Data Processing Agreement

Version 1.0 | Effective: January 2025

Download PDF

Introduction

This Data Processing Agreement ("DPA") forms part of the Agreement between Vertos AI, Inc. ("Processor" or "Vertos AI") and the entity agreeing to these terms ("Controller" or "Customer") for the provision of the Vertos AI platform services.

This DPA reflects the parties' agreement regarding the processing of Personal Data in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person as defined in GDPR Article 4(1).
  • "Processing" means any operation performed on Personal Data as defined in GDPR Article 4(2).
  • "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
  • "Sub-processor" means any processor engaged by Vertos AI to process Personal Data on behalf of the Customer.
  • "Services" means the Vertos AI platform and related services provided under the Agreement.
  • "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

2. Scope and Purpose of Processing

2.1 Subject Matter

Vertos AI will process Personal Data solely for the purpose of providing the Services as described in the Agreement and as further instructed by the Customer in writing.

2.2 Categories of Data Subjects

  • Customer's employees and contractors
  • Customer's clients and business contacts
  • Customer's end users and leads
  • Individuals whose data appears in job or transaction records

2.3 Types of Personal Data

  • Contact information (names, email addresses, phone numbers, addresses)
  • Business transaction data (job details, service records)
  • Financial data (invoice amounts, payment references - not full card numbers)
  • Scheduling data (appointments, availability)
  • Communication data (messages, notes)
  • Usage data (access logs, feature usage)

2.4 Duration of Processing

Processing will continue for the duration of the Agreement plus 30 days for data export, unless otherwise required by applicable law or requested by the Customer.

3. Obligations of Vertos AI (Processor)

Vertos AI shall, in accordance with GDPR Article 28:

  • Process Personal Data only on documented instructions from the Customer, unless required by applicable law
  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality
  • Implement appropriate technical and organizational security measures as described in Section 4
  • Not engage another processor (Sub-processor) without prior specific or general written authorization
  • Assist the Customer in responding to Data Subject requests under GDPR Articles 15-22
  • Assist the Customer in ensuring compliance with obligations under GDPR Articles 32-36
  • At the Customer's choice, delete or return all Personal Data after the end of services
  • Make available to the Customer all information necessary to demonstrate compliance with Article 28
  • Allow for and contribute to audits, including inspections, conducted by the Customer or an appointed auditor

4. Security Measures

Vertos AI implements the following technical and organizational measures to ensure an appropriate level of security (GDPR Article 32):

  • Encryption: TLS 1.3 for all data in transit; AES-256 encryption for data at rest
  • Access Control: Role-based access controls; multi-factor authentication; principle of least privilege
  • Network Security: Firewalls; intrusion detection systems; DDoS protection
  • Infrastructure Security: Enterprise-grade hosting with physical security controls
  • Personnel Security: Background checks; security awareness training; confidentiality agreements
  • Business Continuity: Daily backups with 30-day retention; disaster recovery procedures
  • Incident Response: Documented breach detection and notification procedures

5. Sub-processors

5.1 Authorization

Customer provides general authorization for Vertos AI to engage Sub-processors listed in Annex A (Sub-processors). Vertos AI will notify Customer of any intended changes to Sub-processors, giving Customer 30 days to object on reasonable grounds.

5.2 Sub-processor Obligations

Vertos AI will ensure that each Sub-processor is bound by data protection obligations no less protective than those in this DPA. Vertos AI remains fully liable for the performance of Sub-processors.

6. Data Subject Rights

Vertos AI will assist the Customer in fulfilling its obligations to respond to Data Subject requests under GDPR Articles 15-22, including:

  • Right of Access (Article 15) - confirmation and copy of Personal Data
  • Right to Rectification (Article 16) - correction of inaccurate data
  • Right to Erasure (Article 17) - deletion ("right to be forgotten")
  • Right to Restriction (Article 18) - limiting processing
  • Right to Portability (Article 20) - data export in structured format
  • Right to Object (Article 21) - objection to certain processing

7. Data Breach Notification

In the event of a Personal Data breach, Vertos AI will:

  • Notify Customer without undue delay, and in any case within 48 hours of becoming aware
  • Provide all reasonably available information about the nature and scope of the breach
  • Take immediate steps to contain and mitigate the breach
  • Cooperate with Customer's incident response and investigation
  • Document the breach, its effects, and remediation measures taken
  • Assist Customer in meeting its notification obligations under GDPR Articles 33-34

8. International Data Transfers

Personal Data may be transferred to countries outside the European Economic Area (EEA). Vertos AI ensures appropriate safeguards through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914)
  • Participation in the EU-US Data Privacy Framework where applicable
  • Supplementary measures as required following Schrems II (transfer impact assessments)
  • Data localization options for Enterprise customers upon request

8.1 Data Processing Locations

Customer data is currently processed in the following locations:

  • Primary Database: United States (AWS us-east-1, Virginia)
  • Application Servers: United States (Vercel US East)
  • Content Delivery: Global edge network (static assets only, no PII)

8.2 Customer Rights Regarding Data Location

Customers have the following rights regarding their data location:

  • Request information about where their data is processed
  • Receive documentation of data transfer safeguards upon request
  • Enterprise customers may request regional deployment options (subject to availability)
  • Object to new sub-processors within 30 days of notification

For detailed information about our data processing infrastructure and locations, see our Data Residency Documentation.

9. Audit Rights

Upon reasonable written notice (minimum 30 days), Customer may audit Vertos AI's compliance with this DPA:

  • Vertos AI will provide access to relevant documentation, policies, and systems
  • Relevant personnel will be made available for interviews
  • On-site inspections may be conducted subject to confidentiality obligations and security protocols
  • Vertos AI will provide copies of third-party audit reports (penetration tests, security assessments) upon request
  • Audits shall be conducted during normal business hours and shall not unreasonably interfere with operations

10. Term and Termination

This DPA remains in effect for the duration of the Agreement. Upon termination:

  • Customer may request return of all Personal Data in a standard format within 30 days
  • After the 30-day period, Vertos AI will securely delete all Personal Data
  • Vertos AI will provide written certification of deletion upon request
  • Obligations under this DPA survive termination to the extent necessary for their enforcement

Annex A: Sub-processors

Current list of authorized Sub-processors. For the most up-to-date list, visit our Sub-processors page.

Sub-processor | Purpose | Location
Vercel Inc. | Cloud hosting, CDN, serverless functions | United States (US East)
Neon, Inc. | PostgreSQL database hosting | United States (AWS us-east-1)
Clerk, Inc. | Authentication and identity management | United States
Stripe, Inc. | Payment processing and billing | United States
Resend, Inc. | Transactional email delivery | United States
Sentry (Functional Software, Inc.) | Error tracking and monitoring | United States

Last updated: January 2025

How to Execute This DPA

Enterprise Customers

  1. Download the PDF version using the button above
  2. Complete the Customer signature block with your details
  3. Email the signed document to legal@vertosai.com
  4. We will countersign and return the fully executed DPA within 5 business days

Self-Service Customers

By accepting our Terms of Service, you automatically incorporate this DPA by reference. No separate signature is required.

Contact

For DPA-related inquiries: