Data Processing Addendum

This Data Processing Addendum, or DPA, is incorporated into the VisionFabrik Terms of Service and any applicable order form whenever VisionFabrik processes personal data on behalf of a customer that is subject to applicable data protection law.

If there is a conflict between this DPA and the Terms of Service on matters specifically related to data protection and processing of customer personal data, this DPA controls to that extent.

The customer is responsible for determining whether customer content or connected-platform data contains personal data and for providing any notices, obtaining any consents, and establishing the lawful basis needed for the customer's use of VisionFabrik.

As between the parties, the customer acts as controller or business for customer personal data, and VisionFabrik acts as processor or service provider except where VisionFabrik independently controls data for its own account, security, legal, billing, or support purposes.

VisionFabrik will process customer personal data only on documented instructions from the customer, including the customer's use of the service, the applicable agreement, and related support requests, unless processing is required by applicable law.

The subject matter, categories of data, categories of data subjects, and duration of processing depend on how the customer configures and uses the service, including uploads, generated assets, connected publishing platforms, support interactions, and billing records tied to the workspace.

VisionFabrik will ensure that personnel authorized to process customer personal data are subject to appropriate confidentiality obligations.

VisionFabrik maintains reasonable technical and organizational safeguards designed to protect customer personal data, taking into account the nature of the processing and the service architecture. These safeguards may include encryption for sensitive integration credentials, access controls, logging, rate limiting, secure development practices, and measures to detect, respond to, and remediate unauthorized access.

The customer authorizes VisionFabrik to use subprocessors that are reasonably necessary to deliver the service. VisionFabrik remains responsible for the acts and omissions of its subprocessors to the extent required by applicable law and the parties' agreement.

VisionFabrik maintains a public subprocessor list and may update that list from time to time as the service evolves.

Taking into account the nature of the processing, VisionFabrik will provide reasonable assistance to help the customer respond to requests from data subjects or regulators regarding customer personal data, provided the customer remains responsible for the substance and legality of the response.

If VisionFabrik receives a request directly from a data subject relating to customer personal data, VisionFabrik may redirect the requester to the customer unless applicable law requires a different response.

VisionFabrik will notify the customer without undue delay after becoming aware of a confirmed security incident affecting customer personal data processed under this DPA, and will provide information reasonably available to us to help the customer assess the incident and meet any applicable reporting obligations.

If customer personal data subject to the GDPR, UK GDPR, or similar regimes is transferred internationally through the service, the parties will rely on legally recognized transfer mechanisms as required for the relevant transfer path. Those mechanisms may include the European Commission Standard Contractual Clauses, the UK addendum, or similar approved safeguards incorporated by reference where required.

Upon termination of the applicable services and subject to the agreement, VisionFabrik will delete or return customer personal data in its possession or control unless retention is required by law, necessary for security or dispute-resolution purposes, or preserved temporarily in routine backup systems for a limited period.

Upon reasonable written request and no more than once per year, VisionFabrik will provide information reasonably necessary to demonstrate compliance with this DPA, which may include existing audit summaries, security documentation, or policy materials, subject to confidentiality, security, and proportionality limits.