Last updated: March 18, 2026
Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Proviqa (“Processor”) and the customer (“Controller”) for the provision of the Proviqa monitoring service.
1. Definitions
- “Personal Data”, “Processing”, “Data Subject”, “Controller”, “Processor” have the meanings given in GDPR Art. 4
- “Service” means the Proviqa vendor monitoring and alerting platform
- “Sub-processor” means any third party engaged by the Processor to process Personal Data
2. Scope of Processing
| Element | Details |
|---|---|
| Subject matter | Vendor agreement monitoring and change alerting service |
| Duration | For the term of the service agreement |
| Nature and purpose | Processing account data to deliver monitoring alerts and reports |
| Types of personal data | Email address, company name, vendor monitoring preferences |
| Categories of data subjects | Customer employees and authorized users |
3. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures (GDPR Art. 32)
- Assist the Controller in responding to Data Subject requests
- Assist the Controller in meeting GDPR Art. 32–36 obligations
- Delete or return all Personal Data upon termination, at the Controller’s choice
- Make available all information necessary to demonstrate compliance and allow for audits
4. Sub-processors
Current sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Resend | Email delivery | USA (EU SCCs) |
| LLM API provider | AI summarization | EU-region where available |
| Hetzner | Hosting infrastructure | Germany (EU) |
The Processor shall:
- Notify the Controller of any intended addition or replacement of sub-processors at least 30 days in advance
- Ensure sub-processors are bound by equivalent data protection obligations
- Remain liable for sub-processor compliance
5. Data Subject Rights
The Processor shall assist the Controller in fulfilling Data Subject requests under GDPR Chapter III, including rights of access, rectification, erasure, portability, restriction, and objection.
6. Security Measures
The Processor implements:
- Encryption of data in transit (TLS 1.2+)
- Encryption of data at rest
- Access controls and authentication
- Regular security assessments
- Incident response procedures
7. Data Breach Notification
The Processor shall notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data breach, providing:
- Nature of the breach
- Categories and approximate number of affected Data Subjects
- Likely consequences
- Measures taken or proposed to mitigate
8. Audit Rights
The Controller may audit the Processor’s compliance with this DPA:
- With reasonable notice (at least 30 days)
- During normal business hours
- No more than once per year (unless required by a supervisory authority)
- The Processor shall cooperate and provide access to relevant documentation
9. International Transfers
Where Personal Data is transferred outside the EU/EEA, the Processor ensures appropriate safeguards under GDPR Chapter V, including EU Standard Contractual Clauses (SCCs) where applicable.
10. Term and Termination
This DPA is effective for the duration of the service agreement. Upon termination, the Processor shall delete or return all Personal Data within 30 days, unless retention is required by law.
11. Contact
For DPA inquiries: hello@proviqa.com
Data Protection matters: Piotr Klosinski Web and Mobile Development, Krakow, Poland