Data Processing Agreement

Last updated: February 16, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Digitaltableteur Tmi (FI22264455-2), trading as VertaaUX ("Processor", "we", "us", "our"), and the Customer ("Controller", "you", "your"). This DPA governs the processing of Personal Data in connection with the VertaaUX automated UX auditing platform and applies to all customers, with particular relevance for Enterprise customers and organizations subject to the General Data Protection Regulation ("GDPR") and other applicable data protection laws.

1. Definitions

In this DPA, the following terms have the meanings set out below. Capitalized terms not defined herein have the meanings given to them in the Terms of Service.

  • "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"), as defined in Article 4(1) of the GDPR.
  • "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
  • "Controller" means the natural or legal person that determines the purposes and means of the Processing of Personal Data (you, the Customer).
  • "Processor" means the natural or legal person that processes Personal Data on behalf of the Controller (Digitaltableteur Tmi, trading as VertaaUX).
  • "Sub-processor" means any third party appointed by the Processor to process Personal Data on behalf of the Controller.
  • "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
  • "Supervisory Authority" means an independent public authority established by an EU Member State pursuant to Article 51 of the GDPR. For VertaaUX, the lead supervisory authority is the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto).
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
  • "SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as adopted by the European Commission Implementing Decision (EU) 2021/914.

2. Scope and Applicability

2.1 Scope of Processing

This DPA applies to all Personal Data processed by VertaaUX in connection with providing its automated UX auditing services to the Controller, including but not limited to:

  • User account information (name, email address, OAuth identifiers, authentication data)
  • Organization and team membership data for multi-user accounts
  • Website URLs and associated metadata submitted for auditing
  • Audit results, scores, recommendations, and reports
  • Payment and billing information (processed via Stripe)
  • Usage logs, activity data, and feature interaction records
  • Support communications and feedback submitted through the Service
  • Technical data including IP addresses, browser information, and device identifiers

2.2 Nature and Purpose

Personal Data is processed solely for the following purposes:

  • Providing, operating, and maintaining the VertaaUX automated UX auditing platform
  • Executing website audits, generating reports, and delivering audit results
  • Managing user accounts, authentication, and authorization
  • Processing payments and managing subscriptions
  • Sending transactional emails and service notifications
  • Monitoring service performance, diagnosing errors, and maintaining platform reliability
  • Enforcing rate limits and preventing abuse
  • Enriching audit results via LLM-powered analysis (with no PII sent to AI providers)
  • Improving the Service based on aggregated and anonymized usage data

2.3 Processing Across Surfaces

VertaaUX is a multi-surface platform. Personal Data may be processed through any of the following distribution surfaces, each with specific processing characteristics:

Surface | Description | Data Processed
--- | --- | ---
Web Application | Primary web interface at vertaaux.ai | Full account data, audit data, session cookies, analytics
CLI | Command-line interface for CI/CD integration | API keys, audit target URLs, audit results
SDK | Programmatic integration library | API keys, audit target URLs, audit results
API | RESTful API for direct integration | API keys, request metadata, audit target URLs, audit results
Browser Extension | Chrome/Firefox extension for in-context audits | Current page URL, authentication tokens, audit results
MCP Server | Model Context Protocol server for AI agent integration | API keys, audit target URLs, audit results
Mobile | Mobile-optimized progressive web application | Full account data, audit data, device identifiers
GitHub Action | CI/CD pipeline integration for automated audits | API keys, repository metadata, audit target URLs, audit results

Regardless of the surface used, the same data protection commitments, security measures, and sub-processor restrictions described in this DPA apply uniformly.

2.4 Duration

Processing will continue for the duration of the Controller's subscription to the Service and for the retention period specified in Section 7 of this DPA. Upon termination, data will be handled in accordance with Section 7.2.

