Last updated: July 1, 2026
This Data Processing Addendum ("DPA") forms part of, and is incorporated by reference into, the agreement between DataVec, Inc. ("DataVec", "Processor") and the customer ("Customer", "Controller") for DataVec's Services (the "Agreement"). It applies where DataVec processes Personal Data on Customer's behalf and where the GDPR, UK GDPR, Swiss FADP, the CCPA/CPRA, or a similar data-protection law ("Data Protection Laws") applies. In case of conflict on data-protection matters, this DPA controls over the Agreement.
Capitalized terms not defined here have the meaning in the Agreement. "Controller," "Processor," "Data Subject," "Personal Data," "Processing," "Personal Data Breach," and "Supervisory Authority" have the meanings in the GDPR. "Customer Personal Data" means Personal Data within Customer Content that DataVec Processes on Customer's behalf. "Subprocessor" means a third party engaged by DataVec to Process Customer Personal Data. "Standard Contractual Clauses" or "SCCs" means the clauses approved by the European Commission (Decision 2021/914) for transfers to third countries.
2.1 Roles. For Customer Personal Data, Customer is the Controller (or a Processor acting on behalf of its own controller) and DataVec is the Processor. Where DataVec determines the purposes and means of processing its own account, billing, and operational data, DataVec acts as an independent controller and that processing is governed by DataVec's Privacy Policy, not this DPA.
2.2 Scope. This DPA applies to DataVec's Processing of Customer Personal Data to provide the Services. The subject matter, duration, nature, purpose, categories of Data Subjects, and types of Personal Data are described in Annex I.
3.1 Documented instructions. DataVec will Process Customer Personal Data only on Customer's documented instructions, including as set out in the Agreement, this DPA, and Customer's configuration and use of the Services, unless required by law (in which case DataVec will, where lawful, inform Customer first).
3.2 Lawfulness. Customer is responsible for the lawfulness of the Personal Data and of Customer's instructions, including having a valid legal basis and providing required notices to Data Subjects. Customer will not instruct DataVec to Process Personal Data in violation of Data Protection Laws.
3.3 Notice. DataVec will inform Customer if, in its opinion, an instruction infringes Data Protection Laws (without obligation to provide legal advice).
DataVec will ensure that personnel authorized to Process Customer Personal Data are subject to appropriate confidentiality obligations and are informed of the confidential nature of the data.
DataVec will implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against a Personal Data Breach, taking into account the state of the art, costs, and the nature, scope, context, and purposes of Processing, as well as the risk to Data Subjects. A description of these measures is set out in Annex II. DataVec may update the measures provided the level of protection is not materially reduced.
6.1 General authorization. Customer provides general authorization for DataVec to engage Subprocessors to Process Customer Personal Data. Current Subprocessors are listed in Annex III.
6.2 Flow-down. DataVec will impose on each Subprocessor data-protection obligations substantially equivalent to those in this DPA and remains responsible to Customer for each Subprocessor's performance.
6.3 Changes. DataVec will maintain the Subprocessor list and provide a mechanism to notify Customer of intended additions or replacements (for example, by email subscription or an updated list) with reasonable advance notice. Customer may object on reasonable data-protection grounds within the notice period; the parties will work in good faith to resolve the objection, and if they cannot, Customer may terminate the affected Services as its sole remedy.
Taking into account the nature of the Processing and information available to it, DataVec will provide reasonable assistance to Customer, through appropriate technical and organizational measures and to the extent possible, with:
If DataVec receives a request directly from a Data Subject relating to Customer Personal Data, it will not respond except to confirm the request relates to Customer, and will promptly forward it to Customer.
DataVec will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to it to help Customer meet its notification obligations. Notice of a breach is not an acknowledgment of fault or liability.
On expiry or termination of the Services, DataVec will, at Customer's choice, delete or return Customer Personal Data and delete existing copies, within the period described in the Agreement (typically export availability for 30 days, then deletion), unless retention is required by law. Residual copies in routine backups are deleted in the ordinary course.
DataVec will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer. To minimize disruption, audits will occur on reasonable prior notice, no more than once per year (unless required by a Supervisory Authority or following a Personal Data Breach), during business hours, subject to confidentiality, and DataVec may satisfy audit requests by providing then-current third-party certifications or reports where available.
11.1 Mechanism. Where DataVec Processes Customer Personal Data originating in the EEA, UK, or Switzerland in a country without an adequacy decision, the parties agree that the Standard Contractual Clauses apply and are incorporated by reference, with Customer as data exporter and DataVec as data importer:
11.2 Alternative mechanism. If DataVec adopts an alternative lawful transfer mechanism, that mechanism will apply instead to the extent it provides an adequate level of protection.
To the extent DataVec Processes Personal Information (as defined by the CCPA/CPRA) on Customer's behalf, DataVec acts as a service provider. DataVec will not (a) sell or share such Personal Information; (b) retain, use, or disclose it except as necessary to perform the Services under the Agreement or as permitted by the CCPA; (c) retain, use, or disclose it outside the direct business relationship between the parties; or (d) combine it with Personal Information from other sources except as permitted by the CCPA. DataVec certifies that it understands and will comply with these restrictions.
Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability in the Agreement.
This DPA takes effect on the effective date of the Agreement and remains in force for as long as DataVec Processes Customer Personal Data.
DataVec maintains measures appropriate to the risk, including:
| Subprocessor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing and billing | United States |
| DigitalOcean, LLC | Cloud infrastructure and hosting | United States (and configured regions) |
| Postmark (ActiveCampaign, LLC) | Delivery of account, billing, and system emails | United States |
| Certificate authority (e.g., Let's Encrypt / ISRG) | Issuance of TLS certificates for domains | United States |
DataVec will keep this list current. Customer may subscribe to notifications of changes as described in Section 6.3.
Contact: privacy@datavec.com
Questions about these terms? Contact legal@datavec.com.