Data Processing Agreement
Effective Date: February 15, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written agreement ("Principal Agreement") between Vane Loop Research Inc. ("Processor") and the entity agreeing to these terms ("Controller" or "Customer"). This DPA applies where Vane Loop processes Personal Data on behalf of the Customer in the course of providing the Service. The Service is a B2B product; both parties act in a professional capacity.
1. Definitions
"Personal Data" means information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller.
"Processing" means any operation on Personal Data (collection, storage, use, disclosure, erasure, etc.).
"Sub-Processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
"Data Breach" means a security breach leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of Personal Data.
"SCCs" means Standard Contractual Clauses per Commission Implementing Decision (EU) 2021/914.
2. Scope and Purpose
The Processor processes Personal Data only per the Controller's documented instructions as specified in the Principal Agreement, this DPA, and Annex 1. No processing for other purposes unless required by law (with prior notice unless prohibited).
For on-premise deployments: where the Customer operates the Service on its own infrastructure, Vane Loop acts as a licensor and support provider, not a data processor. This DPA applies only to data that Vane Loop accesses in the course of providing support or maintenance services for on-premise deployments.
3. Controller Obligations
The Controller warrants: (a) lawful basis for processing; (b) required notices and consents obtained; (c) instructions comply with applicable law.
4. Processor Obligations
The Processor shall: (a) process only on documented instructions; (b) ensure authorized personnel are bound by confidentiality; (c) implement security measures per Annex 2; (d) respect sub-processor conditions (Section 6); (e) assist with data subject requests; (f) assist with security, breach notification, and DPIA obligations; (g) delete or return all Personal Data on termination (Controller's choice); (h) make available information for compliance demonstration and audits.
5. Data Subject Rights
Processor notifies Controller of data subject requests promptly. No direct response unless authorized by Controller or required by law. Reasonable assistance for fulfilling obligations.
6. Sub-Processors
General written authorization granted. List at vaneloop.com/legal/sub-processors. Thirty (30) days' advance notice for changes. Equivalent contractual obligations imposed. Processor remains liable. Controller may object; if unresolved, Controller may terminate affected Service with refund of prepaid fees.
7. International Transfers
Transfers outside EEA/UK/Switzerland rely on: EU-US Data Privacy Framework; SCCs Module 2 (Controller to Processor); supplementary measures. UK International Data Transfer Addendum and Swiss modifications incorporated. For regional hosting, data remains in-jurisdiction. For on-premise, no international transfers by the Processor.
8. Security
Technical and organizational measures per Annex 2, including: AES-256 at rest, TLS 1.2+ in transit; RBAC with least privilege; MFA for admin/production access; vulnerability assessments; logging and monitoring; secure SDLC; employee training.
9. Breach Notification
Notification within forty-eight (48) hours of awareness. Content: nature, categories/numbers affected, likely consequences, measures taken/proposed. Full cooperation in investigation and remediation.
10. Audits
Information and audit access with thirty (30) days' notice, during business hours, at Controller's expense. Third-party certifications (SOC 2, ISO 27001) may substitute for physical audits where adequate.
11. Retention and Deletion
On termination: return in machine-readable format (XLSX, CSV) or secure deletion with written certification, at Controller's election. Thirty (30) day export window. Legal retention obligations observed with data isolation.
12. Liability
Subject to Principal Agreement limitations. Nothing limits liability for data subject rights under applicable law.
13. Term
Effective for the duration of the Principal Agreement. Survival: deletion, confidentiality, audit.
14. Governing Law
Governed by the Principal Agreement's governing law. Mandatory data protection laws take precedence.
ANNEX 1: Description of Processing
Subject Matter: Processing in connection with the Vane Loop AI-powered strategic management platform.
Duration: Principal Agreement term plus 30-day retention period.
Nature/Purpose: Collection, storage, analysis, display for portfolio management, readiness assessments, maturity analysis, benchmarking (per tier), and AI query processing.
Data Types: Name, email, company, role, country, IP, browser/device info, usage data, AI query content, billing data (via Stripe).
Data Subjects: Controller's employees and authorized Service users.
Special Categories: None processed intentionally (GDPR Art. 9).
ANNEX 2: Technical and Organizational Measures
Encryption: AES-256 at rest. TLS 1.2+ in transit.
Access Control: RBAC, least privilege, MFA for admin/production.
Network: Firewalls, IDS, DDoS protection. Environment segmentation.
Data Isolation: Multi-tenant with logical separation at database level.
Monitoring: Centralized logging, anomaly alerting.
Vulnerability Management: Regular scanning, penetration testing, timely patching.
Business Continuity: Daily backups, tested restoration. RTO: 4 hours. RPO: 1 hour.
Personnel: Background checks, mandatory training, confidentiality agreements.
Incident Response: Documented plan, defined roles, escalation, post-incident review.
Contact Information
Vane Loop Research Inc.
State of Incorporation: Delaware, USA
Email: legal@vaneloop.com | Privacy: privacy@vaneloop.com | Sales: sales@vaneloop.com
Website: vaneloop.com