Data Processing Agreement
Standard DPA · Version 1.0 · Effective May 8, 2026
This Data Processing Agreement (“DPA”) supplements the DataVibe Terms of Service and governs the processing of personal data by DataVibe on behalf of enterprise customers where the GDPR or equivalent data protection law applies. To execute this DPA, email [email protected] with your company name and signed counterpart.
1. Parties and definitions
“Controller” means the Customer entity that determines the purposes and means of processing personal data and has accepted the DataVibe Terms of Service.
“Processor” means DataVibe, Inc., acting on the Controller's instructions when processing personal data in the course of providing the Service.
“Personal Data” means any information relating to an identified or identifiable natural person that is submitted to the Service by the Controller or processed by the Service on the Controller's behalf.
“Service” means the DataVibe SaaS platform, including the AI governance gateway, outbound policy engine, approval queue, and audit infrastructure.
“GDPR” means the EU General Data Protection Regulation 2016/679 and, where applicable, the UK GDPR as retained in UK law.
2. Subject matter, nature, and purpose of processing
DataVibe processes personal data solely to provide the Service as described in the Terms of Service. The subject matter of processing is the Customer's AI-generated outbound actions and communications, which may include personal data submitted by the Customer as gate inputs (e.g., recipient identifiers, message content) or generated by the Customer's use of the Service (e.g., account data, usage logs).
The nature of processing includes: interception, storage, policy scanning, approval routing, and delivery of AI-generated outbound actions through Customer-configured policies; authentication and access management; billing and usage metering; and operational monitoring.
The purpose is to enable the Controller to intercept, scan, and govern AI-generated outbound messages as authorised under the Terms of Service. DataVibe does not process personal data for its own independent purposes.
3. Categories of personal data and data subjects
| Category | Examples | Data subjects |
|---|---|---|
| Account data | Name, work email, company | Customer employees |
| Gate inputs | Outbound message content, recipient identifiers, AI payload metadata | End users of Customer's product |
| Usage data | API call logs, pipeline run metadata, timing | Customer employees |
| Payment data | Billing contact, last 4 digits (Stripe-tokenised) | Customer billing contacts |
DataVibe does not intentionally collect or process special categories of personal data (Article 9 GDPR). The Customer is responsible for ensuring no special category data is submitted unless expressly agreed in writing.
4. Controller's obligations
- The Controller warrants that it has a valid legal basis for all personal data submitted to the Service and that it has provided required notices to data subjects.
- The Controller is responsible for the accuracy and lawfulness of instructions given to DataVibe regarding processing.
- The Controller shall promptly inform DataVibe of any changes to applicable law that affect the processing activities under this DPA.
- The Controller shall not submit special category data or data relating to children (under 16) without prior written agreement from DataVibe.
5. Processor's obligations
- Documented instructions. DataVibe processes personal data only on documented instructions from the Controller, including as set out in this DPA and the Terms of Service, unless required by applicable law.
- Confidentiality. DataVibe ensures that personnel authorised to process personal data are bound by confidentiality obligations.
- Security. DataVibe implements the technical and organisational measures set out in Section 8 of this DPA.
- Sub-processors. DataVibe engages sub-processors only under Section 6 of this DPA and remains liable for their acts and omissions.
- Data subject rights. DataVibe assists the Controller in responding to data subject requests under Section 7 of this DPA.
- Breach notification. DataVibe notifies the Controller of a personal data breach as set out in Section 9 of this DPA.
- DPIA assistance. DataVibe assists the Controller in carrying out data protection impact assessments where required, providing relevant information about its systems and controls upon request.
- Deletion / return. DataVibe deletes or returns personal data as set out in Section 10 of this DPA.
- Audit. DataVibe makes available information necessary to demonstrate compliance and contributes to audits as set out in Section 11 of this DPA.
6. Sub-processors
The Controller hereby grants DataVibe general written authorisation to engage the sub-processors listed below. DataVibe will notify the Controller of any intended changes (addition or replacement of sub-processors) with at least 14 days' notice via the registered account email. The Controller may object in writing within 14 days; where a reasonable objection cannot be accommodated, either party may terminate the affected services on 30 days' notice.
| Sub-processor | Processing activity | Location | Safeguard |
|---|---|---|---|
| Neon | PostgreSQL hosting (Core + migrations) | USA / EU regions | DPA + SCCs |
| Render | Core API and worker hosting | USA | DPA + SCCs |
| Upstash | Redis REST (rate limits, control-plane cache) | USA / EU | DPA + SCCs |
| Stripe | Payments and usage metering | USA / EU | DPA + SCCs |
| Resend | Transactional email | Global | DPA + SCCs |
| Sentry | Error monitoring | USA / EU | DPA + SCCs |
| Google (Gemini, OAuth) | AI inference and Google OAuth | Global | Google Cloud terms + SCCs |
| Anthropic | AI inference | USA | Anthropic enterprise terms |
| NVIDIA NIM | Optional AI inference | USA / EU | NVIDIA terms + DPA where offered |
| Groq | AI inference | USA | Groq terms |
| OpenRouter | AI model routing | USA | OpenRouter terms |
| Jina AI | Embeddings / reader | Global | Jina terms |
| Hunter.io | Email enrichment | EU / USA | Hunter DPA |
| FRED (Federal Reserve Bank of St. Louis) | Public macroeconomic data API | USA | Public data; no processor DPA |
Where a sub-processor is located outside the EEA or UK, DataVibe relies on Standard Contractual Clauses (Module 3: Processor-to-Processor) as the transfer mechanism.
