Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between the Customer ("Controller") and VibeStartup ("Processor") for the provision of the VibeStartup service. It applies to the extent that VibeStartup processes personal data on behalf of the Customer in the course of providing the service.

1. Definitions

Terms such as "personal data," "processing," "data subject," "controller," "processor," and "sub-processor" have the meanings given under applicable data protection law, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA) as amended.

2. Scope and roles

The Customer is the controller of personal data submitted to the Service by or on behalf of the Customer (the "Customer Data"). VibeStartup is the processor of such Customer Data and will process it only on documented instructions from the Customer, including as set out in the service agreement and this DPA.

3. Subject matter and duration

Subject matter: provision of the VibeStartup service. Duration: the term of the service agreement plus any period during which VibeStartup retains Customer Data as permitted or required by law.

4. Nature and purpose of processing

VibeStartup processes Customer Data to host, store, transmit, analyze, and otherwise make available the functionality of the Service, including running AI agents on Customer Data as directed by the Customer.

5. Categories of data and data subjects

Categories of personal data and data subjects are determined by the Customer. Typical categories include employees, contractors, end users, customers, and other individuals whose personal data is uploaded into the Customer's project drives.

6. Confidentiality

VibeStartup ensures that personnel authorized to process Customer Data are subject to appropriate confidentiality obligations.

7. Security

VibeStartup implements appropriate technical and organizational measures to protect Customer Data against unauthorized access, loss, alteration, or destruction. These measures include encryption in transit and at rest, logical access controls, network segmentation, vulnerability management, and regular security reviews.

8. Sub-processors

The Customer authorizes VibeStartup to engage sub-processors to process Customer Data on its behalf. VibeStartup maintains a list of current sub-processors available on request and will notify the Customer of any intended changes, giving the Customer an opportunity to object on reasonable grounds.

9. Data subject rights

Taking into account the nature of the processing, VibeStartup will assist the Customer with reasonable technical and organizational measures to enable the Customer to respond to requests from data subjects exercising their rights under applicable data protection law.

10. Personal data breach

VibeStartup will notify the Customer without undue delay upon becoming aware of a personal data breach affecting Customer Data, and will provide reasonable information to allow the Customer to meet any obligations to notify data subjects or supervisory authorities.

11. International transfers

Where VibeStartup transfers Customer Data to a country outside the EEA, UK, or Switzerland that does not benefit from an adequacy decision, the parties will rely on the EU Standard Contractual Clauses or equivalent safeguards.

12. Return or deletion

Upon termination of the service agreement, VibeStartup will, at the Customer's choice, delete or return all Customer Data, unless retention is required by applicable law.

13. Audits

VibeStartup will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, subject to reasonable confidentiality and notice provisions.

14. Contact

To request a signed copy of this DPA or to discuss data protection matters, contact privacy@vibestartup.pro.