Data Processing Addendum
Download PDFThis Data Processing Addendum ("DPA") forms part of the agreement between you (the "Controller") and Vexta CMO (the "Processor") with respect to processing of personal data carried out by the Processor on behalf of the Controller in connection with the Services. A counter-signed copy on company letterhead is available on request to [email protected].
1. Definitions and Construction
Capitalised terms not defined in this DPA have the meanings given to them in the underlying Services agreement, our Terms of Service, or in applicable data protection laws. "Applicable Data Protection Laws" means all laws and regulations applicable to the processing of personal data under this DPA, including without limitation the General Data Protection Regulation, the UK General Data Protection Regulation, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act and the California Privacy Rights Act, the Digital Personal Data Protection Act of India, and any other comparable laws and regulations to the extent applicable to the processing of personal data hereunder. References to terms such as "personal data", "processing", "controller", "processor", "data subject", "supervisory authority", "international transfer", and "personal data breach" have the meanings given to them under Applicable Data Protection Laws.
2. Parties and Roles
The Controller determines the purposes and means of the processing of personal data submitted to or processed through the Services. The Processor processes personal data on the documented instructions of the Controller, in its capacity as a processor, and provides the Services in accordance with the underlying Services agreement and this DPA. The Processor will not process personal data for any purpose other than as set out in this DPA, the underlying Services agreement, the Controller's documented instructions, or as required by Applicable Data Protection Laws. Where the Processor reasonably believes that an instruction would infringe Applicable Data Protection Laws it shall promptly notify the Controller.
3. Subject Matter and Duration
The subject matter of the processing under this DPA is the provision of the Services to the Controller, as described in the underlying Services agreement. The processing shall be carried out for the duration of the Services agreement and for any additional period required to fulfil legal, regulatory, or contractual obligations of the Processor, after which personal data shall be returned or deleted as set out below.
4. Nature, Purpose, and Categories of Processing
The Processor processes personal data to provide, secure, maintain, operate, monitor, and improve the Services, and to provide the related support, technical, billing, and account-management functions. The categories of data subjects whose personal data may be processed include the Controller's authorised users, administrators, customers, prospects, employees, contractors, agents, and end users, together with any other categories of data subjects whose personal data is submitted to the Services by the Controller. The categories of personal data processed may include identifying information such as name, contact details, work-related information, account credentials in protected form, usage and device information, communication content, and any other information that the Controller chooses to submit to the Services. Special categories of personal data and information relating to criminal convictions and offences should not be submitted to the Services except as expressly permitted under the underlying Services agreement and Applicable Data Protection Laws.
5. Controller Obligations
The Controller shall comply with its obligations as a controller under Applicable Data Protection Laws. The Controller shall ensure that it has obtained all necessary consents, provided all required notices, and otherwise established a valid lawful basis under Applicable Data Protection Laws for the processing of personal data by the Processor in accordance with this DPA. The Controller shall be responsible for the accuracy, quality, and legality of personal data submitted to the Services and for the means by which the Controller acquired such personal data. The Controller shall instruct the Processor only to the extent permitted by Applicable Data Protection Laws.
6. Processor Obligations
The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to third countries or international organisations, unless required to do so by Applicable Data Protection Laws. The Processor shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The Processor shall take all measures required pursuant to Article 32 of the General Data Protection Regulation and equivalent provisions of Applicable Data Protection Laws.
7. Sub-processors
The Controller provides general authorisation for the Processor to engage sub-processors to process personal data in connection with the Services, subject to the conditions set out in this section. A current list of sub-processors used in connection with the Services is maintained at our publicly accessible sub-processors page and is updated from time to time. When the Processor engages a new sub-processor or replaces an existing one, it shall give the Controller prior written notice of the proposed change, which may be by email, in-product notification, or update to the published sub-processors list, with a minimum of thirty days' advance notice where reasonably possible. The Controller may object on reasonable grounds related to data protection by notifying the Processor within thirty days of the notice, and the parties shall work together in good faith to address the objection; if no resolution can be reached, the Controller may terminate the affected portion of the Services. The Processor shall enter into a written agreement with each sub-processor imposing data protection obligations substantially equivalent to those contained in this DPA, and shall remain liable to the Controller for the acts and omissions of its sub-processors with respect to the processing of personal data under this DPA.
8. Security Measures
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement and maintain appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk. Such measures include, as appropriate, the encryption of personal data in transit and at rest using industry-standard cryptographic techniques; measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services; the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; access controls and authentication measures appropriate to the sensitivity of the data; logging and monitoring of access and activity; secure development practices and vulnerability management; regular review and testing of the effectiveness of the security measures; and personnel training and awareness. The specific measures applied may evolve over time consistent with good industry practice and the Processor's information security program. Where a Controller requires more detailed information about the security measures, the Processor will respond to a reasonable request for such information consistent with section 11 below.