7. Data subject rights
DataVibe shall, taking into account the nature of the processing, assist the Controller in fulfilling its obligations to respond to requests from data subjects exercising their rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection). DataVibe will:
- Promptly forward to the Controller any data subject request received directly by DataVibe that relates to the Controller's data.
- Provide the Controller with the technical means to export, correct, or delete personal data via the dashboard or API within 30 days of request.
- Not respond directly to data subject requests on behalf of the Controller unless expressly authorised in writing.
8. Technical and organisational security measures (TOMs)
Encryption in transit
TLS 1.2+ enforced on all endpoints. HSTS headers applied.
Encryption at rest
Database volumes are AES-256 encrypted by the cloud provider.
Access control
RBAC with MFA enforced for all production infrastructure access.
Key/secret management
Secrets stored in platform secret stores; never in source control.
Vulnerability management
Automated dependency scanning in CI; critical CVEs patched within 72 hours.
Penetration testing
Annual third-party penetration test of application and infrastructure layers.
Audit logging
Append-only audit logs for all privileged operations, retained 7 years.
Data minimisation
Gate inputs are processed in memory; only outputs and audit records configured by the Controller are persisted.
Logical separation
Customer data is isolated by tenant ID at the database layer. No cross-tenant queries are possible.
Incident response
Documented IR runbook; on-call rotation; post-mortems for all P1/P2 incidents.
9. Personal data breach notification
DataVibe will notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach affecting the Controller's data. The notification will include:
- A description of the nature of the breach, including the categories and approximate number of data subjects and records affected.
- Contact details of the DataVibe DPO or nominated contact.
- A description of the likely consequences of the breach.
- A description of measures taken or proposed to address the breach, including mitigation measures.
Notifications will be sent to the account email address on record. The Controller is responsible for notifying the relevant supervisory authority and, where required, affected data subjects. DataVibe will provide reasonable assistance in preparing those notifications.
10. Retention, return, and deletion
Upon termination of the Terms of Service or on written request from the Controller, DataVibe will:
- Make available a full export of the Controller's policy configurations and audit records for 30 days following termination.
- Permanently delete the Controller's personal data from production systems within 90 days of the export period ending, except where retention is required by applicable law (e.g., billing records, audit logs).
- Provide a written confirmation of deletion within 14 days of completing the deletion process.
Billing records and financial audit logs are retained for 7 years as required by applicable financial regulations. Anonymised, aggregated telemetry that cannot reasonably be re-identified may be retained indefinitely.
11. Audit rights
DataVibe will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and will contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. DataVibe may satisfy this obligation by providing:
- A current SOC 2 Type I (or Type II) report under NDA.
- Written responses to reasonable security questionnaires within 10 business days.
- On-site or virtual audit access (at the Controller's cost) with 30 days' notice and subject to reasonable confidentiality protections.
12. International data transfers
Where personal data is transferred from the EEA or UK to a third country (including to DataVibe, Inc. in the United States and to the sub-processors in the United States listed in Section 6), the transfer relies on the Standard Contractual Clauses adopted by the European Commission (Decision 2021/914): Module 2 (Controller-to-Processor) for the Controller's transfer to DataVibe where that transfer is a restricted transfer, and Module 3 (Processor-to-Processor) for DataVibe's onward transfers to sub-processors. For transfers from the UK, the SCCs are supplemented by the UK International Data Transfer Addendum issued by the Information Commissioner. Copies of executed SCCs are available on request.
13. Governing law and disputes
This DPA is governed by the same law as the Terms of Service. For EEA Controllers, where required by applicable data protection law, the supervisory authority of the Controller's EU establishment shall have jurisdiction. The parties will attempt to resolve disputes amicably; if they cannot, disputes will be resolved in accordance with the Terms of Service.
14. Order of precedence
In the event of any conflict between this DPA and the Terms of Service with respect to the subject matter of this DPA, this DPA shall prevail. Nothing in this DPA varies or modifies the Terms of Service with respect to matters not relating to data protection.
Execute this DPA
Enterprise customers requiring a countersigned DPA should email [email protected] with their company name, registered address, and the contact name of their DPO or legal representative. DataVibe will return a countersigned copy within 5 business days.
Customers who have accepted the Terms of Service on or after the effective date of this DPA (May 8, 2026) are covered by the standard DPA terms embedded in Section 10 of the Terms. A separately executed DPA is available for enterprise customers requiring additional customisation or countersignature.