vauzy
Agencies Teams Freelancers Features Pricing
Login
Sign up now

Data Processing Addendum (DPA).

Last updated: 15 September 2025

Controller

The customer identified in the order/registration.

Processor

Endpoint Esports Ltd (Company No. 10341616), registered office Ash House, 65 Napier Street, Sheffield, S11 8HA, United Kingdom (“Vauzy”).

  1. Subject matter, duration, and nature/purpose

    Subject matter: Processing of Personal Data to provide the Vauzy Service.

    Duration: For the term of the Vauzy Terms of Service, Section 8 (Term, suspension, termination), plus the deletion periods described in this DPA, Section 10 (Return and deletion) and in Vauzy Terms of Service, Section 8.4 (Data on exit).

    Nature/purpose: Hosting and processing encrypted vault data; enabling storage, sharing, sync, support, security, and billing.

  2. Categories of data and data subjects

    Data types: vault contents (may include usernames/emails within entries, API keys, 2FA seeds/codes, notes/files), user directory/profile data, audit/technical logs.

    Subjects: Customer’s users, client users, and any persons whose data Customer stores.

    Special categories: not intended; if stored by Customer, Customer is responsible for lawful basis and additional safeguards.

  3. Roles and instructions

    Customer is Controller; Vauzy is Processor. Vauzy processes Personal Data only on Controller’s documented instructions (Agreement, this DPA, in-product settings), unless required by law (Vauzy will inform Controller unless legally prohibited).

  4. Security and confidentiality

    Vauzy shall: (a) ensure personnel are bound by confidentiality; (b) implement appropriate technical and organisational measures (see this DPA, Annex A); (c) maintain policies/controls consistent with the Vauzy Security Statement.

  5. Assistance

    Taking into account the nature of processing, Vauzy will assist Controller with data subject requests, security obligations, DPIAs, and consultations, to the extent reasonably possible.

  6. Personal Data Breach

    Vauzy will notify Controller without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information/co-operation reasonably requested.

  7. Sub-processors

    Controller gives general authorisation for Vauzy to engage Sub-processors subject to data protection terms no less protective than this DPA. Vauzy will provide prior notice of changes (website/email) and allow reasonable objections. See this DPA, Annex B.

  8. International transfers

    Where Personal Data is transferred outside the UK/EEA, Vauzy will implement appropriate safeguards (e.g., EU SCCs and UK IDTA) and supplementary measures (strong encryption, access controls). Details available on request.

  9. Audits

    Upon written request (no more than annually unless required by law or following a breach), Vauzy will: (a) provide available compliance reports/summaries; and (b) allow audits under reasonable notice, confidentiality, and without undue disruption. Controller bears audit costs.

  10. Return and deletion

    On termination/expiry, Controller may export data self-service. After a 30-day window, Vauzy will delete Personal Data from live systems and purge backups on their normal cycle. On request, Vauzy will certify deletion. (See also Vauzy Terms of Service, Section 8.4.)

  11. Liability; precedence

    Liability is as set out in Vauzy Terms of Service, Section 9 (Warranties, disclaimers, limitation). If there is a conflict, this DPA prevails over the Terms for processing of Personal Data; the SCCs/UK IDTA prevail where applicable.

Annex A – Technical and Organisational Measures (summary)

  • Encryption at rest & in transit. Secret payloads encrypted with AEAD (e.g., AES-256-GCM) and AAD binding. Unique per-item keys are envelope-encrypted under per-vault keys, which are envelope-encrypted under per-tenant keys. TLS for all transport.
  • Key management & rotation. Keys never stored in plaintext; least-privilege access; full audit; high-entropy generation; rotation per policy. Optional customer-managed keys (BYOK/HYOK-style) on eligible plans.
  • Authentication. WebAuthn passkeys-only (passwordless); secure session handling; protections against phishing/credential replay.
  • Access control & audit. Role-based access; comprehensive audit logs for data/key access (actor, timestamp, source IP); tamper-resistant storage and monitoring.
  • Reliability & continuity. Encrypted backups; regional redundancy; DR/IR runbooks; periodic recovery testing (RTO/RPO fit for SaaS).
  • Vendor management. Sub-processor due diligence; contractual safeguards (e.g., SCCs/UK IDTA where applicable); ongoing monitoring.
  • Secure development. Secure SDLC; peer review; dependency scanning; regular vuln scanning and third-party pentests; tracked remediation.
  • Personnel security. Background checks where lawful; confidentiality; mandatory security/privacy training; MFA on admin systems.

Annex B – Sub-processors (current)

  • Amazon Web Services, Inc. – Cloud hosting & storage (UK/EU regions).
  • Stripe, Inc. – Payment processing (controller for payment card data).
  • MailerSend (The Remote Company / UAB “Mailersend”) – Transactional email delivery.
  • Twilio Inc. – SMS delivery (e.g., notifications).

(We will publish updates and provide prior notice of changes. Objections may be raised within 14 days; we will work in good faith to resolve.)

Back to top