Project AIR
Data protection

Data Processing Addendum.

Last updated: June 6, 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Vindicara, Inc. ("Vindicara," "Processor") and the customer agreeing to those Terms ("Customer," "Controller") and applies to the Processing of Personal Data by Vindicara on Customer's behalf through the Hosted Services. Where Customer is itself a processor acting for a third-party controller, references to Controller apply to that third party and Customer is the intermediary. To execute a countersigned copy, contact legal@vindicara.io.

1. Definitions

"Applicable Data Protection Law" means all laws and regulations applicable to the Processing of Personal Data under this DPA, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR and Data Protection Act 2018, and the California Consumer Privacy Act as amended by the CPRA ("CCPA"). "Personal Data," "Processing," "Controller," "Processor," "Data Subject," and "Personal Data Breach" have the meanings given in Applicable Data Protection Law. "Customer Personal Data" means Personal Data contained in Customer Data that Vindicara Processes on Customer's behalf. "Subprocessor" means a third party engaged by Vindicara to Process Customer Personal Data. "Standard Contractual Clauses" or "SCCs" means the clauses approved by the European Commission for transfers of Personal Data to third countries.

2. Roles and Scope of Processing

As between the parties, Customer is the Controller (or processor) of Customer Personal Data and Vindicara is the Processor. Vindicara will Process Customer Personal Data only (a) to provide, secure, and support the Services in accordance with the Terms, (b) on Customer's documented instructions (including via configuration and use of the Services), and (c) as required by law, in which case Vindicara will inform Customer unless legally prohibited. The subject matter, duration, nature, purpose, categories of Personal Data, and categories of Data Subjects are described in Annex 1. Vindicara will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.

3. Customer Responsibilities

Customer is responsible for the lawfulness of Customer Personal Data and of Customer's instructions, including having a valid legal basis, providing required notices to Data Subjects, and configuring redaction, retention, and anchoring appropriately. Customer must not submit special-category data or protected health information except as permitted by the Services and, for PHI, under a separate Business Associate Agreement.

4. Confidentiality

Vindicara will ensure that personnel authorized to Process Customer Personal Data are subject to binding confidentiality obligations and have received appropriate data-protection training.

5. Security Measures

Vindicara will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data, taking into account the state of the art and the risks of Processing, as described in Annex 2 and on our Security page. These include encryption in transit and at rest, least-privilege access controls, authenticated access, default-deny redaction of published payloads, and tamper-evident signed records. Vindicara may update its measures provided that the level of protection is not materially decreased.

6. Subprocessors

Customer provides general authorization for Vindicara to engage Subprocessors to Process Customer Personal Data. Vindicara maintains a current list of Subprocessors (including Amazon Web Services, Auth0, Stripe, Sigstore Rekor, and a timestamp authority) available on request, imposes data-protection obligations on each Subprocessor no less protective than this DPA, and remains responsible for each Subprocessor's performance. Vindicara will give Customer notice of any intended addition or replacement of a Subprocessor, and Customer may object on reasonable data-protection grounds, in which case the parties will work in good faith to resolve the objection.

7. Data Subject Requests

Taking into account the nature of the Processing, Vindicara will assist Customer by appropriate technical and organizational measures, insofar as possible, to respond to requests from Data Subjects to exercise their rights. If Vindicara receives such a request directly, it will, where legally permitted, direct the Data Subject to Customer.

8. Personal Data Breach

Vindicara will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, will provide information reasonably available to it to help Customer meet its breach-notification obligations, and will take reasonable steps to mitigate and remediate.

9. Data Protection Impact Assessments

Vindicara will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of Processing and information available to Vindicara.

10. International Transfers

Vindicara Processes Customer Personal Data primarily in the United States. Where the transfer of Customer Personal Data from the EEA, UK, or Switzerland is subject to Applicable Data Protection Law, the SCCs (and the UK Addendum where applicable) are incorporated into this DPA by reference and apply to that transfer, with Customer as data exporter and Vindicara as data importer.

11. Return and Deletion

Upon termination of the Services and on Customer's request, Vindicara will delete or return Customer Personal Data within the period described in the Terms, except (a) hashes already published to public transparency logs, which are immutable, and (b) data Vindicara is required to retain by law, which it will continue to protect.

12. Audits

Vindicara will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer, subject to reasonable confidentiality, scope, frequency, notice, and security conditions. Vindicara may satisfy audit requests by providing third-party reports or certifications where available.

13. California (CCPA)

For Personal Data subject to the CCPA, Vindicara acts as a "service provider." Vindicara will not sell or share such Personal Data, will not retain, use, or disclose it except for the limited business purpose of providing the Services or as permitted by the CCPA, and will not combine it with data from other sources except as permitted. Vindicara certifies that it understands and will comply with these restrictions.

14. Liability and Precedence

Each party's liability under this DPA is subject to the limitations and exclusions in the Terms. In the event of a conflict between this DPA and the Terms regarding the Processing of Personal Data, this DPA controls; the SCCs control over both with respect to transfers they govern.

Annex 1 — Description of Processing

Subject matter: provision of the Hosted Services. Duration: the term of the Services plus the post-termination period in the Terms. Nature and purpose: hosting, recording, signing, anchoring, analyzing, and producing evidence from agent activity to provide accountability, detection, and compliance-evidence features. Categories of Personal Data: account and authentication identifiers; billing metadata; usage and device data; and any Personal Data contained in Customer-submitted agent traces and decision records (which Customer controls; published records are redacted to hashes by default). Categories of Data Subjects: Customer's authorized users and administrators, and individuals referenced in Customer Data.

Annex 2 — Technical and Organizational Measures

Encryption of data in transit (TLS) and at rest; least-privilege, role-based access control; authentication via Auth0; default-deny redaction of published payloads; tamper-evident, cryptographically signed and hash-chained records; logging and monitoring; secrets management; secure SDLC and dependency hygiene; and incident response. Further detail is on the Security page.

Annex 3 — Subprocessors

Amazon Web Services (cloud hosting; primary region US-West-2); Auth0 (authentication and identity); Stripe (payment processing); Sigstore Rekor and an RFC 3161 timestamp authority (public anchoring of hashes and timestamps). A current, detailed list is available on request.