3. Controller and Processor Obligations

3.1 Controller Obligations

The Controller warrants and represents that:

  • It has all necessary rights, consents, and legal bases to submit Personal Data to the Service and to instruct the Processor to process such data
  • It has provided appropriate privacy notices to Data Subjects in accordance with Articles 13 and 14 of the GDPR
  • Its use of the Service complies with all applicable data protection laws, including the GDPR and any applicable national implementing legislation
  • It will not submit special categories of Personal Data (as defined in Article 9 of the GDPR), including health data, biometric data, data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, or data concerning sex life or sexual orientation, without prior written agreement from the Processor
  • It will promptly notify the Processor of any changes to its processing instructions or any circumstances that may affect the Processor's ability to comply with this DPA

3.2 Processor Obligations

The Processor commits to the following obligations:

  • Documented Instructions: Process Personal Data only in accordance with the Controller's documented instructions, unless required to do so by Union or Member State law to which the Processor is subject (in which case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law)
  • Confidentiality: Ensure that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
  • Security: Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Section 4
  • Data Subject Requests: Assist the Controller by appropriate technical and organizational measures, insofar as possible, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights under Chapter III of the GDPR
  • Deletion or Return: At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless Union or Member State law requires storage of the Personal Data
  • Demonstrate Compliance: Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller

4. Security Measures

4.1 Technical Measures

The Processor implements the following technical security measures to protect Personal Data:

  • Encryption in Transit: All data transmitted between clients and servers is encrypted using TLS 1.3. Certificate pinning is enforced for API communications.
  • Encryption at Rest: All stored data is encrypted using AES-256 encryption. Database backups are encrypted with separate key management.
  • Access Control: Role-based access control (RBAC) enforces the principle of least privilege. Multi-factor authentication (MFA) is required for all administrative access.
  • Network Security: Web application firewalls (WAF), DDoS protection via Vercel and Cloudflare, intrusion detection systems (IDS), and network segmentation protect infrastructure.
  • Database Security: Encrypted backups with point-in-time recovery, connection pooling with mandatory SSL, parameterized queries preventing SQL injection, and automated vulnerability scanning.
  • Monitoring: Real-time security monitoring via Sentry error tracking, automated threat detection, comprehensive audit logging, and alerting on anomalous activity.

4.2 Organizational Measures

  • Staff Training: Regular security awareness and data protection training for all personnel with access to Personal Data
  • Background Checks: Background verification for employees with access to production systems and Personal Data
  • Incident Response: Documented incident response plan with defined roles, escalation procedures, and communication protocols, tested at least annually
  • Business Continuity: Business continuity management (BCM) including regular backups, disaster recovery plans, and service redundancy across multiple availability zones
  • Vendor Management: Security and privacy assessments of all sub-processors prior to engagement and on an ongoing basis, including review of certifications, security practices, and data processing terms

4.3 Security Reviews

The Processor conducts regular security assessments, including vulnerability scanning and penetration testing by qualified third-party security firms. Enterprise customers may request access to security documentation, recent penetration test summaries, and may arrange security audits upon reasonable notice as described in Section 10.

5. Sub-processors

5.1 Authorized Sub-processors

The Controller authorizes the Processor to engage the following sub-processors for processing Personal Data. A current list is also maintained at /subprocessors.

Sub-processor | Purpose | Data Categories | Location | Transfer Mechanism
--- | --- | --- | --- | ---
Vercel Inc. | Hosting, CDN, edge functions | All service data in transit | USA | EU-US DPF + SCCs
Neon Tech Inc. | PostgreSQL database hosting | Account data, audit data, usage logs | USA (EU available) | EU-US DPF + SCCs
Stripe Inc. | Payment processing | Payment data, billing addresses, email | USA | EU-US DPF + SCCs
Resend Inc. | Transactional email delivery | Email addresses, notification content | USA | SCCs
Sentry (Functional Software Inc.) | Error tracking, performance monitoring | Error logs, IP addresses, browser info, stack traces | USA | EU-US DPF + SCCs
Google LLC (Analytics) | Website analytics (opt-in only) | Anonymized page views, session data | USA | EU-US DPF + SCCs
Upstash Inc. | Redis queue, rate limiting | Job IDs, rate limit counters, queue metadata | USA (EU available) | SCCs
Browserless Inc. | Headless browser for audit execution | Audit target URLs, rendered page data (transient) | USA | SCCs
Mistral AI SAS | LLM-powered audit enrichment | Audit results text, issue descriptions (no PII) | France (EU) | N/A (EU processor)
OpenAI Inc. | LLM-powered audit enrichment | Audit results text, issue descriptions (no PII) | USA | EU-US DPF + SCCs

5.2 Sub-processor Changes

The Processor will provide the Controller with at least 30 days' advance written notice before adding, replacing, or materially changing the scope of any sub-processor. Notice will be provided via email to the account administrator and published on the sub-processors page.

