Data Processing Agreement

Contents

Definitions
Subject matter & duration
Nature & purpose of processing
Types of personal data & data subjects
Processor obligations
Security measures
Subprocessors
International transfers
Data subject rights & controller assistance
Personal data breach notification
Audits & inspections
Return & deletion
Liability
General provisions
Annex A — Subprocessors
Annex B — Technical & organisational measures

This Data Processing Agreement (the "DPA") forms part of the Master Subscription Agreement (the "Agreement") between Vigilo (the "Processor") and the customer entity that has entered into the Agreement (the "Controller"). It applies to the extent that Vigilo processes Personal Data on behalf of the Controller in connection with the Services. Capitalised terms not defined here have the meanings given in the Agreement.

1. Definitions

"Personal Data", "Processing", "Controller", "Processor", "Data Subject", "Supervisory Authority", and "Personal Data Breach" have the meanings set out in the GDPR.

"GDPR" means Regulation (EU) 2016/679 and, where applicable, the UK GDPR as defined in the UK Data Protection Act 2018.

"Services" means the Vigilo risk-monitoring service provided to the Controller under the Agreement.

"Subprocessor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller in connection with the Services.

2. Subject matter & duration

The subject matter of this DPA is the Processing of Personal Data by the Processor on behalf of the Controller for the purpose of delivering the Services.

This DPA enters into force on the effective date of the Agreement and remains in force for the duration of the Agreement plus any period during which the Processor continues to hold Personal Data, after which Section 12 applies.

3. Nature & purpose of processing

The Processor will process Personal Data solely for the purposes of:

providing risk-monitoring alerts to the Controller's authorised users;
maintaining and securing the Controller's account, authentication, and billing records;
responding to Data Subject requests and complying with legal obligations;
improving and operating the Services, subject to the restrictions in Section 5.

4. Types of personal data & data subjects

Category	Personal Data
Account users	Email address, name (if voluntarily provided), authentication tokens, role assignment within the Controller's account
Watchlist data	Country / region preferences set by users (not Personal Data of third parties)
Billing contact	Name, email, billing address, organisation name (no payment card details — handled by the payment processor directly)
Communication logs	Timestamps and delivery status of transactional emails sent to the user
API usage logs	API key identifier, endpoint, timestamp, response status (no payload content)

Data subjects: the Controller's employees, contractors, and end users authorised to access the Services.

The Processor does not request, and asks that the Controller does not submit through the Services, any special categories of Personal Data under Article 9 GDPR.

5. Processor obligations

The Processor shall:

process Personal Data only on documented instructions from the Controller, including the instructions reflected in this DPA and the Agreement;
ensure that persons authorised to process Personal Data have committed to confidentiality or are under appropriate statutory obligations of confidentiality;
implement and maintain appropriate technical and organisational measures (Annex B);
respect the conditions for engaging Subprocessors (Section 7);
taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling its obligations to respond to Data Subject requests;
assist the Controller in ensuring compliance with Articles 32–36 GDPR (security, breach notification, impact assessments, prior consultation);
at the choice of the Controller, return or delete all Personal Data after the end of the provision of the Services, except where retention is required by law (Section 12);
make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits (Section 11).

The Processor will not:

sell or rent Personal Data to third parties;
use Personal Data for advertising, profiling, or training of third-party AI models;
combine Controller's Personal Data with data from other controllers other than as necessary to operate the Services in aggregate, anonymised form.

6. Security measures

The Processor will implement and maintain the technical and organisational measures set out in Annex B, including (without limitation) encryption in transit and at rest, access control, logging, and incident response procedures.

The Processor will not materially reduce the security measures during the term of the Agreement.

7. Subprocessors

The Controller provides general written authorisation for the Processor to engage Subprocessors. A current list of Subprocessors is maintained in Annex A and on the public Subprocessors page at vigilo.cc/security.

The Processor will:

notify the Controller of any intended addition or replacement of a Subprocessor at least 30 days before that change takes effect (for paid plans Team and above);
impose data protection obligations on the Subprocessor that are no less onerous than those set out in this DPA;
remain liable for the acts and omissions of its Subprocessors as if they were its own.

The Controller may object in writing to a new Subprocessor on reasonable grounds within 14 days of notification. If the parties cannot resolve the objection in good faith, the Controller may terminate the affected Services and receive a prorated refund of prepaid fees.

8. International transfers

The Processor primarily processes Personal Data on infrastructure located in the United States and, for certain Subprocessors, the European Union. Where Personal Data is transferred outside the EEA / UK, the Processor will ensure an appropriate transfer mechanism is in place, including (as applicable):

Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914);
UK International Data Transfer Agreement or Addendum;
recognised adequacy decisions.

Where the Processor relies on SCCs, the parties incorporate the SCCs by reference. Module Two (Controller-to-Processor) applies between the Controller and the Processor; Module Three (Processor-to-Processor) applies between the Processor and onward Subprocessors. Annex I, II, and III of the SCCs are populated by reference to this DPA's schedules and Annexes.