9. Personal Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within seventy-two hours, after becoming aware of a personal data breach affecting personal data processed under this DPA. Such notification shall include, to the extent then known, the nature of the personal data breach, the categories and approximate number of data subjects and personal data records affected, the likely consequences of the breach, and the measures taken or proposed to be taken to address it and mitigate its adverse effects. The Processor shall reasonably cooperate with the Controller and provide reasonable assistance in the Controller's response to the breach, including in connection with the Controller's notification obligations to supervisory authorities and affected data subjects. The Processor's notification of a personal data breach is not an acknowledgement of fault or liability.
10. Data Subject Rights and Cooperation
The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights under Applicable Data Protection Laws. To the extent a data subject submits a request directly to the Processor that relates to personal data processed on behalf of a Controller, the Processor shall, without undue delay, refer the data subject to the Controller and shall not respond to the request directly except as required by Applicable Data Protection Laws or as instructed by the Controller. The Processor shall further assist the Controller, taking into account the nature of processing and the information available to the Processor, with the Controller's compliance with its obligations under Applicable Data Protection Laws relating to security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
11. Audit Rights
The Processor shall make available to the Controller, upon reasonable request and subject to appropriate confidentiality protections, the information necessary to demonstrate compliance with the obligations set out in this DPA and Applicable Data Protection Laws, including by providing copies of relevant certifications, third-party audit reports, and responses to reasonable due-diligence questionnaires. To the extent permitted by Applicable Data Protection Laws, audits shall be conducted no more than once in any twelve-month period, except in the case of a reasonable suspicion of material non-compliance with this DPA or following a personal data breach. The Controller shall give the Processor reasonable advance notice of any audit and the parties shall mutually agree on the scope, timing, and confidentiality terms. The Controller shall bear the costs of any audit, except where the audit reveals a material breach by the Processor of its obligations under this DPA, in which case the Processor shall bear the reasonable costs of the audit.
12. International Data Transfers
Where the Processor transfers personal data to a country or international organisation outside of the country in which the personal data was originally collected, the Processor shall ensure that such transfer is carried out in accordance with Applicable Data Protection Laws. Where the transfer is from the European Economic Area, the United Kingdom, or Switzerland to a country that has not been the subject of an adequacy decision, the parties shall implement standard contractual clauses approved by the European Commission, the United Kingdom's International Data Transfer Addendum, the Swiss equivalent thereof, or such other appropriate transfer mechanism as may be required by Applicable Data Protection Laws. The Processor shall make available to the Controller, on request, the relevant executed transfer instruments in respect of its sub-processors.
13. Return and Deletion of Personal Data
Upon the termination or expiration of the Services agreement, or on earlier written request by the Controller, the Processor shall, at the choice of the Controller, return all personal data processed under this DPA to the Controller or delete the personal data in accordance with the Processor's standard data deletion timelines, subject to a reasonable transitional period during which the Controller may export personal data using the export functionality of the Services. The Processor may retain personal data to the extent and for so long as required by Applicable Data Protection Laws, in archival or backup form retained in the ordinary course, or as reasonably necessary to comply with its legal obligations, resolve disputes, or enforce its agreements, provided that such retained personal data remains subject to the confidentiality and security provisions of this DPA.
14. Liability
Each party's liability arising out of or in connection with this DPA shall be subject to the limitations of liability set out in the underlying Services agreement, including any caps on aggregate liability. Nothing in this DPA limits or excludes the liability of either party for any matter that cannot be limited or excluded under Applicable Data Protection Laws.
15. Conflict; Governing Law
In the event of any conflict or inconsistency between this DPA and the underlying Services agreement with respect to the subject matter of this DPA, this DPA shall prevail to the extent of the conflict. This DPA is governed by and construed in accordance with the laws specified in the underlying Services agreement, except where Applicable Data Protection Laws require otherwise.
16. Modifications
The Processor may modify this DPA from time to time as reasonably necessary to address operational requirements, changes in applicable law, the introduction of new Services or features, or changes to the Processor's data processing practices, provided that any such modification shall not materially diminish the protections afforded to personal data under this DPA. The Processor shall provide reasonable notice of material changes by email, in-product notification, or by updating the version of this DPA published on its website.
17. Contact
Questions, requests for a counter-signed version, or notices under this DPA should be directed to [email protected].
Last updated: 2026-05-17. Customers requiring a counter-signed version on company letterhead should email the address above and we will respond within five business days.