Data Processing Agreement

Last updated: December 10, 2025

1. Definitions

This Data Processing Agreement ("DPA") forms part of the Terms of Service and applies to the processing of Personal Data by VertaaUX Oy ("Processor", "we", "us") on behalf of the Customer ("Controller", "you"). This DPA is particularly relevant for Enterprise customers and organizations subject to GDPR and other data protection regulations.

Key Terms:

  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on Personal Data, including collection, storage, analysis, or deletion
  • Data Subject: The individual whose Personal Data is being processed
  • Controller: The entity that determines the purposes and means of processing Personal Data (you)
  • Processor: The entity that processes Personal Data on behalf of the Controller (us)
  • Sub-processor: Any third party appointed by the Processor to process Personal Data
  • GDPR: General Data Protection Regulation (EU) 2016/679

2. Scope and Applicability

2.1 Scope of Processing

This DPA applies to all Personal Data processed by VertaaUX in connection with providing UX auditing services to you, including:

  • User account information (name, email, authentication data)
  • Organization member data for team accounts
  • Website URLs and metadata submitted for auditing
  • Audit results and associated analytics
  • Usage logs and activity data

2.2 Nature and Purpose

Personal Data is processed solely for the purpose of providing UX auditing services, maintaining the Service, and communicating with you about your account.

2.3 Duration

Processing will continue for the duration of your subscription and for the retention periods specified in Section 7 (Data Retention and Deletion) of this DPA.

3. Controller and Processor Obligations

3.1 Your Obligations as Controller

You warrant and represent that:

  • You have all necessary rights and consents to submit Personal Data to our Service
  • You have provided appropriate privacy notices to Data Subjects
  • Your use of the Service complies with all applicable data protection laws
  • You will not submit special categories of Personal Data within the meaning of GDPR Article 9 (health, biometric, genetic data, political opinions, etc.) without our prior written agreement

3.2 Our Obligations as Processor

We commit to:

  • Process Personal Data only in accordance with your documented instructions
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational measures to ensure data security
  • Assist you in responding to Data Subject requests
  • Assist you in ensuring compliance with data protection obligations
  • Delete or return Personal Data upon termination of services, unless retention is required by law
  • Make available all information necessary to demonstrate compliance with this DPA

4. Security Measures

4.1 Technical Measures

We implement the following technical security measures:

  • Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Control: Multi-factor authentication, role-based access control (RBAC), least privilege principle
  • Network Security: Firewalls, DDoS protection, intrusion detection systems
  • Database Security: Encrypted backups, connection pooling over TLS-encrypted (SSL) database connections, parameterized queries to prevent SQL injection
  • Monitoring: Real-time security monitoring, automated threat detection, audit logging

4.2 Organizational Measures

  • Staff Training: Regular security and privacy training for all employees
  • Access Management: Background checks, confidentiality agreements, access reviews
  • Incident Response: Documented incident response procedures and breach notification protocols
  • Business Continuity: Regular backups, disaster recovery plans, service redundancy
  • Vendor Management: Security assessments of all sub-processors

4.3 Security Reviews

We conduct regular security assessments and penetration testing. Enterprise customers may request security documentation or arrange security audits upon reasonable notice.

5. Sub-processors

5.1 Authorized Sub-processors

You authorize us to engage the following sub-processors for processing Personal Data:

  Sub-processor     | Purpose                                 | Location
  ------------------+-----------------------------------------+-----------------------------------
  Vercel Inc.       | Infrastructure hosting, CDN             | USA (EU data residency available)
  Neon Tech Inc.    | Database hosting (PostgreSQL)           | USA (EU regions available)
  Stripe Inc.       | Payment processing                      | USA (GDPR compliant)
  Resend Inc.       | Transactional email delivery            | USA
  PostHog Inc.      | Analytics (optional, can be disabled)   | USA (EU hosting available)

5.2 Sub-processor Changes

We will provide at least 30 days' notice before adding or replacing sub-processors. You may object to a new sub-processor on reasonable grounds relating to data protection. If we cannot accommodate your objection, you may terminate your subscription without penalty.

5.3 Sub-processor Agreements

We ensure that all sub-processors are bound by data processing terms substantially similar to this DPA, including adequate security measures and GDPR compliance obligations.

