Data Processing Agreement (DPA)
Last updated: July 2026
1. Subject
This agreement governs the processing of personal data that DataVigia (processor) carries out on behalf of the client (controller) in providing the service, under Article 28 GDPR.
2. Nature and purpose
DataVigia processes data only to provide the security auditing, exfiltration detection and anti-phishing training service, following the client's documented instructions.
3. Data and data subjects
Processed data: security metadata (permissions, configurations, access logs), account data and the client's employee data for training simulations. File contents are NOT processed.
4. Processor obligations
DataVigia processes data only on the client's instructions, ensures the confidentiality of those handling it, applies appropriate technical and organisational measures and assists the client in meeting its obligations.
5. Sub-processors
DataVigia uses Supabase, Vercel, Anthropic and Resend, bound by equivalent agreements. The client authorises these sub-processors and will be informed of changes, and may object on legitimate grounds.
6. International transfers
Where transfers outside the European Economic Area occur, adequate safeguards apply, such as the European Commission's Standard Contractual Clauses.
7. Security (Art. 32)
Measures: encryption of connector secrets, isolation between organisations (Row Level Security), least privilege, access control and logging, and minimisation (no collection of file contents).
8. Data breaches
DataVigia notifies the client without undue delay after becoming aware of a personal data breach, providing the necessary information.
9. Data subject rights
DataVigia assists the client, as far as possible, in responding to requests from data subjects exercising their rights.
10. Audit
DataVigia makes available the information necessary to demonstrate compliance and allows reasonable audits by the client or an auditor it mandates.
11. Termination
At the end of the service, DataVigia returns or deletes the personal data processed on the client's behalf, at the client's choice, unless legally required to retain it.