Vestora Inc. · Legal
Data Processing Addendum
Last updated June 8, 2026
This Data Processing Addendum (“DPA”) forms part of the agreement between the customer (“Controller”) and Vestora Inc. (“Processor”, “Vestora”) for the Service. It reflects Article 28 GDPR / UK GDPR. Where signed as a contract annex, the signature block and the customer’s details complete it.
1. Roles & scope
The Controller determines the purposes and means of processing its Customer Data; Vestora processes that data only as a Processor, on the Controller’s documented instructions (including instructions given through the Service’s settings and use), to provide the Service. Use of the Service constitutes the Controller’s instructions; Vestora processes Customer Data for any other purpose only with the Controller’s written agreement or where required by law.
2. Subject-matter & details of processing (Annex A)
- Subject matter — provision of the CRM Service.
- Duration — for the term of the agreement, plus deletion/return period.
- Nature & purpose — hosting, storage, organisation, retrieval, and AI-assisted processing of relationship data on the Controller’s instruction.
- Categories of data — business-contact identifiers (names, emails, roles, companies), interaction history and notes, and any content the Controller chooses to store.
- Data subjects — the Controller’s investors, analysts, press, prospects and other business contacts, and the Controller’s own users.
3. Processor obligations
- Process Customer Data only on documented instructions, and inform the Controller if an instruction appears to infringe data-protection law.
- Ensure persons authorised to process the data are bound by confidentiality.
- Implement appropriate technical and organisational security measures (Annex B).
- Assist the Controller, where reasonable, in responding to data-subject requests and in meeting its security, breach-notification and DPIA obligations.
- At the Controller’s choice, delete or return Customer Data at the end of the engagement, save where retention is legally required.
- Make available information reasonably necessary to demonstrate compliance, and allow for audits as set out below.
4. Sub-processors
The Controller authorises Vestora to engage the sub-processors listed in the Privacy Policy (hosting: Hetzner; and, only where the Controller enables them, AI and email/calendar providers). Vestora imposes data-protection terms on each sub-processor no less protective than this DPA, and remains liable for their performance. Vestora will give the Controller prior notice of any intended addition or replacement of a sub-processor and allow a reasonable period to object.
5. International transfers
Data is hosted in the EU. For any transfer outside the EEA/UK, the parties rely on the EU Standard Contractual Clauses (and the UK Addendum where applicable), which are incorporated by reference.
6. Security measures (Annex B)
- Per-customer isolation: a dedicated database and application stack per customer.
- Encryption in transit (TLS); encryption at rest of sensitive secrets using AES-256-GCM.
- Access controls: authenticated access, optional two-factor authentication, and least-privilege administrative access over key-only SSH.
- Network controls: firewalling, brute-force protection, and restricted public surface.
- Breach response: notification to the Controller without undue delay (and, per the MSA, within 24 hours) on becoming aware of a personal-data breach.
- Regular review of controls.
7. Personal-data breach
Vestora will notify the Controller without undue delay (and within any shorter period the MSA specifies) after becoming aware of a personal-data breach affecting Customer Data, providing the information reasonably available to it to help the Controller meet its own notification duties.
8. Audit
Vestora will respond to reasonable Controller requests for information to verify compliance, and will permit audits (on reasonable notice, no more than annually absent cause, subject to confidentiality) where required by Article 28.
9. Deletion & return
On termination, the Controller may export Customer Data for a reasonable period. Thereafter Vestora deletes it from the live environment within a reasonable period, subject to legal retention requirements.
10. Liability & precedence
Liability under this DPA is subject to the limitations in the agreement / MSA. If this DPA conflicts with the agreement on data-protection matters, this DPA controls. All other terms of the agreement remain in effect.