Data Processing Agreement

Last updated: December 2024

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Vendi Terms of Service and governs the processing of personal data by Vendi Inc. ("Processor") on behalf of the customer ("Controller").

2. Definitions

  • Controller: You (the customer), the party that determines the purposes and means of processing personal data
  • Processor: Vendi Inc., which processes personal data on behalf of the Controller
  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on personal data
  • Data Subject: The individual to whom the personal data relates
  • Sub-processor: Any third party engaged by Vendi to process personal data

3. Scope and Roles

3.1 Relationship

The parties acknowledge that the Controller is the Data Controller and Vendi is the Data Processor with respect to customer conversation data and contact information processed through the Service.

3.2 Controller Obligations

The Controller shall:

  • Ensure it has a legal basis for processing personal data
  • Obtain necessary consents from data subjects
  • Comply with all applicable data protection laws
  • Provide clear processing instructions to Vendi
  • Inform Vendi of any restrictions on processing

3.3 Processor Obligations

Vendi shall:

  • Process personal data only on documented instructions from the Controller
  • Ensure persons authorized to process data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Assist the Controller in responding to data subject requests
  • Assist the Controller with data protection impact assessments
  • Delete or return personal data upon termination (unless required by law to retain)
  • Make available information necessary to demonstrate compliance

4. Nature and Purpose of Processing

4.1 Categories of Data

  • Customer names and contact information
  • Conversation content and metadata
  • Customer interaction history
  • Device and usage information

4.2 Categories of Data Subjects

  • End customers of the Controller
  • Prospective customers
  • Business contacts

4.3 Processing Operations

  • Storage and hosting of conversation data
  • Transmission of messages across channels
  • AI-powered analysis for suggestions and automation
  • Analytics and reporting

5. Security Measures

Vendi implements the following technical and organizational measures:

Technical Measures

  • Encryption in transit (TLS 1.3)
  • Encryption at rest (AES-256)
  • Regular security testing and vulnerability assessments
  • Intrusion detection and prevention systems
  • Regular security updates and patches

Organizational Measures

  • Confidentiality agreements with all employees
  • Role-based access controls
  • Regular employee security training
  • Incident response procedures
  • Business continuity and disaster recovery plans

6. Sub-processors

6.1 Authorized Sub-processors

The Controller authorizes Vendi to engage the following categories of sub-processors:

  • Cloud hosting providers (AWS, Google Cloud)
  • Email service providers
  • Analytics providers
  • Payment processors
  • Messaging platform APIs (WhatsApp, Meta, Telegram, TikTok)

6.2 Sub-processor Requirements

Vendi shall: (a) enter into written agreements with sub-processors imposing data protection obligations equivalent to this DPA, (b) remain liable for sub-processor compliance, and (c) notify the Controller of any new sub-processors with an opportunity to object.

7. Data Subject Rights

Vendi shall assist the Controller in fulfilling data subject requests, including:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object

The Controller shall be responsible for responding to data subject requests. Vendi will provide reasonable assistance upon request.

8. Data Breach Notification

In the event of a personal data breach, Vendi shall:

  • Notify the Controller without undue delay (within 72 hours of becoming aware)
  • Provide details of the breach including affected data and individuals
  • Describe measures taken to address the breach
  • Assist the Controller in fulfilling breach notification obligations

9. International Transfers

Data may be transferred to and processed in countries outside the EEA. For such transfers, Vendi ensures:

  • Standard Contractual Clauses (SCCs) are in place
  • Adequate safeguards per GDPR Article 46
  • Compliance with applicable data transfer regulations

10. Data Retention and Deletion

Upon termination of the Service:

  • Vendi will delete or return all personal data within 90 days, unless required by law to retain it for longer periods
  • The Controller may request earlier deletion
  • Backups will be securely deleted in accordance with retention schedules

11. Audit Rights

The Controller may audit Vendi's compliance with this DPA upon reasonable notice. Vendi may fulfill this obligation by providing SOC 2 reports or other relevant compliance documentation.

12. Liability

Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service.

13. Term and Termination

This DPA remains in effect for the duration of the Service agreement and survives termination with respect to obligations related to data retention, deletion, and return.

14. Contact

For DPA-related inquiries, contact us at [email protected]