Data Processing Agreement

Last updated: February 23, 2026

Quick Summary

This summary is for convenience only. The full agreement below governs how we process data on your behalf.

  • When you use compliance.tf, we process personal data on your behalf as a data processor
  • We only process data according to your documented instructions
  • Our sub-processors are AWS, Plausible Analytics, and Sprinto
  • Data is encrypted in transit and at rest, with strict access controls
  • We notify you of any data breach within 72 hours
  • Standard Contractual Clauses apply for international data transfers
  • You can request data return or deletion when the agreement ends

1. Introduction

This Data Processing Agreement ("DPA") supplements our Terms and Conditions and Privacy Policy. It applies when Betajob AS (org. nr. 999 153 976), doing business as compliance.tf ("we," "us," "Processor"), processes personal data on behalf of the customer ("you," "Controller") in connection with the Service. This DPA is effective as of the date you agree to our Terms and Conditions.

2. Definitions

  • Controller — the entity that determines the purposes and means of processing personal data; in this context, you, the customer.
  • Processor — the entity that processes personal data on behalf of the Controller; in this context, Betajob AS.
  • Sub-processor — a third party engaged by the Processor to process personal data on behalf of the Controller.
  • Personal Data — any information relating to an identified or identifiable natural person.
  • Processing — any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
  • SCCs — Standard Contractual Clauses adopted by the European Commission for international data transfers.

3. Scope and Roles

Betajob AS acts as a data processor when processing personal data on your behalf through the Service. You, the customer, act as the data controller and determine the purposes and means of processing. This DPA covers all personal data processed in connection with your use of compliance.tf.

4. Processing Details

The following table describes the personal data processing carried out under this agreement.

Detail | Description
Subject matter | Providing the compliance.tf Terraform module registry and related services
Duration | For the duration of your service agreement, plus any retention periods described below
Nature and purpose | Account management, authentication, API access, service delivery, and support
Types of personal data | Name, email address, username, IP address, session data, API token identifiers
Categories of data subjects | Customers, authorized users of customer accounts

5. Customer Obligations

As the data controller, you're responsible for:

  • Ensuring you have a lawful basis for processing personal data through the Service
  • Practicing data minimization — only providing personal data that's necessary for the Service
  • Informing data subjects about the processing, including by referencing this DPA and our Privacy Policy
  • Promptly notifying us if any data subject's instructions conflict with applicable law

6. Processor Obligations

We commit to:

  • Processing personal data only on your documented instructions, unless required by law
  • Ensuring that personnel authorized to process personal data are bound by confidentiality obligations
  • Assisting you with data subject access requests (DSARs) and other rights requests
  • Notifying you of any personal data breach without undue delay, and in any event within 72 hours
  • Returning or deleting personal data at the end of the service relationship, at your choice
  • Making available all information necessary to demonstrate compliance with this DPA

7. Sub-processors

We use the following sub-processors to deliver the Service. You authorize us to engage these sub-processors, and we remain responsible for their compliance with this DPA.

Name | Purpose | Data Processed | Location
Amazon Web Services, Inc. | Cloud infrastructure, compute, storage, CDN, authentication (Cognito), and email delivery | Account data, session data, API tokens, server logs | US (us-east-1), Ireland (eu-west-1)
Plausible Insights OU | Privacy-friendly website analytics | Aggregated usage data only — no personal data is processed | EU
Sprinto Inc. | Compliance monitoring and audit automation | Internal compliance data only — no customer personal data is shared | US

If we need to add or replace a sub-processor, we'll give you at least 30 days' notice. If you object to a new sub-processor, you may terminate the affected services by notifying us before the sub-processor begins processing. We'll work with you in good faith to find an alternative solution where possible.

8. Security Measures

We implement appropriate technical and organizational measures to protect personal data, including:

  • Encryption in transit (TLS 1.2 or higher for all connections)
  • Encryption at rest (AES-256 via AWS KMS for all stored data)
  • Access controls (IAM policies with least-privilege principles)
  • No shared credentials — individual access for all personnel
  • Audit logging for all access to personal data
  • Regular security reviews and vulnerability assessments

For more details on our security practices, see our Security page.

9. International Transfers

Personal data may be transferred outside the European Economic Area (EEA) and the United Kingdom (UK). For these transfers, we rely on:

  • Standard Contractual Clauses (SCCs) — Module 2 (Controller to Processor) as adopted by the European Commission
  • AWS's certification under the EU-US Data Privacy Framework

Data is primarily processed in AWS us-east-1 (US) and eu-west-1 (Ireland). We've assessed the data protection laws of these jurisdictions and have implemented appropriate supplementary measures, including encryption and access controls.

10. Data Subject Rights

We'll assist you in responding to data subject requests, including requests for access, correction, deletion, portability, and objection.

When we receive a request directly from a data subject, we'll redirect them to you unless you've instructed us otherwise.

We'll respond to your assistance requests within 30 days.

11. Breach Notification

In the event of a personal data breach, we'll notify you without undue delay, and in any event within 72 hours of becoming aware of it. Our notification will include:

  • The nature of the breach, including the categories and approximate number of data subjects affected
  • The name and contact details of our point of contact
  • The likely consequences of the breach
  • The measures we've taken or propose to take to address the breach and mitigate its effects

12. Data Return and Deletion

When the service agreement ends:

  • You may request a copy of your personal data within 30 days of termination
  • We'll delete all personal data within 90 days of termination, unless retention is required by law
  • We'll provide written certification of deletion upon request

Data in backups will be deleted according to our standard backup rotation schedule, and we'll isolate it from further processing in the meantime.

13. Audit Rights

You have the right to audit our compliance with this DPA. We make our SOC 2 reports and other compliance documentation available through our Trust Center.

If you require additional audit measures beyond what's available through our Trust Center, we can arrange on-site or remote audits with reasonable advance notice and during business hours. You'll bear the costs of any such audit.

14. Liability

Each party's liability under this DPA is subject to the limitations set out in our Terms and Conditions.

Nothing in this DPA excludes or limits liability for breaches that can't be limited by law.

15. Term

This DPA is effective for the duration of your service agreement with us. Provisions relating to data return, deletion, and confidentiality survive termination.

If we're still processing personal data on your behalf after termination (for example, during the deletion period), the terms of this DPA continue to apply until processing is complete.