Data Processing Agreement

Last updated: February 1, 2026. This DPA governs VectorAutomate's processing of Personal Data on behalf of its customers.

1. Definitions

"Controller" means the entity that determines the purposes and means of the processing of Personal Data — typically, the Customer.

"Processor" means VectorAutomate, Inc., which processes Personal Data on behalf of the Controller in connection with providing the Services.

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by VectorAutomate on behalf of the Customer.

"Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, or erasure.

2. Scope of Processing

VectorAutomate processes Personal Data solely for the purpose of providing the Services as described in the applicable subscription agreement. Processing activities include indexing documentation, generating citation-backed responses, and maintaining audit logs.

VectorAutomate does not sell Personal Data, use Personal Data for advertising, or process Personal Data for any purpose other than providing the contracted Services.

3. Security Measures

VectorAutomate implements and maintains appropriate technical and organizational security measures to protect Personal Data against unauthorized access, alteration, disclosure, or destruction. These measures include AES-256 encryption at rest, TLS 1.3 in transit, role-based access controls, and continuous monitoring.

VectorAutomate maintains SOC 2 Type II certification and undergoes annual third-party security audits.

4. Sub-Processors

VectorAutomate may engage sub-processors to assist in providing the Services. A current list of sub-processors is maintained and available upon request. VectorAutomate will notify the Controller at least 30 days before engaging a new sub-processor.

VectorAutomate ensures that all sub-processors are bound by data protection obligations no less protective than those set out in this DPA.

5. Data Subject Rights

VectorAutomate will assist the Controller in responding to data subject requests, including requests for access, rectification, erasure, restriction, portability, and objection, to the extent technically feasible.

Requests should be directed to the Controller. VectorAutomate will cooperate promptly upon receiving instructions from the Controller.

6. Data Breach Notification

In the event of a confirmed data breach involving Personal Data, VectorAutomate will notify the Controller without undue delay and in no event later than 72 hours after becoming aware of the breach.

Notification will include the nature of the breach, categories and approximate number of affected records, likely consequences, and measures taken or proposed to mitigate the impact.

7. Data Retention and Deletion

Upon termination of the subscription agreement, VectorAutomate will delete or return all Personal Data to the Controller within 60 days, unless retention is required by applicable law.

Audit logs may be retained for a minimum period as required by compliance obligations, after which they will be securely deleted.

8. International Transfers

If Personal Data is transferred outside the European Economic Area, VectorAutomate relies on Standard Contractual Clauses (SCCs) as approved by the European Commission, supplemented by additional technical and organizational measures where appropriate.

9. Contact

For questions about this DPA or to request a signed copy, please contact us at dpa@vectorautomate.io.
