Data processing agreement
Standard processor terms for clients whose engagement involves personal data.
This Data Processing Agreement ("DPA") applies whenever Vectel BV processes personal data on behalf of a client ("controller") in the course of providing services. It supplements the main service agreement and reflects the requirements of Article 28 GDPR.
Subject matter and duration
Subject matter: processing of personal data necessary to deliver the agreed services (Managed IT, Development, Automation).
Duration: for the duration of the underlying service agreement, plus the retention period required by law or expressly agreed.
Nature, purpose and categories
Nature and purpose: storage, transmission, transformation, and routine administration of personal data as instructed by the controller.
Categories of data: typically employee directory data, customer contact details, and operational logs. The exact set is agreed in the engagement scope.
Categories of data subjects: employees, customers, suppliers and other contacts of the controller.
Processor obligations
We process personal data only on documented instructions from the controller, including transfers outside the EEA. We ensure persons authorised to process the data are bound by confidentiality. We implement appropriate technical and organisational measures (encryption in transit and at rest, access control, logging, and incident response). We assist the controller with data subject requests and with security and DPIA obligations as reasonably required.
Sub-processors
The controller authorises us to engage the sub-processors listed in our privacy policy. We will inform the controller of any planned change and give them a reasonable opportunity to object. We remain liable for sub-processors as for our own performance.
Security measures
Baseline measures include: TLS for all transport, AES-256 encryption at rest provided by the hosting providers, role-based access controls, MFA for all administrative accounts, regular dependency patching, monitoring and alerting, and tested backups. Specific additional measures may be agreed per engagement.
Breach notification
We notify the controller without undue delay (and in any case within 72 hours of discovery) of a personal data breach affecting their data, with the information needed for the controller to meet its own notification obligations (Article 33(2) GDPR).
Return or deletion at end of contract
On termination, we return or delete all personal data processed on the controller's behalf, at their choice, unless EU or Member State law requires retention. Deletion is confirmed in writing.
Audits
We make available to the controller all information necessary to demonstrate compliance with this DPA, and allow for audits, including inspections, conducted by the controller or another auditor mandated by the controller, on reasonable notice and during normal business hours.