Data Processing Agreement

GDPR-Compliant DPA | Last Updated: October 28, 2025

1. Introduction and Purpose

This Data Processing Agreement ("DPA") is entered into between VantageML Analytics ("Processor") and the Client ("Controller") to ensure compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

This DPA supplements our Terms of Service and applies to all personal data processed by VantageML as part of providing machine learning services.

2. Definitions

  • Controller: The Client who determines the purposes and means of processing personal data
  • Processor: VantageML Analytics, who processes personal data on behalf of the Controller
  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on personal data, including collection, storage, use, or deletion
  • Sub-processor: Third-party service provider engaged by VantageML to assist in processing
  • Data Subject: Individual whose personal data is processed

3. Scope and Nature of Processing

3.1 Subject Matter

Development, deployment, and maintenance of custom machine learning models for the Controller's business operations.

3.2 Duration

Throughout the term of the service agreement and for 90 days after termination (or as specified in the agreement).

3.3 Nature of Processing

  • Collection of operational and transaction data
  • Storage and organization of training datasets
  • Analysis and transformation for model development
  • Model training and validation
  • Prediction generation via API
  • Performance monitoring and logging

3.4 Purpose of Processing

  • Training custom predictive models specific to Controller's business
  • Providing real-time predictions via API
  • Monitoring and improving model performance
  • Model retraining and updates
  • Technical support and troubleshooting

3.5 Categories of Data Subjects

  • Controller's customers and users
  • Website visitors
  • Transaction participants
  • Other individuals in Controller's operational data

3.6 Types of Personal Data

Depending on Controller's use case, may include:

  • Identifiers (customer IDs, anonymized user tokens)
  • Transaction data (purchase history, amounts, timestamps)
  • Behavioral data (browsing patterns, interactions)
  • Demographic data (age, location - if provided)
  • Technical data (IP addresses, device info - if provided)

Note: VantageML recommends and prefers anonymized/pseudonymized data. We do NOT require and discourage providing: names, email addresses, phone numbers, or other direct identifiers unless specifically necessary for the use case.

4. Controller and Processor Obligations

4.1 Controller Obligations

The Controller shall:

  • Ensure lawful basis for processing and sharing data with Processor
  • Obtain necessary consents from data subjects
  • Provide clear privacy notices to data subjects
  • Ensure data accuracy and completeness
  • Inform Processor of any data subject rights requests
  • Comply with all applicable data protection laws

4.2 Processor Obligations

VantageML shall:

  • Process personal data only on documented instructions from Controller
  • Ensure personnel are bound by confidentiality obligations
  • Implement appropriate technical and organizational measures
  • Assist Controller with data subject rights requests
  • Assist Controller with security assessments and audits
  • Delete or return data upon termination (as instructed)
  • Notify Controller of any data breaches without undue delay
  • Not engage sub-processors without Controller's authorization

5. Technical and Organizational Measures

5.1 Security Measures

VantageML implements:

  • Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
  • Access Control: Role-based access (RBAC), multi-factor authentication
  • Network Security: Firewalls, intrusion detection, DDoS protection
  • Infrastructure: SOC 2 Type II certified cloud providers
  • Monitoring: 24/7 security monitoring and logging
  • Testing: Regular penetration testing and vulnerability assessments
  • Backups: Encrypted, geographically distributed backups

5.2 Organizational Measures

  • Information security policies and procedures
  • Employee security training and awareness programs
  • Background checks for personnel with data access
  • Incident response and breach notification procedures
  • Data retention and deletion procedures
  • Vendor management and due diligence
  • Regular security audits and reviews

5.3 Data Minimization

  • Process only data necessary for specified purposes
  • Recommend pseudonymization and anonymization
  • Delete temporary data after use
  • Aggregate data where possible

6. Sub-processors

6.1 Authorization

Controller provides general authorization for VantageML to engage sub-processors. VantageML will notify Controller of any new sub-processors with 30 days' notice. Controller may object within 14 days.

6.2 Current Sub-processors

Sub-processor Service Location Purpose
Google Cloud Platform Cloud Infrastructure EU (Frankfurt/Amsterdam) Model hosting, API deployment

Note: For local deployment, no sub-processors are used for data processing.

6.3 Sub-processor Obligations

VantageML ensures all sub-processors:

  • Are bound by data protection obligations equivalent to this DPA
  • Implement appropriate security measures
  • Process data only as instructed
  • Allow audits and inspections

6.4 Liability

VantageML remains fully liable to Controller for any sub-processor's performance.

