Data Processing Agreement

Last updated: November 26, 2024

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer," "Controller") and Brixon Group Ltd ("vavolta," "Processor") for the use of the vavolta platform.

1. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Processing" means any operation performed on Personal Data, such as collection, storage, use, or disclosure.
• "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
• "Controller" means the entity that determines the purposes and means of Processing (you, the Customer).
• "Processor" means the entity that processes Personal Data on behalf of the Controller (vavolta).
• "Sub-processor" means any third party engaged by the Processor to process Personal Data.
• "GDPR" means the General Data Protection Regulation (EU) 2016/679.

2. Scope and Purpose

2.1 Subject Matter

This DPA governs the Processing of Personal Data by vavolta on behalf of the Customer when the Customer uses the vavolta platform to share content with and collect data from their contacts.

2.2 Nature and Purpose of Processing

vavolta processes Personal Data for the following purposes:

• Hosting and delivering lead magnets (PDF documents) to recipients
• Collecting email addresses and names through email-gated content and lead capture forms
• Tracking and recording engagement analytics (views, page interactions, time spent)
• Sending transactional emails on behalf of the Customer
• Providing analytics and reporting to the Customer
• Triggering webhooks to Customer-specified endpoints

2.3 Duration

This DPA remains in effect for as long as the Customer uses the vavolta Service and for as long as vavolta retains any Personal Data processed on behalf of the Customer.

3. Types of Personal Data

The following categories of Personal Data may be processed:

4. Categories of Data Subjects

The Data Subjects whose Personal Data may be processed include:

• Contacts and leads of the Customer
• Recipients who access the Customer's shared content
• Individuals who submit their information through lead capture forms

5. Obligations of the Processor (vavolta)

vavolta agrees to:

5.1 Processing Instructions

• Process Personal Data only on documented instructions from the Customer
• Inform the Customer if any instruction infringes applicable data protection law
• Not process Personal Data for any purpose other than providing the Service

5.2 Confidentiality

• Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
• Not disclose Personal Data to third parties except as required by law or as permitted under this DPA

5.3 Security Measures

Implement appropriate technical and organizational measures including:

• Encryption of Personal Data in transit (TLS/SSL) and at rest
• IP address hashing to protect privacy
• Row-level security controls in the database
• Access controls and authentication mechanisms
• Regular security assessments and updates
• Secure password hashing for authentication
• Incident response and breach notification procedures

5.4 Sub-processors

• Use Sub-processors only with prior authorization (see Section 6)
• Ensure Sub-processors are bound by data protection obligations at least as protective as this DPA
• Remain liable for the acts and omissions of Sub-processors

5.5 Assistance

• Assist the Customer in responding to Data Subject requests (access, rectification, erasure, portability)
• Assist with data protection impact assessments when required
• Assist with prior consultations with supervisory authorities when required

5.6 Data Breach Notification

• Notify the Customer without undue delay (and within 72 hours where feasible) upon becoming aware of a Personal Data breach affecting Customer data
• Provide sufficient information to enable the Customer to meet its breach notification obligations under GDPR

5.7 Compliance Verification

As a self-service SaaS platform, vavolta provides the following compliance documentation to demonstrate adherence to this DPA:

• This publicly available DPA and our Technical and Organizational Measures (Annex A)
• Our Privacy Policy and security practices documentation
• Responses to standard security questionnaires upon written request
• Summaries of relevant third-party security assessments, where available

Due to the self-service nature and pricing of the Service, on-site audits and individual inspections are not available for standard subscriptions. Customers requiring enhanced audit rights should contact us to discuss enterprise arrangements.

5.8 Deletion and Return

• Upon termination of the Service, delete or return all Personal Data at the Customer's choice
• Delete existing copies unless storage is required by applicable law
• Provide 30 days for data export before deletion

6. Sub-processors

6.1 Authorized Sub-processors

The Customer authorizes vavolta to use the following Sub-processors:

6.2 Changes to Sub-processors

vavolta maintains an up-to-date list of Sub-processors in this DPA. We will update this list when adding new Sub-processors and notify customers via email or in-app notification. Continued use of the Service after such notification constitutes acceptance of the new Sub-processor. If you object to a new Sub-processor, you may terminate your subscription.

