XXV. VAMBLE DATA PROCESSING AGREEMENT (DPA) FOR VENDORS & PARTNERS
This Data Processing Agreement (“DPA”) applies to any vendor, contractor, service provider, or partner (“Vendor”) that Processes Personal Data on behalf of Vamble, Inc. (“Vamble”) in connection with the Platform, and is incorporated by reference into, and forms part of, the services agreement, master services agreement, statement of work, or other written contract between Vamble and Vendor that governs Vendor’s services (the “Agreement”). If there is a conflict between this DPA and the Agreement regarding Processing of Personal Data, this DPA controls.
1. DEFINITIONS
1.1 Applicable Data Protection Law
“Applicable Data Protection Law” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including as applicable: the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”); the UK GDPR and the UK Data Protection Act 2018; Swiss data protection law; the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”); and other U.S. state privacy laws where applicable.
1.2 Defined Terms from Applicable Data Protection Law
- Controller: “Controller” means the party that determines the purposes and essential means of Processing Personal Data.
- Processor: “Processor” means the party that Processes Personal Data on behalf of a Controller.
- Personal Data: “Personal Data” means any information relating to an identified or identifiable natural person, including “personal information” (or similar terms) as defined by Applicable Data Protection Law.
- Process: “Process” or “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure, or destruction.
- Data Subject: “Data Subject” means the individual to whom Personal Data relates.
1.3 Where CCPA/CPRA or similar U.S. state privacy law applies:
- Service Provider: “Service Provider” means a person or entity that Processes Personal Information on behalf of a business for specified business purposes pursuant to a written contract restricting use of the data as required by law.
- Contractor: “Contractor” means a person or entity that receives Personal Information from a business for a business purpose pursuant to a written contract restricting use of the data as required by law.
- Vamble Data: “Vamble Data” means any data (including Personal Data) that Vamble discloses or makes available to Vendor, or that Vendor collects or generates, in each case in connection with Vendor’s services for Vamble.
- Security Incident: “Security Incident” means any actual or reasonably suspected unauthorized access to, acquisition of, disclosure of, or loss of Personal Data Processed by Vendor (including a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data).
- Sub-Processor: “Sub-Processor” means any third party engaged by Vendor to Process Personal Data on behalf of Vamble.
2. ROLES; SCOPE
2.1 Roles
As between the Parties, Vamble is the Controller of Personal Data Processed under the Agreement (unless the Parties expressly agree otherwise in writing for a specific use case), and Vendor is a Processor (and, where applicable under U.S. privacy laws, a Service Provider or Contractor) that Processes Personal Data on behalf of Vamble.
2.2 Scope
This DPA applies only to Processing in which Vendor Processes Personal Data on Vamble’s behalf. It does not govern disclosures to third parties acting as independent controllers, which are addressed in Vamble’s Privacy Policy and governed by separate agreements.
3. PROCESSING INSTRUCTIONS
3.1 Documented Instructions
Vendor will Process Personal Data only on Vamble’s documented instructions, including those set out in the Agreement, this DPA, and documented instructions communicated by Vamble from time to time (including via ticketing systems, email, or an admin console).
3.2 Conflicting Instructions
If Vendor believes an instruction violates Applicable Data Protection Law, Vendor will promptly notify Vamble (unless prohibited by law) and will not implement the instruction until the Parties agree on a lawful approach.
3.3 Details of Processing
The subject matter, duration, nature and purpose of Processing, categories of Personal Data, and categories of Data Subjects are described in Exhibit A.
4. CONFIDENTIALITY; PERSONNEL
4.1 Confidentiality
Vendor will ensure that all personnel authorized to Process Personal Data are bound by confidentiality obligations at least as protective as those in the Agreement and are trained regarding appropriate data handling and security.
4.2 Access Limitation
Vendor will limit access to Personal Data to personnel who need it to perform the services.
5. SECURITY MEASURES
5.1 Technical and Organizational Measures
Vendor will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against Security Incidents and to preserve the confidentiality, integrity, and availability of Personal Data, consistent with industry standards and the risk presented by the Processing. Vendor’s baseline measures are described in Exhibit B (Security Exhibit).
