1. Scope and roles
In respect of Personal Data processed under the Agreement:
- Customer is the Controller of Personal Data about its end customers and their personnel that Customer routes through the Service.
- Vendor is the Processor acting on Customer’s documented instructions.
- Vendor acts as the Controller of Personal Data about Customer’s own account users and billing contacts, as set out in the Privacy Policy.
Capitalised terms not defined here have the meanings given in the Agreement or, where used in a GDPR sense, in Article 4 GDPR.
2. Duration and subject matter
Vendor will process Personal Data for the duration of the Agreement plus any post-termination data-retention period set out in the Agreement (typically 30 days for active export, then deletion from live systems; backups are purged on a rolling 30-day schedule).
Subject matter and nature of processing: hosting, synchronisation, storage, and processing of data Customer routes through Vendor’s unified MSP workspace for Customer’s own business purposes, including read-side aggregation from connected third-party systems and write-back actions Customer authorises.
Purpose of processing: to provide the Service described in the Agreement.
3. Categories of data subjects and Personal Data
Data subjects. Customer’s end customers (typically small- and medium-business contacts) and their personnel; Customer’s own personnel who use the Service.
Categories of Personal Data.
- names, work email addresses, and phone numbers;
- device identifiers, hostnames, MAC and IP addresses;
- ticket and incident content (including any Personal Data Customer chooses to include in tickets);
- asset metadata, contracts, invoices, and subscription records;
- authentication tokens and credentials for connected third-party systems (held encrypted; not processed as content);
- usage and diagnostic data about how Customer’s personnel interact with the Service.
Vendor does not knowingly process special categories of Personal Data (Article 9 GDPR). Customer must not route such data through the Service without first agreeing additional terms in writing.
4. Vendor obligations
Vendor will:
- process Personal Data only on Customer’s documented instructions, including as set out in this DPA, the Agreement, and lawful instructions given through the Service;
- ensure personnel authorised to process Personal Data are bound by a duty of confidentiality;
- implement and maintain the technical and organisational measures described in Section 5 (Security measures) and at /legal/security;
- not engage a new sub-processor without the notice period and terms set out in Section 6;
- assist Customer in responding to requests from data subjects to exercise their rights (access, correction, deletion, portability, objection, restriction) using the tools provided in the Service and, where additional assistance is required, on commercially reasonable terms;
- notify Customer without undue delay of a confirmed Personal Data Breach affecting Customer Data, and cooperate on investigation, mitigation, and any required notifications (see Section 10);
- at Customer’s choice, delete or return all Personal Data at the end of the Agreement (subject to the retention window referenced in Section 2) and delete existing copies unless applicable law requires retention;
- make available to Customer the information reasonably necessary to demonstrate compliance with this DPA, subject to Section 9 (Audit).
5. Security measures
Vendor maintains technical and organisational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. The current control set includes:
- Encryption. TLS in transit; AES-256 encryption at rest for integration credentials, with the encryption key held outside the database; encrypted EBS volumes for the database host; encrypted nightly backups.
- Authentication. bcrypt-hashed passwords (cost factor ≥ 12); HttpOnly / Secure / SameSite session cookies; 8-hour inactivity expiry; rate limiting on auth endpoints; MFA available on all paid tiers.
- Access control. Strict server-side role-based access control; per-tenant database isolation (no cross-tenant join paths); production access limited to operator personnel via SSH key authentication, restricted to the operator’s VPN CIDR.
- Audit. Every administrative action, rules-engine execution, write-back to a connected system, and authentication event is recorded in an append-only audit log that cannot be deleted from the application layer.
- Resilience. Nightly per-tenant database backups with weekly restore-verification; documented incident-response and breach-notification runbooks; external uptime monitoring of the public health endpoint.
- Secure development. Pinned dependencies (lockfile committed); container builds in CI under least-privilege tokens; no production secrets in source control; CI gate blocks pull requests that introduce orphan routes or unaudited mutating handlers.
The live, customer-facing description of these controls is published at /legal/security and updated as the control set evolves.
6. Sub-processors
Customer authorises Vendor to engage sub-processors to assist in providing the Service. The current list of sub-processors — including each sub-processor’s role, the categories of data processed, and the location of processing — is maintained at /legal/sub-processors and is incorporated into this DPA by reference.
