Data Processing Addendum.
When you use VenduSys to process personal data on behalf of your end users, we act as your processor. This DPA sets the terms — including sub-processors, security and international transfers.
- Version: 2026.04
- Effective: April 18, 2026
- Entity: VenduSys SAS · 75002 Paris · France · SIREN 9XX XXX XXX
- Contact: legal@vendusys.com
1. Roles
You are the controller of personal data processed through the Services. VenduSys acts as the processor on your behalf. Where VenduSys engages further processors ("sub-processors"), it does so on your authorization in accordance with this DPA.
2. Subject matter and duration
The subject matter is the processing of personal data to provide the Services. The duration is the term of the underlying agreement plus any retention period required by law.
3. Categories of data and data subjects
Categories of data: identifiers, contact information, transactional data, account data, and any other personal data you choose to process through the Services. Categories of data subjects: your end users, partners, employees, and any other natural persons whose data you process.
4. Instructions
We process personal data only on your documented instructions — including those set out in the agreement, your configuration of the Services, and any subsequent written instructions. We will inform you if, in our opinion, an instruction violates applicable law.
5. Security measures
We implement technical and organizational measures appropriate to the risk, including:
- TLS 1.3 in transit, AES-256 at rest, per-tenant encryption keys.
- SSO + MFA for all personnel, least-privilege role-based access.
- SAST/SCA in CI, mandatory code review, dependency review on every PR.
- SOC 2 Type II audited annually, ISO 27001 in progress.
- External pentest annually, private bug-bounty.
- Documented incident response with 72-hour notification.
See the Security page for the full set of controls.
6. Sub-processors
You authorize VenduSys to engage the sub-processors listed below. We will give 30 days' notice before adding or replacing any sub-processor, and you may object on reasonable data-protection grounds.
- Vercel Inc. — frontend hosting · USA / EU regions.
- Supabase — Postgres & storage · EU (Paris, Frankfurt).
- Amazon Web Services — compute & object storage · EU.
- Cloudflare — edge & DDoS protection · Global.
- Sentry — error monitoring · EU.
- Linear — issue tracking · USA.
- Slack — internal comms · USA.
- Postmark — transactional email · USA (EU region available).
7. International transfers
Data is stored in the EU by default. Transfers outside the EEA are made under Standard Contractual Clauses (Module 2 or 3 as applicable) with supplementary measures. Customers on Scale and Enterprise plans may pin processing to a specific region.
8. Data subject requests
We will provide reasonable assistance to help you respond to data-subject requests (access, rectification, erasure, portability, restriction, objection). We will notify you if we receive a request directed at your data, and we will not respond to it without your instruction.
9. Incidents
We will notify you of a personal-data breach affecting your data without undue delay, and in any case within 72 hours of becoming aware. Notifications will include the available information about the nature, scope, likely consequences and measures taken.
10. Audits
You may audit our compliance with this DPA. In practice, we satisfy audit obligations through (a) the annual SOC 2 Type II report, and (b) a written questionnaire process. On-site audits are reserved for material concerns, no more than once per year, with reasonable notice.
11. Deletion and return
On termination, you may export Customer Data via the documented export tools for 30 days. After 90 days from termination, we will delete or anonymize Customer Data, except where law requires retention.
12. Liability and miscellaneous
This DPA forms part of and is subject to the limitations of liability of the underlying agreement. In case of conflict between the DPA and the agreement, the DPA controls for data-protection matters.
13. Contact
DPA-related questions: privacy@vendusys.com. Registered office: VenduSys SAS, 75002 Paris, France.