1. Roles
For personal data that you (the Customer) determine the purposes and means of processing when using the Service, you are the data controller and Vunve LTD is the data processor. This addendum applies to such processing and supplements our Terms of Service and Privacy Policy.
2. Processing
We process personal data on your documented instructions (including via the Service and your account actions) to provide, support, and improve the Service. We will not use that data for our own purposes except as necessary to provide the Service or as required by law.
3. Subprocessors
We may use subprocessors (e.g. Stripe, Supabase, Vercel, and email or analytics providers) to provide the Service. We ensure that subprocessors are bound by obligations consistent with this DPA and applicable data protection law. We can provide a list of key subprocessors on request. We will give you notice of new subprocessors where required by law and allow you to object in accordance with applicable terms.
4. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or alteration, in line with the nature of the data and the risks. These include access controls, encryption where appropriate, and secure development and operations practices.
5. Data Breach
If we become aware of a personal data breach affecting your data, we will notify you without undue delay and provide information reasonably necessary for you to meet any reporting or notification obligations. We will also take reasonable steps to contain and remediate the breach.
6. Deletion and Return
At the end of the provision of the Service (or on your request where feasible), we will delete or return personal data processed on your behalf in accordance with your instructions and our retention obligations under law. We may retain copies where required by law.
7. International Transfers
Where we or our subprocessors transfer personal data outside the UK or EEA, we will ensure appropriate safeguards (such as UK adequacy decisions, standard contractual clauses, or equivalent mechanisms) are in place as required by UK GDPR and GDPR.
8. Assistance and Audits
We will assist you in responding to data subject requests and in meeting your obligations regarding security, breach notification, and data protection impact assessments, to the extent that the processing relates to our processing on your behalf. You may request information or audits to verify our compliance to the extent required by applicable law and subject to confidentiality and reasonable conditions.
9. Governing Law
This DPA is governed by the laws of England and Wales. Nothing in it affects your or data subjects' statutory rights that cannot be excluded by law.