Data Processing Agreement
Last updated: February 20, 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between VynFi (“Processor”) and the customer (“Controller”) and governs the processing of personal data by VynFi on behalf of the customer. This DPA incorporates the Standard Contractual Clauses (SCCs) adopted by the European Commission Decision (EU) 2021/914 by reference.
1. Scope and Applicability
- This DPA applies to the processing of personal data by VynFi on behalf of the Controller in connection with the provision of the VynFi platform and API services.
- The subject matter, duration, nature, and purpose of processing, as well as the types of personal data and categories of data subjects, are described in Annex I of the Standard Contractual Clauses incorporated herein.
- This DPA applies to the extent that VynFi processes personal data subject to GDPR, UK GDPR, the Swiss Federal Act on Data Protection, or other applicable data protection laws.
2. Definitions
- “Personal Data” has the meaning given in Article 4(1) of the GDPR.
- “Processing” has the meaning given in Article 4(2) of the GDPR.
- “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
- “Subprocessor” means any third party engaged by VynFi to process personal data on behalf of the Controller.
3. Processing Instructions
- VynFi shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by EU or member state law.
- VynFi shall immediately inform the Controller if, in its opinion, an instruction infringes GDPR or other applicable data protection provisions.
- The scope of processing is limited to: account provisioning, API authentication, credit tracking, billing, transactional communications, and service monitoring.
4. Subprocessors
The Controller provides general authorization for VynFi to engage the following subprocessors. VynFi will notify the Controller of any intended changes to subprocessors at least 30 days in advance, providing the Controller an opportunity to object.
4.1 Current Subprocessors
| Subprocessor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Microsoft Azure | Cloud infrastructure, compute, storage, database hosting | US (East), EU (West Europe) | EU-US DPF, SCCs |
| Stripe, Inc. | Payment processing, subscription management, invoicing | US | EU-US DPF, SCCs |
| Twilio SendGrid | Transactional and notification email delivery | US | SCCs |
4.2 Subprocessor Obligations
- VynFi shall impose on each subprocessor, by way of a written contract, data protection obligations no less protective than those set out in this DPA.
- VynFi remains fully liable to the Controller for the performance of each subprocessor's obligations.
- If the Controller objects to a new subprocessor within 14 days of notification, VynFi shall use commercially reasonable efforts to make available an alternative or allow the Controller to terminate the affected services without penalty.
5. Security Measures
VynFi implements and maintains the following technical and organizational measures to ensure a level of security appropriate to the risk:
5.1 Encryption
- TLS 1.3 for all data in transit (API, dashboard, internal services)
- AES-256 encryption at rest for all storage (Azure Storage Service Encryption)
- Azure Key Vault for cryptographic key management with HSM backing
- Argon2id hashing for passwords and API key secrets
5.2 Access Controls
- Role-based access control (RBAC) with principle of least privilege
- Multi-factor authentication required for all VynFi personnel access
- Azure AD Privileged Identity Management for just-in-time administrative access
- Network segmentation with Azure Virtual Network and Private Endpoints
5.3 Audit Logging
- Comprehensive audit logs of all data access and administrative operations
- Tamper-evident log storage with 12-month retention
- Automated alerting on anomalous access patterns
- Regular review of access logs by security personnel
5.4 Organizational Measures
- Background checks for all personnel with access to personal data
- Annual security awareness training and GDPR compliance training
- Documented incident response plan with annual tabletop exercises
- Regular penetration testing by qualified independent third parties
6. Data Breach Notification
- VynFi shall notify the Controller of a confirmed Data Breach without undue delay and in any event within 72 hours of becoming aware of the breach, in accordance with Article 33(2) of the GDPR.
- The notification shall include, to the extent available:
  - A description of the nature of the Data Breach, including the categories and approximate number of data subjects and records concerned
  - The name and contact details of VynFi's Data Protection Officer
  - A description of the likely consequences of the breach
  - A description of the measures taken or proposed to address the breach and mitigate its effects
- VynFi shall cooperate with the Controller and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
- VynFi shall document all Data Breaches, including the facts, effects, and remedial actions taken, and make such documentation available to the Controller upon request.
- Notification of a Data Breach shall be sent to the Controller's designated security contact via email and, where available, through the VynFi dashboard notification system.
7. Data Subject Rights
- VynFi shall assist the Controller in fulfilling its obligations to respond to data subject requests under Articles 15-22 of the GDPR (access, rectification, erasure, restriction, portability, and objection).
- If VynFi receives a request directly from a data subject, VynFi shall promptly redirect the request to the Controller, unless legally prohibited from doing so.
- VynFi shall provide the Controller with self-service tools through the dashboard for data export (JSON, CSV) and account deletion to facilitate data subject rights.
- VynFi shall respond to the Controller's assistance requests within 10 business days.
8. International Transfers
- VynFi shall not transfer personal data to a country outside the EEA unless appropriate safeguards are in place, as described in Section 4 (Subprocessors).
- The Standard Contractual Clauses (Module Two: Controller to Processor) adopted by European Commission Decision (EU) 2021/914 are incorporated by reference into this DPA and shall apply to transfers of personal data to countries not covered by an adequacy decision.
- For transfers to the United States, VynFi and its subprocessors rely on the EU-US Data Privacy Framework where certified, supplemented by SCCs.
- VynFi shall conduct and document transfer impact assessments for each subprocessor located outside the EEA.
9. Audit Rights
- VynFi shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections conducted by the Controller or an independent auditor mandated by the Controller.
- Audit requests must be submitted in writing with at least 30 days' notice. Audits shall be conducted during business hours and shall not unreasonably interfere with VynFi's operations.
- VynFi shall provide the Controller with copies of relevant third-party audit reports (e.g., SOC 2 Type II) upon request, subject to confidentiality obligations.
- The Controller shall bear its own costs for audits, unless the audit reveals material non-compliance by VynFi, in which case VynFi shall bear the reasonable costs.
10. Data Deletion and Return
- Upon termination of the Service or upon the Controller's request, VynFi shall, at the Controller's choice, return all personal data to the Controller in a structured, commonly used, machine-readable format (JSON or CSV) or delete all personal data.
- Deletion shall be completed within 30 days of the request or termination, and VynFi shall certify deletion in writing.
- VynFi may retain personal data to the extent required by applicable law (e.g., billing records for tax purposes), provided that such data is isolated and protected from further processing.
11. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set forth in the Terms of Service, except that nothing in this DPA limits either party's liability for breaches of data protection law, including obligations related to data breach notification, subprocessor compliance, and data subject rights.
12. Term and Termination
- This DPA shall remain in effect for the duration of VynFi's processing of personal data on behalf of the Controller.
- The obligations of VynFi under this DPA shall survive termination to the extent necessary to complete the deletion or return of personal data and to comply with applicable law.
DPA Contact
To request a signed copy of this DPA or to raise questions, contact: dpa@vynfi.com