Vendor will notify Customer at least 30 days before engaging a new sub-processor or materially expanding the scope of an existing sub-processor. Customer may object on reasonable data-protection grounds; the parties will work in good faith to address the objection. If the objection cannot be resolved, Customer may terminate the affected Service component without penalty by providing written notice within 30 days of Vendor’s sub-processor notice.
Vendor remains responsible to Customer for the acts and omissions of its sub-processors to the same extent that Vendor would be responsible if it were performing the services directly.
7. International transfers
Vendor is based in the United States, and processing primarily occurs in US AWS regions. Where Customer or its data subjects are located in the European Economic Area, the United Kingdom, or Switzerland, and Personal Data is transferred to a jurisdiction not recognised by the European Commission as providing an adequate level of protection:
- the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module Two: Controller-to-Processor) are incorporated into this DPA by reference and govern the transfer;
- for transfers subject to the UK GDPR, the UK International Data Transfer Addendum (Version B1.0, issued by the Information Commissioner under section 119A of the Data Protection Act 2018) is incorporated by reference and applies to those transfers;
- for transfers subject to the Swiss FADP, the SCCs apply with the adjustments published by the Swiss Federal Data Protection and Information Commissioner.
The parties agree that, for purposes of the SCCs and the UK IDTA, Customer is the data exporter and Vendor is the data importer; Annexes I, II, and III of the SCCs are populated by reference to Sections 3, 5, and 6 of this DPA respectively.
8. Data-subject requests
Vendor provides Customer with the tools reasonably necessary to respond to data-subject requests through the Service, including access, correction, export, and deletion. Where additional assistance is required to fulfil a request, Vendor will provide it on commercially reasonable terms and within the statutory response windows applicable to Customer.
If Vendor receives a request directly from a data subject who identifies as a customer or employee of Customer, Vendor will forward the request to Customer and will not respond substantively unless instructed by Customer or required by law.
9. Audit
On 30 days’ written notice, and no more than once per twelve months (except where a confirmed Personal Data Breach has occurred or a supervisory authority directs otherwise), Customer may request documentation reasonably demonstrating Vendor’s compliance with this DPA, including a copy of the latest security overview and, once available, the most recent SOC 2 Type II report under NDA.
On-site audits are permitted only in the event of a confirmed Personal Data Breach or where required by a supervisory authority, subject to reasonable conditions to protect Vendor’s security and other customers’ confidentiality. Customer bears its own costs of any audit and reimburses Vendor for time and materials beyond eight hours per audit.
10. Personal Data Breach notification
Vendor will notify Customer of a confirmed Personal Data Breach affecting Customer Data without undue delay and, in any event, within 72 hours of confirmation. The notification will describe, to the extent known at the time:
- the nature of the breach;
- the categories and approximate number of data subjects and records concerned;
- the likely consequences of the breach; and
- measures Vendor has taken, or proposes to take, to address the breach and to mitigate its possible adverse effects.
Where the information is not available within the initial notification window, Vendor will provide it in phases as soon as reasonably practicable. Notification is sent to the security and billing contacts on file; Customer is responsible for keeping these current.
11. California (CCPA / CPRA)
To the extent Personal Data includes “Personal Information” of California residents as defined under the CCPA:
- Customer is a “Business” and Vendor is a “Service Provider” (and, where applicable, “Contractor”);
- Vendor will not sell or share Personal Information; will not retain, use, or disclose it for any purpose other than the specific purpose of performing the services specified in the Agreement, including any commercial purpose other than those permitted under CCPA; and will not combine it with Personal Information received from or on behalf of other persons except as permitted by CCPA;
- Vendor certifies that it understands these restrictions and will comply with them.
12. Liability
Each party’s liability under this DPA is subject to the limitation of liability set out in the Agreement. Nothing in this DPA or the Agreement limits either party’s liability where such limitation is prohibited by applicable data-protection law.
13. Order of precedence
In the event of any conflict between this DPA and the Agreement regarding the processing of Personal Data, this DPA controls. In the event of a conflict between this DPA and any incorporated Standard Contractual Clauses or UK IDTA, the SCCs / IDTA control to the extent of the conflict.
14. Changes to this DPA
Vendor may update this DPA from time to time. Material changes will be announced to the billing email on file at least 30 days before they take effect. If a material change would substantively reduce the protections afforded to Personal Data, Customer may terminate the affected Service component without penalty by written notice before the effective date.
15. Contact
For DPA execution, privacy questions, or to escalate a data-protection concern, email privacy@mspvectis.com or legal@mspvectis.com. For confirmed security incidents, use security@mspvectis.com.