The Controller may object to a new or replacement sub-processor on reasonable grounds relating to data protection by notifying the Processor in writing within 14 days of receiving notice. If the Processor cannot reasonably accommodate the Controller's objection, the Controller may terminate the affected services without penalty, with a pro-rata refund for any prepaid and unused fees.

5.3 Sub-processor Agreements

The Processor ensures that all sub-processors are bound by written data processing agreements imposing data protection obligations substantially similar to those set out in this DPA, including adequate security measures, confidentiality obligations, and GDPR compliance requirements. The Processor remains fully liable to the Controller for the performance of each sub-processor's obligations.

6. Data Subject Rights

6.1 Rights Under GDPR

The Processor will assist the Controller in fulfilling its obligations to respond to Data Subject requests exercising rights under Chapter III of the GDPR, including:

  • Right of Access (Art. 15): Provide copies of Personal Data being processed
  • Right to Rectification (Art. 16): Correct inaccurate or incomplete Personal Data
  • Right to Erasure (Art. 17): Delete Personal Data ("right to be forgotten") where applicable
  • Right to Restriction (Art. 18): Restrict processing of Personal Data in certain circumstances
  • Right to Data Portability (Art. 20): Export Personal Data in a structured, commonly used, machine-readable format
  • Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes
  • Rights Related to Automated Decision-Making (Art. 22): Not be subject to decisions based solely on automated processing, including profiling, which produce legal or similarly significant effects

6.2 Request Handling

If the Processor receives a Data Subject request directly, it will promptly forward the request to the Controller within 3 business days. The Controller is responsible for responding to Data Subjects. The Processor will provide reasonable technical assistance to enable the Controller to fulfil such requests within the timeframes required by the GDPR.

6.3 Self-Service Tools

The Service includes self-service tools enabling Data Subjects to exercise their rights directly, including:

  • Account settings for viewing and updating Personal Data
  • Data export functionality for downloading account data and audit history in machine-readable formats (JSON, CSV)
  • Account deletion functionality for permanent erasure of all associated Personal Data
  • Cookie consent management for controlling analytics and non-essential tracking

7. Data Retention and Deletion

7.1 Retention Periods

Data Category | Retention Period | Basis
--- | --- | ---
Active account data | Duration of subscription | Contract performance
Audit data and reports | Duration of subscription (deletable earlier by user) | Contract performance
Usage and access logs | 90 days | Security and operational necessity
Error logs (Sentry) | 90 days | Service reliability
Database backups | 30 days | Disaster recovery
Payment records | As required by Finnish accounting law (6 years) | Legal obligation
Legal holds | Duration of legal proceedings | Legal obligation / legitimate interest

Enterprise customers may negotiate custom retention periods aligned with their internal data governance policies.

7.2 Deletion Upon Termination

Upon termination of the Controller's subscription, the Processor will delete or anonymize all Personal Data within 90 days, except where retention is required by applicable law (such as Finnish accounting obligations). Enterprise customers may request expedited deletion. The Controller may request a copy of their data in a machine-readable format before deletion commences.

7.3 Secure Deletion

Data deletion includes removal from all production systems, backup systems, and sub-processor systems. Deletion is performed using industry-standard secure deletion methods. The Processor will provide written confirmation of deletion upon request from the Controller.

8. Data Breach Notification

8.1 Notification Timeline

The Processor will notify the Controller without undue delay, and in any event within 72 hours, upon becoming aware of a Data Breach affecting the Controller's Personal Data. Where the notification cannot be made within 72 hours, the Processor will provide a reasoned justification for the delay.