7. International Data Transfers

7.1 Data Location

  • Cloud Deployment: EU data centers (Frankfurt or Amsterdam) by default
  • Local Deployment: Controller's specified location
  • Backups: EU regions only (unless otherwise agreed)

7.2 Transfers Outside EU

If data transfers outside the EU are necessary:

  • Only with Controller's explicit authorization
  • Protected by Standard Contractual Clauses (SCCs)
  • Additional safeguards as required by GDPR
  • Documentation maintained and available upon request

8. Data Subject Rights

8.1 Assistance with Rights Requests

VantageML will assist Controller in responding to data subject requests:

  • Access: Provide data in structured, machine-readable format
  • Rectification: Correct inaccurate data
  • Erasure: Delete data upon request ("right to be forgotten")
  • Restriction: Limit processing under certain conditions
  • Portability: Export data in portable format
  • Objection: Cease processing for specific purposes

8.2 Response Timeframe

  • VantageML will respond to Controller's requests within 5 business days
  • Controller remains responsible for responding to data subjects within legal timeframes (typically 30 days)

8.3 Costs

Assistance with data subject rights requests is included in services. Excessive or repetitive requests may incur reasonable fees.

9. Data Breach Notification

9.1 Notification Obligation

In the event of a personal data breach, VantageML will:

  • Notify Controller without undue delay (within 24 hours of detection)
  • Provide all relevant information available
  • Cooperate with Controller's breach investigation
  • Take reasonable measures to mitigate harm

9.2 Breach Information

Notification will include:

  • Nature of the breach (date, time, discovery)
  • Categories and approximate number of data subjects affected
  • Categories and approximate number of personal data records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact point for further information

9.3 Controller Responsibility

Controller remains responsible for:

  • Notifying supervisory authorities (within 72 hours if required)
  • Notifying affected data subjects (if required)
  • Documenting the breach

10. Audits and Inspections

10.1 Audit Rights

Controller has the right to:

  • Request information about VantageML's data processing practices
  • Review relevant policies and procedures
  • Request evidence of compliance (certifications, audit reports)
  • Conduct on-site audits (with reasonable notice and at Controller's expense)

10.2 Audit Frequency

  • Annual audit rights (more frequent if required by law or supervisory authority)
  • Immediate audit rights in case of suspected breach

10.3 Documentation Provided

VantageML maintains and can provide:

  • SOC 2 Type II audit reports
  • Security certifications (ISO 27001, etc.)
  • Penetration test results (summary)
  • Sub-processor agreements and documentation
  • Data processing records

11. Data Retention and Deletion

11.1 Retention Periods

  • Training Data: Duration of contract + 90 days
  • API Logs: 30 days (configurable, max 90 days)
  • Model Predictions: Not stored unless explicitly requested
  • Backups: 90 days (encrypted, secure deletion thereafter)
  • Aggregated/Anonymized Data: May be retained indefinitely

11.2 Deletion Upon Termination

Upon service termination, VantageML will:

  • Delete all personal data within 90 days (or as instructed)
  • Provide certification of deletion upon request
  • Option to return data to Controller before deletion
  • Securely delete all copies, including backups

11.3 Legal Retention

VantageML may retain data longer if required by:

  • Legal obligations (tax, accounting laws)
  • Pending litigation or regulatory investigations
  • Legitimate interests (fraud prevention)

Controller will be notified of any such retention.

12. Liability and Indemnification

12.1 Mutual Liability

Each party is liable for damages caused by its own GDPR violations.

12.2 Indemnification

  • VantageML indemnifies Controller for damages caused by VantageML's breach of GDPR
  • Controller indemnifies VantageML for damages arising from Controller's unlawful processing instructions

12.3 Liability Cap

Subject to limitations in Terms of Service, except where not permitted by law.

13. Term and Termination

13.1 Term

This DPA becomes effective when services commence and remains in effect throughout the service term.

13.2 Survival

Following termination:

  • Data deletion obligations survive for 90 days
  • Confidentiality obligations survive for 5 years
  • Audit rights survive for 1 year
  • Liability provisions survive indefinitely

14. Amendments

This DPA may be amended:

  • By mutual written agreement
  • To comply with changes in data protection laws (with notice)
  • To reflect changes in sub-processors (with notice and objection rights)

Material amendments require Controller's acceptance.

15. Governing Law and Disputes

This DPA is governed by:

  • GDPR: General Data Protection Regulation (EU) 2016/679
  • Local Law: Latvian data protection laws
  • Disputes: As specified in Terms of Service

16. Contact for DPA Matters

Data Protection Contact

VantageML Analytics

Daniels Bondars

Email: requests@vantageml.com

Subject: "DPA Inquiry" or "Data Protection"

Location: Riga, Latvia (EU)

Back to Home