DataVigiaBack

Data Processing Agreement (DPA)

Last updated: July 2026

1. Subject

This agreement governs the processing of personal data that DataVigia (processor) carries out on behalf of the client (controller) in providing the service, under Article 28 GDPR.

2. Nature and purpose

DataVigia processes data only to provide the security auditing, exfiltration detection and anti-phishing training service, following the client's documented instructions.

3. Data and data subjects

Processed data: security metadata (permissions, configurations, access logs), account data and the client's employee data for training simulations. File contents are NOT processed.

4. Processor obligations

DataVigia processes data only on the client's instructions, ensures the confidentiality of those handling it, applies appropriate technical and organisational measures and assists the client in meeting its obligations.

5. Sub-processors

DataVigia uses Supabase, Vercel, Anthropic and Resend, bound by equivalent agreements. The client authorises these sub-processors and will be informed of changes, and may object on legitimate grounds.

6. International transfers

Where transfers outside the European Economic Area occur, adequate safeguards apply, such as the European Commission's Standard Contractual Clauses.

7. Security (Art. 32)

Measures: encryption of connector secrets, isolation between organisations (Row Level Security), least privilege, access control and logging, and minimisation (no collection of file contents).

8. Data breaches

DataVigia notifies the client without undue delay after becoming aware of a personal data breach, providing the necessary information.

9. Data subject rights

DataVigia assists the client, as far as possible, in responding to requests from data subjects exercising their rights.

10. Audit

DataVigia makes available the information necessary to demonstrate compliance and allows reasonable audits by the client or an auditor it mandates.

11. Termination

At the end of the service, DataVigia returns or deletes the personal data processed on the client's behalf, at the client's choice, unless legally required to retain it.