5.2 No Material Degradation
Vendor will not materially decrease the overall security of the services during the term of the Agreement.
5.3 Segregation
Vendor will logically segregate Vamble Personal Data from data of other customers to prevent unauthorized cross-customer access.
6. SECURITY INCIDENTS; NOTICE; COOPERATION
6.1 Incident Notice
Vendor will notify Vamble without undue delay and in any event within forty-eight (48) hours after becoming aware of a Security Incident affecting Personal Data.
6.2 Content of Notice
To the extent known at the time, Vendor’s notice will include: (a) the nature of the Security Incident; (b) categories and approximate number of affected Data Subjects and records; (c) likely consequences; (d) mitigation steps taken or proposed; and (e) a point of contact for follow-up. Vendor will supplement information as it becomes available.
6.3 Investigation and Mitigation
Vendor will promptly investigate the Security Incident, take reasonable steps to contain and remediate it, and cooperate with Vamble’s reasonable requests relating to the Security Incident, including supporting notifications required by law.
6.4 No Public Statements
Vendor will not make public statements, notices, or filings regarding a Security Incident involving Vamble Personal Data without Vamble’s prior written approval, except where required by law.
7. SUB-PROCESSORS
7.1 Authorization Model
Vendor is authorized to engage Sub-Processors as follows:
- Vendor may engage Sub-Processors listed on Vendor’s current Sub-Processor list (the “Sub-Processor List”) and will keep the Sub-Processor List available to Vamble upon request.
- For any new or replacement Sub-Processor that will Process Vamble Personal Data, Vendor will provide advance notice at least thirty (30) days before the change becomes effective (or a shorter period where required to avoid interruption of services, security risk, or legal compliance issues, in which case Vendor will provide notice as early as practicable).
7.2 Objection Right
Vamble may reasonably object in writing to a new or replacement Sub-Processor within fifteen (15) days of notice on data protection grounds. If the Parties cannot resolve the objection in good faith within a reasonable time, Vendor will, at Vamble’s option: (i) use commercially reasonable efforts to provide the services without the disputed Sub-Processor, or (ii) allow Vamble to terminate the affected services without penalty upon written notice.
7.3 Flow-Down Terms
Vendor will impose written terms on Sub-Processors that are no less protective than this DPA (including confidentiality, security, breach notification, and transfer requirements).
7.4 Liability
Vendor remains fully responsible for its Sub-Processors’ performance and compliance with this DPA.
8. DATA SUBJECT REQUESTS; ASSISTANCE
8.1 Data Subject Requests
Vendor will promptly (and in any event within five (5) business days) notify Vamble if Vendor receives a request from a Data Subject, regulator, or other third party relating to Personal Data (e.g., access, deletion, correction, portability, objection), and will not respond except on Vamble’s documented instructions or as required by law.
8.2 Assistance
Taking into account the nature of the Processing, Vendor will provide reasonable assistance to Vamble to fulfill Data Subject requests and to comply with Controller obligations under Applicable Data Protection Law (including privacy impact assessments, security consultations, and prior consultations with regulators), with costs reimbursed where assistance requires material effort beyond the contracted services.
9. AUDIT; REPORTING; COMPLIANCE EVIDENCE
9.1 Audit Materials
Upon request, Vendor will provide reasonable information necessary to demonstrate compliance with this DPA, which may include: current SOC 2 Type II reports, ISO 27001 certificates, independent penetration test summaries (with sensitive details redacted), security policies, and completed security questionnaires.
9.2 On-Site Audits
Where (a) Vamble has reasonable grounds to believe Vendor is non-compliant with this DPA, (b) an on-site audit is required by Applicable Data Protection Law or a regulator with jurisdiction over Vamble, or (c) Vendor cannot provide reasonable alternative evidence, Vamble may conduct an on-site audit of Vendor’s facilities and systems relevant to the Processing, subject to: (i) at least thirty (30) days’ prior written notice (unless legally required sooner); (ii) reasonable confidentiality and security requirements; (iii) business-hours access; and (iv) limitations to avoid disruption and exposure of other customers’ data.
9.3 Frequency
On-site audits will occur no more than once annually unless triggered by a Security Incident, substantiated non-compliance, or a legal/regulatory requirement.
