Last updated · 2026-04-23
This addendum applies to Vectis when processing personal data on behalf of a customer (the controller). It supplements the terms of service and the privacy policy.
You are the data controller. Vectis is the data processor. Vectis processes personal data only on your documented instructions, as required by the service.
Current sub-processors:
Specific vendors are listed on request. Changes are announced thirty days in advance via email to account admins.
See the security page for baseline controls. A summary of technical and organizational measures is available on request.
Where personal data is transferred outside the EEA or the UK, we rely on Standard Contractual Clauses. Where a sub-processor falls under a qualifying adequacy decision, that is used instead.
We assist the controller in responding to access, deletion, rectification, and portability requests. Routing these requests through the controller keeps the chain clean.
We notify the controller without undue delay on confirmation of a personal data breach affecting the controller's data, and at most within seventy-two hours of confirmation.
On termination, personal data is deleted or returned within thirty days, except where retention is required by law.
A countersigned copy of this addendum is available on request via contact.