6. Data Subject Rights

6.1 Rights Under GDPR

We will assist you in fulfilling your obligations to respond to Data Subject requests, including:

  • Right of Access: Provide copies of Personal Data
  • Right to Rectification: Correct inaccurate Personal Data
  • Right to Erasure: Delete Personal Data ("right to be forgotten")
  • Right to Restriction: Limit processing of Personal Data
  • Right to Data Portability: Export Personal Data in machine-readable format
  • Right to Object: Object to processing based on legitimate interests, and to processing for direct marketing purposes

6.2 Request Handling

If we receive a Data Subject request directly, we will forward it to you within 3 business days. You are responsible for responding to Data Subjects. We will provide reasonable assistance upon request.

6.3 Self-Service Tools

Our Service includes self-service tools for Data Subjects to exercise their rights, including account settings for data access, export, and deletion.

7. Data Retention and Deletion

7.1 Retention Periods

  • Active Accounts: Personal Data retained for the duration of your subscription
  • Audit Data: Retained for the duration of your subscription unless deleted earlier by the user. Enterprise customers may request custom retention periods
  • Usage Logs: Retained for 90 days for security and operational purposes
  • Backups: Retained for 30 days, then securely deleted
  • Legal Holds: Data may be retained longer if required by law or legal proceedings

7.2 Deletion Upon Termination

Upon termination of your subscription, we will delete or anonymize all Personal Data within 90 days, except where retention is required by law. Enterprise customers may request earlier deletion.

7.3 Secure Deletion

Data deletion covers production systems, backups, and sub-processor systems. Backup copies age out within the 30-day backup retention period stated in Section 7.1. Deletion is performed using industry-standard secure deletion methods.

8. Data Breach Notification

8.1 Notification Timeline

We will notify you without undue delay, and in any event within 72 hours, of becoming aware of a Personal Data breach affecting your data, so that you can meet your own obligation under GDPR Article 33 to notify the supervisory authority within 72 hours where required.

8.2 Breach Information

Our breach notification will include, to the extent available:

  • Nature of the breach, including categories and approximate number of affected Data Subjects
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate harm
  • Contact point for more information

8.3 Cooperation

We will cooperate with you in investigating the breach and will provide reasonable assistance in notifying Data Subjects and supervisory authorities as required.

9. International Data Transfers

9.1 Transfer Mechanisms

When Personal Data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses: We use European Commission-approved Standard Contractual Clauses (SCCs) for transfers to third countries without an adequacy decision
  • Adequacy Decisions: We prioritize transfers to countries with EU adequacy decisions
  • Data Localization: Enterprise customers may request EU data residency options

9.2 Transfer Impact Assessment

We have conducted Transfer Impact Assessments for all international data transfers and implement supplementary measures as necessary to ensure adequate protection.

10. Audits and Compliance

10.1 Compliance Documentation

We maintain documentation demonstrating compliance with this DPA and GDPR, including:

  • Records of processing activities
  • Security policies and procedures
  • Staff training records
  • Incident response logs
  • Sub-processor agreements

10.2 Audit Rights

Enterprise customers may, upon reasonable notice and no more than once per year, audit our compliance with this DPA through:

  • Review of security documentation and certifications
  • Written questionnaires
  • On-site or remote audits by qualified third parties (at customer's expense)

10.3 Certifications

We maintain industry-standard certifications and regularly undergo third-party security assessments. Current certifications are available upon request.

11. Liability and Indemnification

11.1 Limitation of Liability

Each party's liability under this DPA is subject to the limitation of liability provisions in the Terms of Service, except where such limitations are prohibited by applicable data protection laws.

11.2 Controller Liability

You acknowledge that you are responsible for ensuring your use of the Service complies with applicable data protection laws and for any claims arising from your processing instructions or your failure to comply with your obligations as Controller.

12. Term and Termination

12.1 Term

This DPA takes effect on the date you first use the Service and continues until termination of the Terms of Service.

12.2 Effect of Termination

Upon termination, we will cease processing Personal Data and will delete or return all Personal Data as specified in Section 7, unless retention is required by law.

12.3 Survival

Provisions relating to confidentiality, data deletion, liability, and dispute resolution survive termination of this DPA.

13. Amendments

We may update this DPA to reflect changes in data protection laws, our processing activities, or industry best practices. We will provide at least 30 days' notice of material changes. Enterprise customers may request negotiation of custom DPA terms.

14. Contact Information

For questions about this DPA or data protection matters:

  • Data Protection Officer: dpo@vertaaux.ai
  • Legal Department: legal@vertaaux.ai
  • Security Issues: security@vertaaux.ai
  • Address: VertaaUX Oy, Helsinki, Finland

Enterprise Customers

If you require a custom DPA with specific terms, data residency guarantees, or additional security commitments, please contact our enterprise team at enterprise@vertaaux.ai. We can accommodate custom agreements for Enterprise tier customers.