1. Overview
This DPA reflects VastConfluence's commitment to processing Personal Data lawfully, fairly, and transparently across all jurisdictions where our Services are used. It is structured to satisfy Article 28 of Regulation (EU) 2016/679 (the "EU GDPR"), Article 28 of the UK General Data Protection Regulation (the "UK GDPR"), the Swiss Federal Act on Data Protection ("FADP," as revised), and the requirements imposed on "service providers" under the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), as well as applicable provisions of the Brazilian LGPD, Canadian PIPEDA and Quebec Law 25, Japanese APPI, Australian Privacy Act, and Singapore PDPA.
2. Parties & Acceptance
2.1 Parties
This DPA is entered into between:
- Customer, the party identified in the Account record of the Services and accepting this DPA, acting as the data exporter or controller (or, where the Customer is itself a processor of its own customer's data, as processor on behalf of its own controller); and
- VastConfluence LLC, a Wyoming limited liability company with its registered office in Wyoming, United States, acting as data importer or processor (or, where applicable, sub-processor).
2.2 Acceptance
This DPA is automatically incorporated into the Terms of Service when Customer subscribes to a paid plan that involves the processing of Personal Data on Customer's behalf. No separate signature is required for the DPA to take effect, but Customer may obtain a counter-signed copy by completing the form at vastconfluence.com/legal/dpa-countersign. The counter-signed copy has the same legal effect as this online version.
2.3 Hierarchy
This DPA prevails over conflicting terms in the underlying Terms of Service with respect to data-protection matters. Any data-protection terms imposed by Customer that purport to vary this DPA unilaterally (for example, in Customer's purchase order, vendor questionnaire response, or click-through procurement portal) have no effect unless agreed in writing and signed by both parties.
3. Definitions
Capitalized terms used and not defined in this DPA have the meanings given in the Terms of Service. The following definitions apply throughout this DPA. Where a term is defined in EU GDPR, UK GDPR, or CCPA/CPRA, that term carries its statutory meaning when applied in the relevant jurisdictional context.
- "Applicable Data Protection Law" means all data-protection and privacy laws applicable to the processing of Personal Data under this DPA, including the EU GDPR, UK GDPR, Swiss FADP, CCPA/CPRA, LGPD, PIPEDA, Quebec Law 25, APPI, Australian Privacy Act, Singapore PDPA, and any successor or replacement legislation.
- "Controller," "Processor," "Sub-processor," "Data Subject," "Personal Data," "Processing," and "Special Categories of Personal Data" have the meanings given in EU GDPR (or, where applicable, UK GDPR or Swiss FADP).
- "Business," "Service Provider," "Contractor," "Sale," "Share," "Sensitive Personal Information," and "Consumer" have the meanings given in CCPA/CPRA when applied to processing subject to that law.
- "Customer Personal Data" means Personal Data that VastConfluence processes on behalf of Customer in connection with the Services.
- "EU SCCs" means the Standard Contractual Clauses approved by the European Commission in Implementing Decision (EU) 2021/914, as may be amended.
- "UK Addendum" means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office under section 119A of the UK Data Protection Act 2018, as may be amended.
- "UK IDTA" means the International Data Transfer Agreement issued by the UK Information Commissioner's Office, as may be amended.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
- "Restricted Transfer" means a transfer of Personal Data subject to transfer restrictions under Applicable Data Protection Law (including transfers from the EEA, UK, or Switzerland to a country not deemed adequate).
- "Supervisory Authority" means an independent public authority responsible for supervising compliance with Applicable Data Protection Law.
- "Standard Contractual Clauses" or "SCCs" means, depending on context, the EU SCCs, UK IDTA, UK Addendum, or Swiss SCCs (i.e., the EU SCCs as adapted by the Swiss Federal Data Protection and Information Commissioner).
4. Scope & Roles
4.1 Scope
This DPA applies to all processing of Customer Personal Data carried out by VastConfluence in the course of providing the Services. It does not apply to:
- Personal Data that VastConfluence processes as a Controller for its own purposes (such as Account contact information, billing data, and security logs), which is governed by our Privacy Policy.
- Customer Personal Data that Customer chooses to process outside the Services using its own infrastructure or third-party tools.
- Aggregated, de-identified, or anonymized data that no longer constitutes Personal Data under Applicable Data Protection Law.
4.2 Roles
For Customer Personal Data processed under this DPA:
- Where Customer is a Controller of Customer Personal Data, VastConfluence is its Processor.
- Where Customer is itself a Processor (for example, where Customer is a digital agency operating TechNanny on behalf of its own end clients), VastConfluence is a Sub-processor of those end clients' data, and Customer warrants that it has the Controller's authorization to engage VastConfluence as Sub-processor.
- Where applicable, VastConfluence is a "Service Provider" under CCPA/CPRA.
4.3 Independent Controller Activities
VastConfluence is an independent Controller (not Processor) for Personal Data it processes for its own legitimate business purposes, including: (i) account administration, billing, and tax compliance, (ii) provision and security of the Services in general (as opposed to handling Customer-specific content), (iii) responding to support requests, (iv) compliance with legal obligations, (v) detection and prevention of fraud and abuse, and (vi) aggregated product analytics that do not identify Data Subjects.
5. Processing Details
The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are described in Annex I. Customer is responsible for ensuring that its description of Customer Personal Data in Annex I (and the use case implemented through the Services) is accurate, lawful, and reflects an appropriate lawful basis for the processing.
6. Customer Instructions & Lawful Basis
6.1 Documented Instructions
VastConfluence will process Customer Personal Data only on documented instructions from Customer, including with regard to transfers to third countries or international organizations, unless required to do so by law applicable to VastConfluence. The Terms of Service, this DPA, the configuration choices Customer makes within the Services, and any further written instructions agreed by both parties together constitute Customer's complete and final instructions.
6.2 Notification of Conflicting Law
If VastConfluence is required by EU, EU Member State, UK, U.S., or other applicable law to process Customer Personal Data in a manner inconsistent with Customer's instructions, VastConfluence will inform Customer of that legal requirement before processing, unless that law prohibits such notice on important grounds of public interest.
6.3 Notification of Unlawful Instructions
VastConfluence will inform Customer immediately if, in its opinion, an instruction infringes Applicable Data Protection Law. VastConfluence is not obligated to perform a comprehensive legal review of Customer's instructions, and any failure to notify does not relieve Customer of its responsibility for the lawfulness of its instructions.
6.4 Customer Lawful Basis
Customer warrants that (i) it has the right to disclose Customer Personal Data to VastConfluence and to authorize the processing described in this DPA, (ii) it has obtained all consents and provided all notices required under Applicable Data Protection Law, and (iii) the processing instructions issued to VastConfluence are lawful.
7. VastConfluence's Processing Obligations
VastConfluence will:
- process Customer Personal Data only on documented instructions from Customer;
- ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations as described in Section 8;
- implement appropriate technical and organizational measures as described in Section 9 and Annex II;
- respect the conditions for engaging Sub-processors as described in Section 10;
- taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer's obligations to respond to Data Subject requests as described in Section 11;
- assist Customer in ensuring compliance with the obligations relating to security, breach notification, DPIAs, and prior consultation as described in Sections 9, 12, and 13;
- at Customer's choice, delete or return all Customer Personal Data after the end of the provision of services, as described in Section 14; and
- make available to Customer all information necessary to demonstrate compliance with Article 28 EU GDPR and equivalent provisions, and allow for and contribute to audits as described in Section 15.
8. Confidentiality of Personnel
VastConfluence ensures that any person it authorizes to process Customer Personal Data has committed themselves to confidentiality or is under an appropriate statutory obligation of confidentiality. VastConfluence limits access to Customer Personal Data to personnel who require such access for the performance of their duties, and who have completed training on data-protection and security obligations relevant to their role. Confidentiality obligations survive the termination of employment or contractor engagement.
9. Security of Processing
9.1 Technical and Organizational Measures
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, VastConfluence implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These measures are described in Annex II.
9.2 Updates to Measures
VastConfluence may update Annex II from time to time to reflect changes in the threat landscape, technology, and operational practice, provided the updates do not materially diminish the overall level of protection of Customer Personal Data. Material updates are summarized in the security overview at vastconfluence.com/security.
9.3 Risk Assessment
VastConfluence regularly assesses the effectiveness of its security measures through internal review, independent third-party assessments, and where applicable certifications such as SOC 2 Type II and ISO/IEC 27001. The current scope of certifications and audit reports is summarized in our security overview.
10. Sub-processors
10.1 General Authorization
Customer grants VastConfluence general written authorization to engage Sub-processors for the performance of the Services, subject to the conditions in this Section. The current list of Sub-processors authorized at the date of this DPA is set out in Annex III and maintained at vastconfluence.com/legal/sub-processors.
10.2 Conditions for Engagement
Before engaging a Sub-processor, VastConfluence will:
- conduct appropriate due diligence on the Sub-processor's ability to provide the level of protection required by Applicable Data Protection Law and this DPA;
- enter into a written contract with the Sub-processor that imposes data-protection obligations no less protective than those imposed on VastConfluence under this DPA, including, where relevant, Article 28(3) EU GDPR obligations and the appropriate Standard Contractual Clauses for any Restricted Transfer; and
- where the Sub-processor will process Personal Data outside the EEA, UK, or Switzerland, ensure that an appropriate transfer mechanism under Section 16 is in place.
10.3 Notice of New Sub-processors
VastConfluence will provide Customer with notice of any new Sub-processor before authorizing them to process Customer Personal Data. Notice is provided by updating the public Sub-processor list and (where Customer has subscribed to notifications) by email to the Account contact. Customers may subscribe to notifications at vastconfluence.com/legal/sub-processors#subscribe.
10.4 Customer Right to Object
Customer may object to the engagement of a new Sub-processor on reasonable grounds related to data protection within 30 days of the notice. If Customer objects, the parties will work in good faith to resolve the objection, which may involve VastConfluence offering an alternative configuration, additional safeguards, or, if no resolution can be reached, Customer's right to terminate the affected Service for material breach with a pro-rata refund of unused prepaid amounts.
10.5 Liability for Sub-processors
VastConfluence remains fully liable to Customer for the performance of each Sub-processor's data-protection obligations under this DPA.
11. Data Subject Rights
11.1 Direct Requests to VastConfluence
If VastConfluence receives a request directly from a Data Subject seeking to exercise rights under Applicable Data Protection Law that relate to Customer Personal Data (for example, access, rectification, erasure, restriction of processing, data portability, objection, or rights related to automated decision-making), VastConfluence will, to the extent legally permitted, promptly forward the request to Customer and will not respond substantively to the Data Subject except to confirm receipt and direct them to Customer.
11.2 Assistance to Customer
VastConfluence will provide reasonable assistance to Customer to enable Customer to fulfill its obligation to respond to Data Subject requests, taking into account the nature of the processing. Where the Services include self-service tooling that Customer can use to fulfill a Data Subject request directly (for example, deleting an end-user record from a TechNanny database or exporting a BizNanny customer record), Customer is expected to use that tooling rather than escalating to VastConfluence.
11.3 Cost of Assistance
Standard assistance with Data Subject requests is provided at no additional charge. Where a request is unusually voluminous, repeated, or requires custom engineering work that cannot be performed using the Services' self-service tooling, VastConfluence may charge a reasonable fee at its then-current professional-services rates, after providing Customer with a prior estimate.
12. Personal Data Breach Notification
12.1 Notice to Customer
VastConfluence will notify Customer of a Personal Data Breach affecting Customer Personal Data without undue delay and, in any event, within 72 hours after becoming aware of it. The notice will, to the extent then known, contain the information required by Article 33(3) EU GDPR, including:
- the nature of the breach, including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned;
- the name and contact details of VastConfluence's data-protection officer or other contact point;
- the likely consequences of the breach;
- the measures taken or proposed to address the breach and mitigate its possible adverse effects.
Where information is not yet known at the time of initial notification, VastConfluence will provide updates in phases as the investigation progresses.
12.2 Notification Channel
Notice is sent by email to the security or privacy contact on file for the Account, with a copy to the primary Account contact. Customers should ensure these contacts are kept current via the Account settings; failure to maintain current contacts does not relieve VastConfluence of the duty to notify but may limit the practical effectiveness of the notice.
12.3 No Admission of Fault
VastConfluence's notice of a Personal Data Breach does not constitute an admission of fault or liability. The parties will cooperate in good faith on investigation and remediation.
12.4 Customer's Notification Obligations
Customer is responsible for notifying its Supervisory Authority and affected Data Subjects of any Personal Data Breach to the extent required by Applicable Data Protection Law. VastConfluence will provide reasonable assistance with such notifications.
13. Data Protection Impact Assessments & Prior Consultation
Taking into account the nature of the processing and the information available to it, VastConfluence will provide reasonable assistance to Customer in carrying out data-protection impact assessments and, where required, in consultations with Supervisory Authorities under Articles 35 and 36 EU GDPR (and equivalent provisions of other Applicable Data Protection Law). Such assistance typically takes the form of providing the documentation, security descriptions, sub-processor information, and similar materials in our DPIA Information Pack.
14. Return or Deletion of Customer Personal Data
14.1 Choice at End of Term
Within 30 days of termination or expiry of the Services, Customer may, by written request, instruct VastConfluence to either:
- return all Customer Personal Data in the Services in a structured, commonly used, machine-readable format; or
- delete all Customer Personal Data from the Services.
Absent a contrary instruction within the 30-day window, VastConfluence will proceed with deletion.
14.2 Backup & Log Retention
Following deletion, residual copies may persist in encrypted backups and immutable logs for the duration of the standard retention cycle (currently up to 90 days for backups and up to 12 months for security logs). These residual copies are not actively processed, are protected by the security measures in Annex II, and are deleted on the standard rotation.
14.3 Legal Retention Exceptions
VastConfluence may retain Customer Personal Data to the extent and for the duration required by applicable law (including tax, accounting, anti-money-laundering, and litigation-hold obligations). Such retention is limited to what is necessary for the legal obligation, and the data continues to be subject to the security and confidentiality obligations of this DPA.
14.4 Certification
Upon written request, VastConfluence will provide Customer with written certification of completed deletion.
15. Audits & Information Rights
15.1 Information First
VastConfluence will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and Article 28 EU GDPR. In the first instance, this is satisfied by providing on request:
- this DPA, together with current Annexes and Sub-processor list;
- the most recent SOC 2 Type II report (under NDA);
- the most recent ISO/IEC 27001 certificate and Statement of Applicability;
- the security overview at vastconfluence.com/security;
- summary penetration-test reports (under NDA);
- responses to standard security questionnaires (e.g., SIG Lite, CAIQ).
15.2 On-Site Audits
If the information made available under Section 15.1 does not adequately address Customer's audit requirements, Customer may, on at least 30 days' prior written notice and not more than once per calendar year (except where required by a Supervisory Authority or following a Personal Data Breach), request an on-site audit at a mutually agreed time during VastConfluence's regular business hours. Such audits:
- are conducted by an independent third-party auditor mutually agreed by the parties, bound by appropriate confidentiality obligations;
- are limited in scope to information directly relevant to compliance with this DPA;
- do not give the auditor access to other customers' data, source code, security keys, or infrastructure components whose disclosure would compromise security;
- are at Customer's expense, except where the audit reveals a material non-compliance, in which case VastConfluence bears the reasonable costs of audit and remediation.
15.3 Supervisory Authority Audits
Notwithstanding Section 15.2, VastConfluence will permit and contribute to audits or inspections conducted by a competent Supervisory Authority where required by Applicable Data Protection Law.
16. International Data Transfers
16.1 Data Center Locations
VastConfluence primarily processes Customer Personal Data in the United States. Where Customer selects an EU or UK region in the Services configuration, processing of Customer Personal Data primarily takes place within the EEA or UK respectively, with limited Sub-processor activities (e.g., DDoS mitigation, fraud screening, customer support) potentially involving transfer to other jurisdictions on the basis of an appropriate transfer mechanism described in this Section.
16.2 Transfer Mechanisms
Where a transfer of Customer Personal Data constitutes a Restricted Transfer, the parties rely on the following mechanisms in order of preference:
- An adequacy decision by the European Commission, the UK Secretary of State, or the Swiss Federal Council, where one applies (including the EU-US Data Privacy Framework where VastConfluence's certification covers the relevant transfer).
- The Standard Contractual Clauses, as described in Sections 17, 18, and 19.
- Any other valid transfer mechanism agreed in writing by the parties.
16.3 Transfer Impact Assessment
The parties acknowledge that they have considered the circumstances of any Restricted Transfer, including the legal framework of the importing jurisdiction, the supplementary technical and contractual measures described in Annex II, and the operational reality of the Services, and conclude that the appropriate transfer mechanism, together with the safeguards described in this DPA, ensures an essentially equivalent level of protection. A summary of the assessment is provided in Annex IV.
17. EU Standard Contractual Clauses
17.1 Incorporation
To the extent that the processing of Customer Personal Data involves a Restricted Transfer from the EEA, the EU SCCs are hereby incorporated into and form part of this DPA. The SCCs apply as follows:
- Module Two (Controller to Processor) applies where Customer is a Controller exporting Personal Data to VastConfluence as Processor.
- Module Three (Processor to Sub-processor) applies where Customer is a Processor exporting Personal Data to VastConfluence as Sub-processor on behalf of an underlying Controller.
17.2 Selected Options
For purposes of the EU SCCs, the parties agree to the following selections:
- Clause 7 (Docking Clause): not adopted.
- Clause 9 (Sub-processors): Option 2 (general written authorization) applies, with the notice period for changes set at 30 days as in Section 10.4.
- Clause 11 (Redress): the optional independent dispute-resolution body language is not adopted.
- Clause 17 (Governing law): the law of Ireland governs the EU SCCs.
- Clause 18 (Choice of forum and jurisdiction): the courts of Ireland have exclusive jurisdiction over disputes arising from the EU SCCs.
- Annex I.A (List of parties): as set out in Annex I of this DPA.
- Annex I.B (Description of transfer): as set out in Annex I.
- Annex I.C (Competent supervisory authority): determined by reference to Clause 13 of the EU SCCs; for Module Two, where Customer's establishment is in the EEA, the Supervisory Authority is that of Customer's main establishment; where Customer is outside the EEA, the Irish Data Protection Commission acts as competent Supervisory Authority by virtue of VastConfluence having appointed an EU representative in Ireland.
- Annex II (Technical and Organizational Measures): as set out in Annex II of this DPA.
- Annex III (Sub-processors): as set out in Annex III of this DPA.
17.3 EU-US Data Privacy Framework
Where VastConfluence is at any time certified under the EU-US Data Privacy Framework ("EU-US DPF") for the categories of data transferred under this DPA, the parties may rely on that certification as an alternative transfer mechanism. The EU SCCs continue to apply as a fallback in case the EU-US DPF is invalidated or VastConfluence's certification lapses, and as the operative mechanism for transfers to VastConfluence affiliates or Sub-processors not covered by the certification.
18. UK International Data Transfers
18.1 Mechanism Selection
To the extent that the processing of Customer Personal Data involves a Restricted Transfer from the UK, the parties rely on either:
- the EU SCCs as supplemented by the UK Addendum; or
- the UK IDTA, where Customer expressly elects the IDTA in writing.
By default, the EU SCCs as supplemented by the UK Addendum apply.
18.2 UK Addendum Tables
For purposes of the UK Addendum:
- Table 1 (Parties): as set out in Annex I.
- Table 2 (Selected SCCs and modules): the EU SCCs Modules Two and Three, as appropriate, as incorporated by Section 17.
- Table 3 (Appendix Information): the Annex Information of the EU SCCs, as set out in Annex I, Annex II, and Annex III.
- Table 4 (Ending the Addendum when the Approved Addendum changes): neither party may end the UK Addendum solely because the ICO publishes a revised Approved Addendum.
18.3 UK Adequacy
Where the UK is at any time deemed adequate by the European Commission for transfers from the EU, transfers from the EU to the UK do not constitute a Restricted Transfer and the EU SCCs are not required for such transfers.
19. Swiss FADP Transfers
For Restricted Transfers from Switzerland under the Swiss FADP, the EU SCCs apply with the following adjustments, in line with guidance from the Swiss Federal Data Protection and Information Commissioner ("FDPIC"):
- References to "Regulation (EU) 2016/679" or "EU GDPR" are read as references to the FADP, except where the EU GDPR applies extraterritorially.
- References to the competent Supervisory Authority and competent courts in Member States are read as references to the FDPIC and competent Swiss courts respectively, where Swiss law applies.
- The term "Member State" is read so as not to exclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence.
- Where the FADP applies, the SCCs protect Personal Data of legal persons until the FADP no longer affords such protection.
20. California Consumer Privacy Act / CPRA Terms
20.1 Service Provider / Contractor Status
The parties acknowledge that, with respect to Personal Information of California Consumers processed by VastConfluence on behalf of Customer in providing the Services, VastConfluence acts as a "Service Provider" (or, to the extent applicable, "Contractor") and Customer acts as a "Business," each as defined in CCPA/CPRA.
20.2 Permitted Purposes
VastConfluence will process Personal Information only for the limited and specified business purposes described in this DPA and the Terms of Service, which constitute Customer's documented "business purpose" for purposes of Cal. Civ. Code § 1798.140(e). VastConfluence will not:
- "Sell" or "Share" (as defined under CCPA/CPRA) Personal Information processed under this DPA;
- retain, use, or disclose Personal Information outside the direct business relationship between VastConfluence and Customer, or for any purpose (including any "commercial purpose") other than the business purposes specified in the Terms of Service or this DPA, except as permitted by CCPA/CPRA;
- combine Personal Information received from or on behalf of Customer with Personal Information received from or on behalf of any other person, or collected from VastConfluence's own interaction with Consumers, except as permitted under CCPA/CPRA Regs. § 7050(b).
20.3 Compliance and Cooperation
VastConfluence will:
- comply with applicable obligations under CCPA/CPRA and provide the same level of privacy protection to Personal Information as is required of Businesses;
- notify Customer if VastConfluence determines it can no longer meet its obligations under CCPA/CPRA;
- cooperate with Customer in responding to verifiable Consumer requests under CCPA/CPRA, including requests to know, delete, correct, opt out of "sale" or "share," and limit use of Sensitive Personal Information;
- permit Customer to take reasonable and appropriate steps under CCPA/CPRA Regs. § 7051(a)(5) to ensure VastConfluence uses Personal Information consistently with Customer's CCPA/CPRA obligations;
- permit Customer, upon notice and with appropriate safeguards, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information.
20.4 Sensitive Personal Information
VastConfluence will not process Sensitive Personal Information for purposes other than those permitted by Cal. Civ. Code § 1798.121(a) and applicable regulations.
20.5 Sub-processor Flow-Down
VastConfluence's contracts with Sub-processors include CCPA/CPRA flow-down obligations equivalent to those in this Section 20.
21. Other Jurisdictions
21.1 Brazilian LGPD
For Personal Data of Brazilian Data Subjects, VastConfluence acts as "operador" (operator) and Customer as "controlador" (controller) within the meaning of the Lei Geral de Proteção de Dados Pessoais (Lei 13.709/2018). The obligations in this DPA are intended to satisfy the corresponding requirements under Articles 39 and 42 LGPD, in addition to GDPR-equivalent obligations.
21.2 Canadian PIPEDA & Quebec Law 25
For Personal Information of Canadian Data Subjects, VastConfluence processes such Personal Information only on Customer's instructions, with comparable safeguards to those required of Customer under PIPEDA, the Quebec Act respecting the protection of personal information in the private sector (as amended by Law 25), and equivalent provincial statutes. Cross-border transfers of Quebec residents' Personal Information are accompanied by a transfer impact assessment as described in Annex IV.
21.3 Japanese APPI
For Personal Information subject to the Japanese Act on the Protection of Personal Information, VastConfluence undertakes to provide a level of protection equivalent to APPI requirements, in line with PPC notifications relating to cross-border transfers and the supplementary rules for handling Personal Information transferred from the EU and UK.
21.4 Australian Privacy Act
VastConfluence will handle Personal Information of Australian Data Subjects in accordance with the Australian Privacy Principles ("APPs") to the extent applicable to a Processor, and will assist Customer in complying with APP 11 (security) and APP 8 (cross-border disclosure).
21.5 Singapore PDPA
VastConfluence acts as a "data intermediary" within the meaning of the Singapore Personal Data Protection Act and will comply with the protection and breach-notification obligations applicable to data intermediaries.
21.6 Other Laws
Where Applicable Data Protection Law not expressly listed in this DPA imposes specific Processor obligations, VastConfluence will comply with such obligations to the extent required by law.
22. Liability
22.1 Cap
Each party's aggregate liability under this DPA, taken together with the underlying Terms of Service, is subject to the limitation of liability set out in the Terms of Service. The parties have considered the value of the Services and the data-protection risks involved in negotiating that cap.
22.2 Carve-Outs from Cap
The cap does not limit liability that cannot be excluded or limited under Applicable Data Protection Law, including (in each case to the minimum extent required by mandatory law): (i) liability of either party for damages awarded to a Data Subject under Article 82 EU GDPR or equivalent provisions, (ii) liability for fines imposed by a Supervisory Authority for which the relevant party is responsible, and (iii) the parties' indemnification obligations to each other in respect of third-party claims arising from the other party's material breach of this DPA.
22.3 SCC Liability
The liability provisions in the Standard Contractual Clauses, where applicable, prevail over this Section 22 to the extent (and only to the extent) of any conflict.
23. Order of Precedence
In case of any conflict between documents, the order of precedence is:
- The Standard Contractual Clauses (where applicable).
- This DPA, including its Annexes.
- The Terms of Service and any executed order form.
- Any other document incorporated by reference.
24. Term & Termination
This DPA takes effect on the Effective Date and continues in force for as long as VastConfluence processes Customer Personal Data on behalf of Customer. Termination of the Terms of Service automatically terminates this DPA, except for provisions that by their nature should survive (including those relating to confidentiality, deletion or return, audits, liability, and the Standard Contractual Clauses to the extent that any Customer Personal Data remains in VastConfluence's custody).
25. Governing Law & Jurisdiction
Except as otherwise provided in the Standard Contractual Clauses (which are governed by the law specified therein), this DPA is governed by the law of the State of Wyoming, United States, without regard to conflict-of-law principles, and the parties submit to the exclusive jurisdiction of the courts of Wyoming, except where mandatory consumer-protection or data-protection law provides for the exclusive competence of a different court.
26. Updates to this DPA
We may update this DPA to reflect changes in Applicable Data Protection Law, the issuance of new Standard Contractual Clauses, or operational changes. Where an update materially affects Customer's rights or obligations, we will provide at least 30 days' prior notice by email and in-product notification, and Customer may terminate the affected Service for material breach if it does not accept the update. Updates that simply reflect new versions of Standard Contractual Clauses or new Sub-processor entries do not require Customer consent.
27. Contact & Data Protection Officer
For data-protection inquiries, requests under this DPA, or to engage with our representatives in the EU and UK, please use the contacts below.
VastConfluence LLC — Data Protection Contacts
Registered Office: Wyoming, United States
General & Privacy Inquiries (including DPO, EU/UK representatives):
Email: info@vastconfluence.com
Security Incidents & Breach Reports:
Email: abuse@vastconfluence.com
Appeals (content/account restrictions):
Email: appeals@vastconfluence.com
Annex I — Description of Processing
A. List of Parties
Data Exporter (Customer)
Identity, contact details, and signature: as recorded in Customer's Account at the time of acceptance of this DPA. Activities relevant to the data transferred under this DPA: provision of websites, applications, business-management workflows, and template usage through the Services.
Data Importer (VastConfluence)
Identity: VastConfluence LLC, a Wyoming limited liability company. Contact details: info@vastconfluence.com. Activities: providing TechNanny (pure-static CMS SaaS), BizNanny (small-business cloud ERP), Template Waterfall (template marketplace), and related support services.
B. Description of Transfer
Categories of Data Subjects
Customer's authorized end users, employees, contractors, customers, suppliers, and prospects, and any other natural persons whose Personal Data Customer chooses to upload, process, or display through the Services.
Categories of Personal Data
Identification and contact data (such as name, email address, telephone number, postal address); employment and professional data (such as job title, department, employee ID); customer-relationship data (such as order history, communication logs, support tickets); financial data limited to that necessary for invoicing and accounting (such as invoice records, payment status; full payment-card numbers are processed by Stripe and not by VastConfluence); content and communications data uploaded by Customer; technical data (such as IP address, device identifiers, cookies, browser metadata); usage data; and any other Personal Data Customer chooses to upload to the Services.
Sensitive Data
The Services are not designed for, and Customer should not upload, Special Categories of Personal Data (as defined in Article 9 EU GDPR), data related to criminal convictions and offenses, financial-account credentials, government-issued identification numbers, biometric data, children's data without verifiable parental consent, or other Sensitive Personal Information except where Customer has implemented all required additional safeguards. Where Customer chooses to upload such data despite this, Customer warrants that all required notices, consents, and safeguards are in place and Customer remains solely responsible for compliance.
Frequency of Transfer
Continuous, on the basis of Customer's use of the Services.
Nature of Processing
Hosting, storage, transmission, retrieval, indexing, backup, and processing of Customer Personal Data in connection with providing the Services, including: rendering pages, executing application logic, sending transactional emails initiated by Customer, generating reports, providing analytics dashboards, supporting Customer when a support ticket is opened, and any other operations strictly necessary for service provision.
Purpose of Transfer and Further Processing
Provision of the Services to Customer in accordance with the Terms of Service and Customer's documented instructions, and (for VastConfluence's Controller-role activities described in Section 4.3) the limited business purposes described in our Privacy Policy.
Retention Period
For the duration of the Services subscription, plus any period reasonably necessary for backup rotation, legal retention, or completion of agreed return/deletion operations under Section 14.
Sub-processor Transfers
For purposes of transfers to Sub-processors, the subject matter, nature, and duration of processing match those of the primary transfer above.
C. Competent Supervisory Authority
For Module Two transfers from the EEA: as described in Section 17.2. For UK transfers: the UK Information Commissioner's Office. For Swiss transfers: the FDPIC. For California transfers: the California Privacy Protection Agency. For other jurisdictions: the data-protection authority designated under Applicable Data Protection Law.
Annex II — Technical & Organizational Measures
The measures below describe the technical and organizational measures that VastConfluence has implemented as of the Effective Date. Capitalized terms used in this Annex have the meanings given in this DPA. The current detailed security overview, including evidence of independent assessments, is available at vastconfluence.com/security.
1. Pseudonymization & Encryption
Customer Personal Data is encrypted at rest using AES-256 (or equivalent) and in transit using TLS 1.2 or higher with certificates issued by publicly trusted certificate authorities. Database encryption keys are managed in a hardware-backed key-management service with strict access controls and audit logging. Backup data is encrypted using keys independent of the primary database keys.
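The at-rest commitment above (KMS-managed database keys, backups under independent keys) is the envelope-encryption pattern. The Go program below is an added illustration written for this page, not VastConfluence's code: every key is held in process rather than in a hardware-backed KMS (an assumption made so it runs stand-alone), each record is encrypted under its own data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK), and a stored envelope is re-encrypted under a separate backup key so that neither the KEK nor the backup key alone can read a backup. The type and function names (Key, Envelope, EncryptRecord, ExportBackup) and the AAD context strings are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// Key is a 256-bit AES key; held in process here (assumption), in the KMS in Annex II's model.
type Key [32]byte

func NewKey() (k Key, err error) {
	_, err = rand.Read(k[:])
	return
}

func newGCM(key Key) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM: AES-256-GCM, random 96-bit nonce prefixed; aad is authenticated, not encrypted.
func sealGCM(key Key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; any change to nonce, ciphertext, tag or aad fails.
func openGCM(key Key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Envelope is one stored record: data under a per-record DEK, DEK under the KEK.
type Envelope struct {
	WrappedDEK []byte `json:"wrapped_dek"`
	Ciphertext []byte `json:"ciphertext"`
}

// EncryptRecord: fresh DEK per record, record ID bound as AAD on both layers.
func EncryptRecord(kek Key, recordID string, plaintext []byte) (Envelope, error) {
	dek, err := NewKey()
	if err != nil {
		return Envelope{}, err
	}
	ct, err := sealGCM(dek, plaintext, []byte("record:"+recordID))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := sealGCM(kek, dek[:], []byte("dek:"+recordID))
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, err
}

func DecryptRecord(kek Key, recordID string, env Envelope) ([]byte, error) {
	raw, err := openGCM(kek, env.WrappedDEK, []byte("dek:"+recordID))
	if err != nil {
		return nil, err
	}
	var dek Key
	copy(dek[:], raw)
	return openGCM(dek, env.Ciphertext, []byte("record:"+recordID))
}

// ExportBackup re-encrypts the whole envelope under an independent backup key.
func ExportBackup(backupKey Key, recordID string, env Envelope) ([]byte, error) {
	plain, err := json.Marshal(env)
	if err != nil {
		return nil, err
	}
	return sealGCM(backupKey, plain, []byte("backup:"+recordID))
}

// ImportBackup reverses ExportBackup; reading the data still needs the KEK.
func ImportBackup(backupKey Key, recordID string, blob []byte) (Envelope, error) {
	var env Envelope
	plain, err := openGCM(backupKey, blob, []byte("backup:"+recordID))
	if err != nil {
		return env, err
	}
	err = json.Unmarshal(plain, &env)
	return env, err
}
```

Binding the record ID as associated data on both layers means a wrapped DEK or ciphertext copied from one record into another fails authentication rather than silently decrypting; the backup key and the KEK are each necessary and neither is sufficient to recover a record from a backup.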
2. Confidentiality, Integrity, Availability & Resilience
VastConfluence maintains documented information-security and business-continuity programs, including network segmentation, intrusion detection, denial-of-service mitigation, redundant and geographically distributed infrastructure, capacity monitoring, and disaster-recovery planning with regularly tested recovery objectives. Production access is logged, monitored, and subject to anomaly detection.
3. Restoration of Availability
Backups are taken on a defined schedule, encrypted, and stored separately from the primary processing environment. Restore procedures are tested at least annually, with results documented and reviewed by management.
4. Regular Testing & Evaluation
Security controls are tested through a combination of internal testing, automated vulnerability scanning, dependency monitoring, code review, and at least annual independent penetration testing. We pursue and maintain industry-standard certifications including SOC 2 Type II, with ISO/IEC 27001 certification scope being expanded.
5. User Identification & Authorization
Access to Customer Personal Data is granted on the principle of least privilege and only to personnel whose role requires such access. Personnel access uses unique identifiers, strong passwords, and enforced multi-factor authentication. Privileged operations are subject to additional authorization, peer review, and logging. Access reviews are performed at least quarterly.
6. Data Transmission Protection
Personal Data in transit between Customer, VastConfluence, and Sub-processors is protected using TLS 1.2 or higher with modern cipher suites. Insecure protocols are disabled at the network edge. Internal service-to-service communication uses mutual TLS where available.
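The transit floor stated in Sections 1 and 6 (TLS 1.2 or higher, modern cipher suites, legacy protocols disabled, mutual TLS between internal services) is the kind of thing a customer reviewing this Annex would want to verify in configuration rather than take on trust. The Go program below is an added example written for this page, not VastConfluence's edge configuration: it shows a permissive legacy server config next to a hardened one, a mutual-TLS variant for service-to-service traffic, and a small audit that flags any config falling below that floor. The config names and the audit's wording are the example's own.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"strings"
)

// LegacyEdgeConfig is the permissive shape an edge often has before hardening:
// TLS 1.0 still accepted and legacy suites enabled. Shown for contrast only.
func LegacyEdgeConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS10,
		CipherSuites: []uint16{
			tls.TLS_RSA_WITH_RC4_128_SHA,     // broken stream cipher
			tls.TLS_RSA_WITH_AES_128_CBC_SHA, // static RSA key exchange: no forward secrecy
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// HardenedEdgeConfig enforces the Annex II floor: TLS 1.2 minimum and, for TLS 1.2,
// only ECDHE (forward-secret) AEAD suites. TLS 1.3 suites are fixed by the library.
func HardenedEdgeConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
	}
}

// InternalMTLSConfig is the service-to-service variant: same floor, plus a
// required and verified client certificate chaining to the internal CA pool.
func InternalMTLSConfig(internalCAs *x509.CertPool) *tls.Config {
	c := HardenedEdgeConfig()
	c.ClientAuth = tls.RequireAndVerifyClientCert
	c.ClientCAs = internalCAs
	return c
}

// AuditConfig returns one finding per setting below the floor; empty means it passes.
func AuditConfig(c *tls.Config) []string {
	var findings []string
	switch {
	case c.MinVersion == 0:
		findings = append(findings, "MinVersion not pinned (relies on library default)")
	case c.MinVersion < tls.VersionTLS12:
		findings = append(findings, fmt.Sprintf("MinVersion 0x%04x is below TLS 1.2", c.MinVersion))
	}
	insecure := map[uint16]bool{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.ID] = true
	}
	for _, id := range c.CipherSuites {
		name := tls.CipherSuiteName(id)
		switch {
		case insecure[id]:
			findings = append(findings, "insecure suite enabled: "+name)
		case strings.HasPrefix(name, "TLS_RSA_"):
			findings = append(findings, "no forward secrecy: "+name)
		case !strings.Contains(name, "_GCM_") && !strings.Contains(name, "CHACHA20"):
			findings = append(findings, "non-AEAD suite: "+name)
		}
	}
	return findings
}

func main() {
	fmt.Println("legacy:  ", AuditConfig(LegacyEdgeConfig()))
	fmt.Println("hardened:", AuditConfig(HardenedEdgeConfig()))
}
```

The audit deliberately treats an unset MinVersion as a finding: the library default may be TLS 1.2 today, but a contractual floor should be pinned in configuration, not inherited.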
7. Data Storage Protection
Storage media are encrypted, located in physically secured data centers operated by reputable infrastructure providers (with their own physical-security and SOC 2 / ISO 27001 attestations), and decommissioned media are securely sanitized in accordance with NIST SP 800-88 or equivalent.
8. Physical Security
Physical access to data centers is controlled by the underlying infrastructure providers and is restricted to authorized personnel with biometric or multi-factor controls, video surveillance, and detailed access logs. VastConfluence does not maintain its own physical data centers.
9. Event Logging
Security-relevant events (authentication, privileged operations, configuration changes, data-access events) are logged with sufficient detail and retention to support incident investigation. Logs are protected against unauthorized modification and reviewed both automatically and by trained personnel.
10. System Configuration
Production systems are configured according to documented hardening standards, with default credentials changed, unnecessary services disabled, and security patches applied on a defined schedule (with critical patches applied promptly outside the standard cycle). Configuration changes are version-controlled and reviewed.
11. Internal IT Governance & Management
VastConfluence operates a documented information-security management system aligned with ISO/IEC 27001 controls, with assigned security ownership at executive level, regular risk assessments, defined security policies, mandatory training, and a formal vendor-management program.
12. Certification & Assurance
Certifications and audit reports are made available under NDA on request. The current scope is summarized at vastconfluence.com/security.
13. Data Minimization
The Services are designed to collect only Personal Data necessary for the specified processing purpose. Customer is responsible for similarly minimizing the Personal Data it uploads.
14. Data Quality
The Services support Customer in maintaining the accuracy of Personal Data through editing, correction, and deletion features made available to Customer's authorized users.
15. Limited Retention
VastConfluence retains Customer Personal Data for the duration of the Services subscription plus the periods described in Section 14, after which Personal Data is deleted or returned according to Customer's instructions.
16. Accountability
VastConfluence maintains records of processing activities (Article 30 EU GDPR), conducts privacy and security training, performs DPIAs for significant new processing activities, and operates internal review mechanisms.
17. Allowing Data Portability & Erasure
Customer-facing tooling supports export of Customer Personal Data in structured, commonly used, machine-readable formats and supports deletion of individual records, in support of Data Subject portability and erasure rights.
18. Supplementary Measures for Restricted Transfers
For Restricted Transfers, in addition to the foregoing, VastConfluence (i) applies strong end-to-end encryption where supported by the Service architecture, (ii) maintains a public transparency report on government access requests received and our response, (iii) commits to challenge in court any law-enforcement request that, in our reasonable assessment, conflicts with our obligations under the EU SCCs, and (iv) promptly notifies Customer of any direct law-enforcement access request relating to Customer Personal Data, except where legally prohibited.
Annex III — List of Sub-processors
The following Sub-processors are authorized as of the Effective Date. The current list, including changes since the Effective Date, is maintained at vastconfluence.com/legal/sub-processors. Customer may subscribe to email notifications of changes at the same URL.
For each Sub-processor, the table below indicates: the entity providing the service, the category of processing performed, the location of processing, and the applicable transfer mechanism (where the Sub-processor is outside the EEA, UK, or Switzerland and a Restricted Transfer is involved).
| Sub-processor | Service | Location | Transfer Mechanism |
|---|---|---|---|
| Amazon Web Services, Inc. | Cloud infrastructure (compute, storage, networking) | U.S., EU, UK regions per Customer selection | EU SCCs / UK Addendum / EU-US DPF (where applicable) |
| Cloudflare, Inc. | Content delivery, DDoS mitigation, WAF | Global edge network | EU SCCs / UK Addendum / EU-US DPF |
| Stripe, Inc. / Stripe Payments Europe Ltd. | Payment processing (Customer billing only) | U.S., Ireland | EU SCCs / UK Addendum / EU-US DPF |
| SendGrid (Twilio Inc.) | Transactional email delivery | U.S. | EU SCCs / UK Addendum / EU-US DPF |
| Datadog, Inc. | Application monitoring & logging | U.S., EU regions per Customer plan | EU SCCs / UK Addendum / EU-US DPF |
| Zendesk, Inc. | Customer support ticketing | U.S., EU | EU SCCs / UK Addendum / EU-US DPF |
| Google Cloud (Google LLC / Google Ireland Ltd.) | Selected analytics & AI services | U.S., EU regions per service | EU SCCs / UK Addendum / EU-US DPF |
| VastConfluence affiliated entities | Customer support, engineering, business operations | U.S., Taiwan | EU SCCs / UK Addendum (intra-group) |
Note: This is the foundational list. Additional Sub-processors used in specific configurations or premium features (for example, regional payment processors, regional email-delivery providers, optional integrations) are listed in full at the URL above.
Annex IV — Transfer Impact Assessment Summary
This Annex summarizes the assessment performed by the parties under the EU SCCs and UK Addendum (and equivalent rules) regarding the legal framework of the importing jurisdiction and the supplementary measures applied to ensure essentially equivalent protection. This summary is intended to assist Customer's own assessment under European Data Protection Board guidance and is not a substitute for it.
1. Importing Jurisdiction
The principal importing jurisdiction is the United States, with limited transfers to other jurisdictions where Sub-processors are located (see Annex III).
2. Relevant U.S. Laws
The parties have considered Section 702 of the U.S. Foreign Intelligence Surveillance Act, Executive Order 12333, and the CLOUD Act, in light of the Court of Justice of the European Union's Schrems II judgment and the European Commission's adequacy decision in respect of the EU-US Data Privacy Framework.
3. Operational Reality
VastConfluence's Services are not intended for, and the customer base does not principally consist of, the categories of person typically subject to FISA Section 702 directives. To the best of VastConfluence's knowledge, VastConfluence has not received any FISA 702 directive. VastConfluence publishes a transparency report describing government access requests received and our response.
4. Supplementary Measures
The supplementary technical, organizational, and contractual measures applied to Restricted Transfers are described in Annex II, Section 18, and include strong encryption, transparency commitments, legal challenge of overreaching requests, and prompt notice to Customer of access requests where lawful.
5. Adequacy via EU-US DPF
To the extent VastConfluence is certified under the EU-US Data Privacy Framework, transfers to VastConfluence covered by that certification benefit from an adequacy decision and the assessment in this Annex applies as a fallback rather than as the primary justification.
6. Conclusion
Taking into account the legal framework, operational reality, and supplementary measures, the parties conclude that an essentially equivalent level of protection is provided for Restricted Transfers to VastConfluence at the U.S. importing jurisdiction. The parties will reassess this conclusion if the legal or operational landscape changes materially.
This DPA is published in English. Translations are provided for convenience only; in case of any conflict, the English version prevails. This DPA does not constitute legal advice; Customer should consult its own counsel regarding the application of Applicable Data Protection Law to its use of the Services.