7. International Data Transfers

7.1 Transfer Mechanisms

Where Personal Data is transferred outside the EEA, vavolta ensures that appropriate safeguards are in place:

• EU-US Data Privacy Framework: For transfers to certified US organizations
• Standard Contractual Clauses: EU Commission approved contractual clauses (Module 2: Controller to Processor)
• Supplementary measures: Additional technical and organizational measures as needed

7.2 Customer Acknowledgment

By using the Service, the Customer authorizes vavolta to transfer Personal Data to Sub-processors located outside the EEA, subject to the safeguards described above.

8. Obligations of the Controller (Customer)

The Customer agrees to:

• Ensure that Personal Data is collected lawfully and with appropriate legal basis
• Provide all necessary privacy notices to Data Subjects
• Obtain any required consents from Data Subjects
• Not provide instructions that would cause vavolta to violate applicable law
• Comply with all applicable data protection laws
• Maintain appropriate records of Processing activities

9. Data Subject Rights

vavolta will assist the Customer in responding to Data Subject requests by:

• Providing tools to access and export Personal Data
• Enabling deletion of Personal Data upon request
• Forwarding any Data Subject requests received directly to the Customer
• Not responding directly to Data Subject requests unless authorized or required by law

10. Liability

Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. Where GDPR applies, each party shall be liable for damages caused by Processing that infringes the GDPR in accordance with Article 82.

11. Term and Termination

This DPA is effective upon the Customer's acceptance of the Terms of Service and remains in effect until:

• The Customer's use of the Service terminates; and
• All Personal Data has been deleted or returned in accordance with Section 5.8

12. Governing Law

This DPA is governed by the laws of Malta and the European Union, including the GDPR where applicable. The courts of Malta shall have exclusive jurisdiction over any disputes arising from this DPA.

13. Contact

For questions about this DPA or to exercise any rights, contact:

Annex A: Technical and Organizational Measures

vavolta implements the following security measures:

A.1 Access Controls

• Role-based access control for all systems
• Multi-factor authentication available for user accounts
• Unique user credentials required for system access
• Regular access reviews and revocation procedures

A.2 Encryption

• TLS 1.2+ encryption for all data in transit
• AES-256 encryption for data at rest
• Secure key management practices

A.3 Data Minimization

• IP addresses are hashed (SHA-256, truncated to 16 characters) before storage
• Only necessary data is collected and retained
• Regular data retention reviews

A.4 System Security

• Row-level security in database
• Regular security updates and patching
• Secure coding practices
• Input validation and sanitization

A.5 Incident Response

• Documented incident response procedures
• Breach notification within 72 hours
• Regular security assessments

A.6 Business Continuity

• Regular data backups
• Disaster recovery procedures
• High availability infrastructure

A.7 Personnel Security

• Background checks for personnel with access to Personal Data
• Mandatory data protection training for all staff
• Confidentiality agreements with all personnel

A.8 Vendor Management

• Due diligence on Sub-processors before engagement
• Contractual data protection obligations for all Sub-processors
• Periodic review of Sub-processor compliance

Annex B: Standard Contractual Clauses

For transfers of Personal Data to Sub-processors located outside the EEA and not covered by an adequacy decision or the EU-US Data Privacy Framework, the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) are hereby incorporated by reference and form part of this DPA.

The Clauses apply as follows:

• Module Two (Controller to Processor): Applies between the Customer (as Controller) and vavolta (as Processor)
• Module Three (Processor to Processor): Applies between vavolta (as Processor) and its Sub-processors

The annexes to the SCCs are completed as follows:

• Annex I.A (List of parties): As identified in this DPA
• Annex I.B (Description of transfer): As described in Sections 2, 3, and 4 of this DPA
• Annex II (Technical and organizational measures): As set forth in Annex A of this DPA

The full text of the Standard Contractual Clauses is available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj