This Data Processing Addendum ("DPA") forms part of the agreement between the customer ("Controller") and Vibe Shield ("Processor") governing the processing of personal data under the EU General Data Protection Regulation and the UK GDPR.
1. Subject matter & duration
Processor will process personal data submitted by or on behalf of Controller ("Controller Personal Data") only to provide the Service, only for the duration of the agreement, and only on Controller's documented instructions.
2. Nature & purpose of processing
Continuous operational control of AI and information security posture: storage, aggregation, analysis, alerting, and evidence generation.
3. Categories of data subjects & data
- Data subjects: Controller's personnel, contractors, and end-users whose interactions trigger telemetry.
- Categories: identifiers, authentication metadata, role assignments, technical telemetry, and any personal data Controller chooses to submit as evidence.
4. Processor obligations
- Process only on documented instructions from Controller.
- Ensure personnel are bound by confidentiality.
- Implement appropriate technical and organisational measures (see Annex II).
- Engage subprocessors only under written terms equivalent to this DPA.
- Assist Controller with data-subject requests and DPIAs.
- Notify Controller without undue delay after becoming aware of a personal data breach affecting Controller Personal Data, and in any event in time for Controller to meet its own 72-hour deadline for notifying the supervisory authority under Article 33 GDPR, including the information Controller needs for that notification as it becomes available.
- Delete or return Controller Personal Data, at Controller's election, on termination of the agreement, except where retention is required by applicable law or a legal hold, in which case the retained data remains subject to this DPA.
5. International transfers
Transfers outside the EEA / UK are governed by the EU Standard Contractual Clauses (Module Two — Controller-to-Processor) and the UK IDTA, both of which are incorporated by reference.
6. Subprocessors
A current list of subprocessors is available on request. Processor will give Controller prior notice of any new subprocessor, and Controller may object on reasonable data-protection grounds within 30 days of that notice.
Annex II — Technical & organisational measures
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Tenant isolation enforced via Row-Level Security.
- Tamper-evident, hash-chained evidence ledger.
- Least-privilege access with MFA on all production systems.
- SOC 2- and ISO 27001-aligned operational controls.
- 24/7 security monitoring with documented incident response.