9.4 Auditor
Vamble may use an independent auditor bound by confidentiality. Vendor may require execution of reasonable audit access terms.
10. INTERNATIONAL TRANSFERS; SCCS; UK/SWISS ADDENDA
10.1 Transfer Restrictions
Vendor will not transfer Personal Data to a country outside the EEA/UK/Switzerland unless it implements an approved transfer mechanism required by Applicable Data Protection Law.
10.2 EU SCCs
Where a transfer of Personal Data from the EEA to a country that is not subject to an adequacy decision requires appropriate safeguards under GDPR, the Parties agree that the EU Standard Contractual Clauses (“EU SCCs”) are incorporated by reference as Exhibit C and are deemed executed and implemented between the Parties. The EU SCCs will apply using Module Two (Controller-to-Processor) or Module Three (Processor-to-Processor), as applicable based on the Parties’ roles in the relevant transfer. For purposes of the EU SCCs, the Data Exporter is the Party established in the EEA that transfers (or makes available) the Personal Data, and the Data Importer is the receiving Party, each as identified for the applicable transfer in Exhibit C and its Annexes.
10.3 Data Importer: Vendor (and, where applicable, Vendor’s Sub-Processor).
10.4 Appendix/Annexes
Exhibit A (Processing Details) and Exhibit B (Security Measures) serve as the relevant annexes.
10.5 Docking clause: enabled.
10.6 Supervisory authority
The authority of Vamble’s main EU establishment, or if none, the authority determined under GDPR.
10.7 UK Transfers
Where UK GDPR applies to a restricted transfer from the UK, the EU SCCs will apply as modified by the UK International Data Transfer Addendum (the “UK Addendum”), which is incorporated by reference as part of Exhibit C. The Parties will treat the UK Addendum as completed with the information in Exhibit A and Exhibit B.
10.8 Swiss Transfers
Where Swiss law applies, the EU SCCs will apply with modifications required by Swiss law (including references to the Swiss Federal Data Protection and Information Commissioner where applicable) and are incorporated by reference in Exhibit C.
10.9 Additional Safeguards
If required, Vendor will implement supplementary measures to address transfer risks, consistent with legal guidance and the Parties’ risk assessment.
11. RETURN; DELETION; RETENTION
11.1 Return/Deletion at Termination
Upon termination or expiration of the services, Vendor will, at Vamble’s choice, return or delete all Personal Data Processed on Vamble’s behalf, and delete existing copies within thirty (30) days, unless retention is required by law.
11.2 Legal Retention
If Vendor must retain Personal Data to comply with law, Vendor will: (a) notify Vamble of the legal requirement (unless prohibited); (b) continue to protect the retained data under this DPA; and (c) delete the data as soon as legally permissible.
11.3 Backups
Vendor may retain Personal Data in backups for limited periods consistent with Vendor’s standard backup and disaster recovery policies, provided backups are secured and data is not actively Processed except for restore purposes.
12. CCPA/CPRA AND U.S. STATE PRIVACY TERMS
To the extent CCPA/CPRA applies and Vendor receives Personal Information from Vamble, Vendor will act as a “service provider” or “contractor” and will:
- Process the Personal Information only for the purposes of performing services for Vamble and as permitted by CCPA/CPRA;
- Not “sell” or “share” Personal Information (as those terms are defined by CCPA/CPRA);
- Not retain, use, or disclose Personal Information for any purpose other than performing the services specified in the Agreement, including not for Vendor’s commercial purposes outside the direct business relationship with Vamble;
- Not combine Personal Information received from Vamble with Personal Information obtained from other sources except as permitted by CCPA/CPRA; and
- Provide the same level of privacy protection as required by CCPA/CPRA and notify Vamble if Vendor can no longer meet those obligations.
13. ORDER OF PRECEDENCE; CHANGES
13.1 Precedence
This DPA controls solely with respect to Processing of Personal Data.
13.2 Updates
The Parties may update this DPA in writing to reflect changes in Applicable Data Protection Law, transfer mechanisms, or security requirements.
14. CONTACT
Questions or notices under this DPA: privacy@vamble.com.