9. Data subject rights & controller assistance

The Processor will, taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures in responding to Data Subject requests under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection, automated decision-making).

If a Data Subject contacts the Processor directly with a request relating to the Controller's Personal Data, the Processor will forward the request to the Controller without undue delay and will not respond to the request except on the Controller's documented instructions.

The Controller may request assistance by writing to alex@vigilo.cc. The Processor responds within 7 days and substantively assists within 30 days of receipt.

10. Personal data breach notification

The Processor will notify the Controller of any confirmed Personal Data Breach affecting Controller's Personal Data without undue delay and within 72 hours of becoming aware. The notification will, to the extent known at the time, include:

the nature of the breach, including categories and approximate number of Data Subjects and records affected;
the name and contact details of the Processor's contact;
likely consequences;
measures taken or proposed to address the breach and mitigate its possible adverse effects.

The Processor will provide updated information as it becomes available and will not require the Controller to assess severity or notifiability — that determination is the Controller's responsibility.

11. Audits & inspections

The Processor will make available to the Controller, on reasonable request and at intervals no greater than once per calendar year (or more frequently if required by a supervisory authority or following a Personal Data Breach):

documentation of its technical and organisational measures (current version of Annex B);
responses to a security questionnaire of reasonable scope;
copies of relevant third-party audit reports (when available) or attestations.

On-site audits may be conducted only where the above is insufficient and after 30 days' written notice, during business hours, with reasonable scope, and subject to confidentiality undertakings. Costs of on-site audits are borne by the Controller.

12. Return & deletion

On termination of the Agreement, the Processor will, at the Controller's choice and within 30 days:

return all Personal Data to the Controller in a structured, commonly used, machine-readable format; or
delete all Personal Data, including from backups (within 60 days for backups), and certify deletion to the Controller.

The Processor may retain Personal Data only where required by EU, Member State, or other applicable law, and only for the period required.

13. Liability

Each party's liability arising out of or in connection with this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits or excludes liability that cannot lawfully be limited or excluded under applicable law.

14. General provisions

Conflict. In the event of any conflict between this DPA and the Agreement, this DPA prevails in respect of data protection matters.

Amendment. The Processor may update this DPA from time to time to reflect changes in applicable law or best practice. The Processor will notify the Controller of material changes at least 30 days in advance. Changes that materially diminish the Processor's obligations are not effective without the Controller's written agreement.

Governing law. This DPA is governed by the laws specified in the Agreement.

A. Annex A — Current Subprocessors

The list below is current as of the date of this DPA. The live list is at vigilo.cc/security.

Subprocessor	Purpose	Region	Transfer mechanism
Netlify, Inc.	Hosting, CDN, edge functions, blob storage	US	SCCs (Module 3)
Resend	Transactional email delivery	US / EU	SCCs (Module 3)
Stripe	Payment processing (when active)	US / EU / IE	SCCs / IE adequacy
Mapbox	Map tiles, geocoding (no PII transmitted)	US	SCCs (Module 3)
Plausible Insights OÜ	Cookie-less, anonymous web analytics	EU (DE)	EU — no transfer
GitHub, Inc.	Source code & scheduled data pipeline	US	SCCs (Module 3)

B. Annex B — Technical & organisational measures

1. Confidentiality

All personnel with access to Personal Data are bound by written confidentiality undertakings.
Access to production systems is limited to the minimum number of authorised personnel necessary to operate the Services. Currently: founder only.
Multi-factor authentication enforced for all administrative interfaces.

2. Integrity

TLS 1.2+ enforced for all data in transit.
Data at rest in Netlify Blobs encrypted using AES-256 by the underlying infrastructure.
Secret material (API keys, JWT signing secrets, Bearer tokens) stored exclusively in Netlify environment variables; never in source code or logs.
Webhook payloads to customer endpoints are signed with HMAC-SHA256; customers can verify integrity using a shared secret.

3. Availability & resilience

Hosting on Netlify global CDN with automated failover.
Daily encrypted backups of subscriber and account data; 30-day retention.
Source code, infrastructure-as-code, and configuration version-controlled in GitHub.

4. Pseudonymisation & data minimisation

Email addresses for subscribers are stored hashed where the application logic does not require the plaintext.
No analytics tracking of individual users across sessions or sites (Plausible is cookie-less).
API logs do not capture request payloads.

5. Testing & review

Critical authentication and security code is unit-tested.
Dependency vulnerabilities monitored via GitHub Dependabot.
Annual review of technical and organisational measures; documented update of this Annex.

6. Incident response

Single-point incident contact: security@vigilo.cc.
Personal Data Breach notification within 72 hours of confirmation (Section 10).
Post-incident review documented and shared with affected Controllers on request.

For the Controller

Name & title

Signature & date

For the Processor — Vigilo

Aleksey Stepikin · Founder

Name & title

Signature & date

Working draft v0.1. This document is provided as a customer-ready starting point and represents Vigilo's standard processing terms. Final binding text will be re-issued with customer details at execution. Both parties are advised to obtain independent legal review.