8.2 Breach Information

The Processor's Data Breach notification will include, to the extent available:

  • The nature of the Data Breach, including where possible the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned
  • The name and contact details of the Data Protection Officer or other contact point where more information can be obtained
  • A description of the likely consequences of the Data Breach
  • A description of the measures taken or proposed to address the Data Breach, including measures to mitigate its possible adverse effects
  • A timeline of events and initial root cause analysis, where available

8.3 Cooperation

The Processor will cooperate with the Controller in investigating the Data Breach and will provide reasonable assistance in notifying Data Subjects and supervisory authorities as required under Articles 33 and 34 of the GDPR. The Processor will take immediate steps to contain the breach and preserve evidence for forensic analysis.

9. International Data Transfers

9.1 Transfer Mechanisms

When Personal Data is transferred outside the European Economic Area (EEA), the Processor ensures appropriate safeguards are in place in accordance with Chapter V of the GDPR:

  • Standard Contractual Clauses (SCCs): The Processor uses the EU Commission-approved Standard Contractual Clauses pursuant to Implementing Decision (EU) 2021/914 for transfers to sub-processors in third countries without an adequacy decision
  • EU-US Data Privacy Framework (DPF): For transfers to US-based sub-processors that are certified under the EU-US Data Privacy Framework, the Processor relies on the adequacy decision of the European Commission (Implementing Decision of 10 July 2023), supplemented by SCCs as a fallback mechanism
  • EU Data Residency: Enterprise customers may elect EU data residency options, ensuring that Personal Data at rest is stored exclusively within the European Economic Area. Contact enterprise@vertaaux.ai for configuration

9.2 Transfer Impact Assessments

The Processor has conducted Transfer Impact Assessments (TIAs) for all international data transfers to evaluate the legal framework of the recipient country and determine whether supplementary measures are necessary to ensure adequate protection. TIAs are reviewed and updated annually or when relevant circumstances change.

9.3 Supplementary Measures

Where TIAs identify risks, the Processor implements supplementary measures including strong encryption in transit and at rest, pseudonymization where feasible, contractual commitments from sub-processors to challenge government access requests, and transparency reporting.

10. Audits and Compliance

10.1 Compliance Documentation

The Processor maintains documentation demonstrating compliance with this DPA and the GDPR, including:

  • Records of processing activities (Article 30 GDPR)
  • Security policies, procedures, and technical documentation
  • Staff training records and certifications
  • Incident response logs and post-incident reports
  • Sub-processor agreements and due diligence records
  • Data Protection Impact Assessment (DPIA) reports
  • Transfer Impact Assessment (TIA) documentation

10.2 Audit Rights

Enterprise customers may, upon reasonable written notice of at least 30 days and no more than once per year, audit the Processor's compliance with this DPA through:

  • Review of security documentation, policies, and certifications
  • Written security questionnaires and assessments
  • On-site or remote audits conducted by the Controller or a qualified, independent third-party auditor (at the Controller's expense), subject to reasonable confidentiality obligations

The Processor will cooperate with all reasonable audit requests and provide access to relevant facilities, systems, and personnel. Audit findings and any required remediation actions will be documented in writing and tracked to completion.

10.3 Certifications

The Processor maintains industry-standard certifications and regularly undergoes third-party security assessments. Current certifications and attestation reports are available upon request to Enterprise customers.

11. AI and Automated Processing

11.1 Use of AI Sub-processors

The Service uses large language models (LLMs) provided by Mistral AI SAS and OpenAI Inc. as authorized sub-processors to enrich audit results with AI-powered analysis and recommendations. The following safeguards apply:

  • No PII Transmission: The Processor strips all Personal Data and personally identifiable information from data before sending it to LLM providers. Only audit results text, issue descriptions, and technical analysis data are transmitted.
  • No Model Training: Data sent to LLM providers is not used for model training, fine-tuning, or improvement of the AI providers' models. Both Mistral AI and OpenAI are contractually prohibited from using VertaaUX customer data for any purpose other than processing the specific request.
  • EU-First Processing: Where feasible, the Processor routes AI processing through Mistral AI (based in France, EU) to minimize international data transfers.
  • Transient Processing: LLM providers process data in real-time and do not retain input or output data beyond the duration required to complete the request (typically seconds).

