Data Processing Addendum

This Data Processing Addendum ("DPA") is incorporated into the Vaultrice Terms of Service ("Terms") between you, the Customer ("Controller"), and inweso Ltd liab. Co ("Processor"). This DPA applies to the extent that we process Personal Data on your behalf in the course of providing the Service.

1. Definitions

Terms not otherwise defined herein shall have the meaning as set forth in the Terms. Capitalized terms used in this DPA shall have the meanings given to them below:

  • "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under the Agreement, including but not limited to the EU General Data Protection Regulation 2016/679 ("GDPR") and the Swiss Federal Act on Data Protection ("FADP").
  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation or set of operations which is performed on Personal Data.
  • "Controller" and "Processor" have the meanings given to them in the Applicable Data Protection Law.
  • "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
  • "Subprocessor" means any third-party processor engaged by inweso Ltd liab. Co to process Personal Data.

2. Scope and Purpose of Processing

  1. Roles of the Parties: The parties acknowledge that for the purpose of this DPA, the Customer is the Controller and inweso Ltd liab. Co is the Processor of any Personal Data stored in the Service by the Customer.
  2. Details of Processing: The subject matter, duration, nature, and purpose of the Processing, as well as the types of Personal Data and categories of data subjects, are described in Annex 1 of this DPA.

3. Processor's Obligations

inweso Ltd liab. Co, as the Processor, agrees to:

  1. Process Personal Data only on the documented instructions of the Controller (as set out in the Terms and this DPA), unless required to do so by applicable law.
  2. Ensure that all personnel authorized to process Personal Data are subject to a strict duty of confidentiality.
  3. Implement and maintain the appropriate technical and organizational measures to protect the security of Personal Data, as detailed in Annex 2.
  4. Promptly notify the Controller of any requests from data subjects to exercise their rights under Applicable Data Protection Law and provide reasonable assistance to the Controller in responding to such requests.
  5. Provide reasonable assistance to the Controller in ensuring compliance with its obligations regarding data security and data protection impact assessments.
  6. Where required by law, Mr. Adriano Raiano Director, inweso Ltd liab. Co Email: privacy@vaultrice.com has been appointed as Data Protection Officer.

4. Subprocessing

  1. Authorization: The Controller provides a general authorization for the Processor to engage Subprocessors to process Personal Data.
  2. Current Subprocessors: The Processor's current list of Subprocessors is detailed in Annex 3.
  3. Notification of New Subprocessors: The Processor will notify the Controller of any intended changes concerning the addition or replacement of Subprocessors. The Controller may object to such changes on reasonable data protection grounds.

5. Security Incidents

Upon becoming aware of a Security Incident, the Processor will notify the Controller without undue delay and will provide timely information and cooperation as the Controller may require to fulfill its data breach reporting obligations under Applicable Data Protection Law.

6. International Data Transfers

Our Service is built on a global network, and your data may be stored and processed in countries outside of Switzerland. We take steps to ensure your data is protected when transferred internationally.

  • Our primary infrastructure provider, Cloudflare, operates a global network. While we prioritize European data centers where possible, data may be routed globally for performance and resilience.
  • Other subprocessors, such as Stripe, Amazon Web Services, and Google, also operate globally.

For any transfers of personal data to countries that may not have a level of data protection equivalent to Switzerland's, we rely on appropriate legal safeguards, primarily the Standard Contractual Clauses (SCCs) approved by the European Commission and recognized by the Swiss Federal Data Protection and Information Commissioner (FDPIC). These clauses contractually oblige the receiving party to protect your data with standards equivalent to those in Switzerland and the EU.

7. Audits

Upon reasonable request, the Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA and contribute to audits.

8. Termination

Upon termination of the Service, the Processor shall, at the choice of the Controller, delete all Personal Data stored in the Service, and delete existing copies unless applicable law requires storage of the Personal Data.

9. Governing Law

This DPA shall be governed by the laws of Switzerland. The exclusive place of jurisdiction shall be the courts of the canton of Thurgau.

Annex 1: Details of Processing

  • Subject Matter: The provision of the Vaultrice key-value storage service as described in the Terms.
  • Duration of Processing: For the duration of the Customer's subscription to the Service, until termination in accordance with the Terms.
  • Nature and Purpose of Processing: To store, manage, and synchronize application state and data as directed by the Controller through their use of the Service.
  • Categories of Data Subjects: End-users, employees, customers, or other individuals whose data the Controller chooses to store in the Service.
  • Types of Personal Data: Any Personal Data that the Controller chooses to upload, store, and process within the Service. The Controller is solely responsible for the types of data they store.

Annex 2: Technical and Organizational Measures

The Processor implements the following measures to ensure the security of the Processing:

  1. Data Encryption:
    • In Transit: All data transmitted between the client and the Service is encrypted using industry-standard TLS.
    • At Rest: All data is encrypted at rest on our infrastructure provider's platform (Cloudflare). Additionally, sensitive account information (e.g., username, email) and system secrets (e.g., API keys, public keys) are subject to a second layer of application-level encryption. Passwords and API secrets are stored as salted hashes.
  2. Access Control:
    • Access to production systems is strictly limited to authorized personnel on a least-privilege basis.
    • Multi-Factor Authentication (MFA) is enforced for all access to critical infrastructure.
  3. Personnel Security:
    • All employees are subject to confidentiality agreements.
    • All employees complete security and privacy training and are kept up-to-date on best practices.
  4. Incident Response:
    • In the event of a Security Incident, we will promptly investigate the matter, take necessary steps to mitigate any effects and remediate the cause, and notify affected Controllers without undue delay.
  5. Service Integrity and Availability:
    • The Service is built on Cloudflare's highly available, resilient global network, designed to withstand failures and ensure continuous operation.

Annex 3: Subprocessors

SubprocessorPurposeLocation
Cloudflare, Inc.Core cloud infrastructure, hosting, data storage, and networking.Global (EU preferred)
Stripe, Inc.Payment and billing processing.Global
Amazon Web Services, Inc.Transactional email delivery (SES) and internal company email (Workmail).Global (EU preferred)
Google LLCWebsite analytics for vaultrice.com.Global
GitHub, Inc.Hosting for the marketing website vaultrice.com.Global

Change Log

July 18, 2025

  • first version