Overview
This DPA forms part of the master agreement between Vaultaproof Inc. (Processor) and the customer (Controller).
It governs how Vaultaproof processes Customer Data to deliver the platform.
1. Definitions
Customer Data: Documents or information uploaded by the customer, including insurance policies, vendor data, and metadata.
Personal Data: Information about an identified or identifiable individual as defined by applicable law.
Processing: Any operation such as storage, extraction, classification, transmission, or deletion.
Controller: The entity that determines purposes and means of processing.
Processor: Vaultaproof Inc., processing Customer Data solely to provide the Service.
Sub-processor: Third-party service provider engaged by Vaultaproof to process Customer Data.
2. Purpose and Scope
Vaultaproof processes Customer Data only to provide and maintain the Service, extract expiry metadata, generate reminders and audit evidence, and support account administration.
Customer Data is never used for advertising or resale.
3. Controller Responsibilities
The Controller determines the lawful basis for processing, obtains necessary consents, uploads only authorized documents, and ensures no prohibited data (e.g., PHI) is stored without agreement.
4. Processor Obligations
- Process only according to documented instructions.
- Ensure personnel with access are bound by confidentiality.
- Maintain administrative, technical, and organizational security measures (encryption, RBAC, audit logging).
- Notify Controller without undue delay after confirmed data breaches.
5. Sub-processors
Vaultaproof uses trusted providers such as AWS (hosting), Stripe (billing), and email vendors.
Vaultaproof imposes data-protection terms and remains responsible for their performance, providing notice of new sub-processors upon request.
6. International Transfers
Customer Data may be processed in the United States where sub-processors operate, and such processing will follow applicable requirements.
7. Data Subject Requests
Vaultaproof assists the Controller, when feasible, in responding to access, correction, deletion, or export requests. The Controller decides how to handle each request.
8. Data Retention and Deletion
Upon termination, Vaultaproof deletes Customer Data upon request unless retention is required by law. Backups and audit logs may persist temporarily for security and compliance.
9. Audits
Upon reasonable written request, Vaultaproof provides summaries of security policies and available attestations. On-site audits require mutual agreement and may incur fees.
10. Liability
Liability related to this DPA is governed by the limitation-of-liability section of the master agreement.
11. Governing Law
Unless otherwise agreed, the DPA is governed by the laws of Delaware, USA.
12. Contact
Vaultaproof Inc., 2967 Dundas St. W. #431B, Toronto, ON M6P 1Z2
Email: info@vaultaproof.com