11.2 Data Protection Impact Assessment

The Processor has conducted a Data Protection Impact Assessment (DPIA) pursuant to Article 35 of the GDPR covering the use of AI and automated processing within the Service. The DPIA assesses risks to Data Subject rights and freedoms and documents the measures implemented to mitigate identified risks. Enterprise customers may request a summary of the DPIA.

11.3 Automated Decision-Making

The Service does not make decisions based solely on automated processing that produce legal effects or similarly significant effects on Data Subjects. Audit scores and recommendations are provided as informational tools only and do not constitute automated decision-making under Article 22 of the GDPR.

12. Liability

12.1 Limitation of Liability

Each party's liability under this DPA is subject to the limitation of liability provisions set out in the Terms of Service, except to the extent that such limitations are prohibited by applicable data protection laws, including the GDPR.

12.2 Controller Liability

The Controller acknowledges that it is responsible for ensuring its use of the Service complies with applicable data protection laws and for any claims arising from its processing instructions, its failure to comply with its obligations as Controller, or the lawfulness of the Personal Data it submits to the Service.

12.3 Indemnification

Each party shall indemnify the other party against any losses, damages, liabilities, costs, and expenses (including reasonable legal fees) arising from any breach of this DPA by the indemnifying party, to the extent permitted by applicable law.

13. Term and Termination

13.1 Term

This DPA takes effect on the date the Controller first accesses or uses the Service, and continues in force for the duration of the Terms of Service. This DPA is automatically incorporated into and forms part of the Terms of Service.

13.2 Effect of Termination

Upon termination of the Terms of Service, the Processor will cease all processing of Personal Data on behalf of the Controller and will delete or return all Personal Data as specified in Section 7, unless retention is required by Union or Member State law. The Controller may request a data export prior to termination.

13.3 Survival

The following provisions survive termination of this DPA: confidentiality obligations, data deletion obligations (Section 7), liability and indemnification (Section 12), audit rights (Section 10), and any provisions that by their nature are intended to survive termination.

14. Amendments

The Processor may update this DPA to reflect changes in applicable data protection laws, regulatory guidance, our processing activities, or industry best practices. The Processor will provide at least 30 days' advance notice of material changes via email to the account administrator and by publishing a notice on the Service.

Enterprise customers may negotiate custom DPA terms, including additional security commitments, data residency requirements, custom retention periods, and enhanced audit rights. Contact enterprise@vertaaux.ai to discuss custom terms.

15. Contact Information

For questions, requests, or concerns about this DPA or data protection matters, contact us using the following channels:

Contact | Details
--- | ---
Data Protection Officer | dpo@vertaaux.ai
Legal Department | legal@vertaaux.ai
Security Issues | security@vertaaux.ai
Enterprise Inquiries | enterprise@vertaaux.ai
Entity | Digitaltableteur Tmi (FI22264455-2), trading as VertaaUX
Address | Helsinki, Finland

Enterprise Customers

If you require a custom Data Processing Agreement with specific terms, data residency guarantees, enhanced audit rights, custom retention periods, or additional security commitments, please contact our enterprise team at enterprise@vertaaux.ai. We accommodate custom agreements for Enterprise tier customers, including negotiated SCCs, dedicated infrastructure options, and bespoke compliance documentation.

Annex 1: Description of Processing

This Annex describes the processing of Personal Data carried out by the Processor on behalf of the Controller in connection with the Service.

A. Nature and Purpose of Processing

The Processor processes Personal Data to provide the VertaaUX automated UX auditing platform, including user account management, website audit execution, report generation, payment processing, service notifications, error monitoring, and platform optimization.

B. Categories of Data Subjects

  • Employees, contractors, and agents of the Controller who use the Service
  • Team members invited to the Controller's organization account
  • End users whose interactions with the Controller's websites may be indirectly captured in audit data (e.g., publicly visible content)

C. Categories of Personal Data

  • Identity Data: Name, email address, profile picture (from OAuth provider)
  • Authentication Data: OAuth tokens, session identifiers, API keys
  • Billing Data: Payment card details (processed by Stripe, not stored by Processor), billing address, invoice history
  • Usage Data: Audit target URLs, audit results, scores, recommendations, feature usage, access logs
  • Technical Data: IP addresses, browser type and version, operating system, device identifiers, error logs, stack traces
  • Communication Data: Transactional email content, notification preferences, support communications

D. Duration of Processing

Processing continues for the duration of the Controller's subscription plus the applicable retention periods set out in Section 7.1 of this DPA. Upon termination, Personal Data is deleted within 90 days unless otherwise agreed or required by law.

