test TOM corrected to reflect H2 2026 planned date.

To receive legal update notifications, email dpo@cognitis.cloud with subject “Legal update notifications”.

Data Protection

Contact Our Data Protection Team

For questions about data protection, GDPR compliance, the DPA, or to exercise data subject rights.

Data Protection Officer

GDPR queries, DPA questions, data subject rights, DSAR submissions.

Security & Incidents

Security concerns, suspected breaches, vulnerability disclosures.

Legal & Contractual

Countersigned DPA requests, sub-processor objections, legal correspondence.

Customer Support

Platform support, account queries, onboarding assistance.

Ready to see the HRIS built specifically for European SMEs: transparent, GDPR-compliant and verifiable?

Book Your Free 30-Min Demo →