Annex 2: Technical and Organizational Measures

The Processor implements the following technical and organizational measures pursuant to Article 32 of the GDPR to ensure a level of security appropriate to the risk:

A. Encryption and Pseudonymization

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for all data at rest
  • Separate encryption keys for database backups with automated key rotation
  • Pseudonymization of Personal Data where feasible for analytics and AI processing
  • Hashed and salted password storage (where applicable) using industry-standard algorithms

B. Access Control and Authentication

  • Role-based access control (RBAC) with principle of least privilege
  • Multi-factor authentication (MFA) required for administrative and production system access
  • OAuth 2.0-based authentication for user accounts with support for enterprise SSO
  • API key management with scoped permissions and automatic expiration
  • Automated session timeouts and forced re-authentication for sensitive operations
  • Regular access reviews and prompt deprovisioning of departed personnel

C. Network and Infrastructure Security

  • Web application firewall (WAF) with real-time threat rules
  • DDoS protection via CDN edge network (Vercel)
  • Intrusion detection and prevention systems (IDS/IPS)
  • Network segmentation separating production, staging, and development environments
  • Automated vulnerability scanning and dependency auditing
  • Content Security Policy (CSP) headers enforced across all web surfaces

D. Database and Application Security

  • Encrypted database connections with mandatory SSL/TLS
  • Parameterized queries and ORM-based data access preventing SQL injection
  • Connection pooling with enforced connection limits and timeouts
  • Point-in-time recovery capability with encrypted backups
  • Rate limiting on all API endpoints via Redis-backed counters
  • Input validation and sanitization on all user-supplied data

E. Monitoring and Incident Response

  • Real-time error tracking and performance monitoring (Sentry)
  • Comprehensive audit logging of administrative actions and data access
  • Automated alerting on security anomalies and threshold breaches
  • Documented incident response plan with defined roles, escalation procedures, and communication templates
  • Post-incident reviews and root cause analysis for all security events

F. Organizational Controls

  • Regular security awareness training for all personnel
  • Background verification for employees with production system access
  • Confidentiality agreements for all staff and contractors
  • Business continuity and disaster recovery plans tested annually
  • Security and privacy assessments for all sub-processors
  • Data protection by design and by default principles applied to all new features and systems

Annex 3: Authorized Sub-processors

The following sub-processors are authorized to process Personal Data on behalf of the Controller as of the date of this DPA. A current list is maintained at /subprocessors.

Sub-processor | Purpose | Data Categories | Location | Transfer Mechanism
--- | --- | --- | --- | ---
Vercel Inc. | Hosting, CDN, edge functions | All service data in transit | USA | EU-US DPF + SCCs
Neon Tech Inc. | PostgreSQL database hosting | Account data, audit data, usage logs | USA (EU available) | EU-US DPF + SCCs
Stripe Inc. | Payment processing | Payment data, billing addresses, email | USA | EU-US DPF + SCCs
Resend Inc. | Transactional email delivery | Email addresses, notification content | USA | SCCs
Sentry (Functional Software Inc.) | Error tracking, performance monitoring | Error logs, IP addresses, browser info, stack traces | USA | EU-US DPF + SCCs
Google LLC (Analytics) | Website analytics (opt-in only) | Anonymized page views, session data | USA | EU-US DPF + SCCs
Upstash Inc. | Redis queue, rate limiting | Job IDs, rate limit counters, queue metadata | USA (EU available) | SCCs
Browserless Inc. | Headless browser for audit execution | Audit target URLs, rendered page data (transient) | USA | SCCs
Mistral AI SAS | LLM-powered audit enrichment | Audit results text, issue descriptions (no PII) | France (EU) | N/A (EU processor)
OpenAI Inc. | LLM-powered audit enrichment | Audit results text, issue descriptions (no PII) | USA | EU-US DPF + SCCs
