Last updated: January 1, 2026
Data Processing Agreement (DPA)
1. Definitions
- "Data Controller": The Client (business) that uses VENDAQ to communicate with its end customers and that determines the purposes and means of personal data processing.
- "Data Processor": VENDAQ SpA, which processes personal data on behalf of and under the instructions of the Data Controller.
- "Sub-processor": A third party engaged by VENDAQ that processes personal data as part of delivering the Service.
- "Personal Data": Any information relating to an identified or identifiable natural person.
- "Data Subject": The natural person whose personal data is processed (the Client's end customers).
- "Security Breach": A security incident resulting in the destruction, loss, alteration, or unauthorized disclosure of personal data.
2. Roles & Responsibilities
The Client (Data Controller):
- Determines the purposes and means of processing its end customers' personal data
- Is responsible for having a lawful basis for the collection and processing of data (consent, legitimate interest, contractual relationship, etc.)
- Must inform its end customers about the use of AI in customer service and about the processing of their data
- Provides documented instructions to VENDAQ regarding data processing
VENDAQ (Data Processor):
- Processes personal data only according to the Client's documented instructions
- Does not process data for its own purposes (except as required by law)
- Ensures that personnel with access to personal data are bound by confidentiality obligations
- Implements appropriate technical and organizational measures to protect data
- Assists the Client in fulfilling its obligations regarding data subject rights
- Notifies the Client without undue delay of any security breach
3. Purpose of Processing
VENDAQ processes personal data exclusively for:
- Providing the AI-powered customer service
- Processing and responding to end-customer conversations
- Maintaining conversation history and customer context
- Integrating with e-commerce systems to query order information
- Generating aggregated analytics and reports for the Client's dashboard
- Managing billing and administration of the Client's account
4. Types of Data Processed
| Category | Types of Data | Data Subjects |
|---|---|---|
| Identification data | Name, phone number, profile picture (from messaging platform) | End customers |
| Conversation data | Text message content, transcribed audio, shared files, timestamps | End customers |
| Commercial data | Purchase history, orders, product preferences, shipping address | End customers |
| Account data | Name, email, company, billing information | Client (business) |
| Metadata | Communication channel, interaction time, device type, IP address | End customers and Client |
Sensitive data: VENDAQ is not designed to process special categories of data (health data, biometric data, data about sexual orientation, religious beliefs, or political affiliation). The Client must not configure the service to intentionally collect this type of data.
5. Sub-processors
VENDAQ uses the following sub-processors to deliver the Service. The Client authorizes the use of these sub-processors by accepting this DPA:
| Sub-processor | Purpose | Data Location |
|---|---|---|
| Google (Gemini) | Natural language processing — AI response generation | United States |
| Anthropic (Claude) | Natural language processing — AI response generation | United States |
| Groq | Natural language processing — fast inference | United States |
| Deepgram | Speech-to-text transcription | United States |
| Fly.io | Application hosting — platform servers | São Paulo, Brazil |
| Neon | Managed PostgreSQL database | São Paulo, Brazil |
| Upstash | Redis cache and message queues | São Paulo, Brazil |
| Stripe | Payment processing and billing | United States |
Changes to sub-processors: VENDAQ will notify the Client at least 30 days in advance before adding or changing a sub-processor. The Client may object in writing within 15 days of the notification. If the objection cannot be resolved, the Client may terminate the service.
All sub-processors are subject to contractual agreements requiring the same level of data protection established in this DPA.
6. Security Measures
VENDAQ implements the following technical and organizational measures:
Encryption
- Encryption at rest: AES-256 for databases and storage
- Encryption in transit: TLS 1.2+ for all communications
- Backup encryption
Access Control
- Multi-factor authentication (MFA) for all staff with production access
- Principle of least privilege for internal access
- Role-based access control (RBAC)
- Periodic review of access permissions
Monitoring & Auditing
- Logging of all access to personal data
- Real-time security monitoring
- Automatic alerts for suspicious activity
- Audit log retention for 12 months
Application Security
- Per-tenant data isolation (secure multi-tenancy)
- Code review and security testing
- Security updates applied regularly
Business Continuity
- Automated daily backups with 30-day retention
- Documented disaster recovery plan
- Redundant infrastructure
7. Breach Notification
In the event of a security breach affecting personal data:
- VENDAQ will notify the Client within 72 hours of discovering the breach
- The notification will include:
  - Nature of the breach and data affected
  - Measures taken or proposed to mitigate the impact
  - Approximate number of data subjects affected
  - Point of contact for further information
- VENDAQ will cooperate with the Client in the investigation and mitigation of the breach
- VENDAQ will assist the Client in fulfilling its notification obligations to authorities and data subjects
8. Audit Rights
The Client has the right to verify VENDAQ's compliance with this DPA:
- VENDAQ will provide documentation and reports on its security and data protection practices upon reasonable request
- The Client may conduct or commission audits with 30 days' prior notice and during business hours
- Audits will be limited to aspects relevant to this DPA and will not interfere with normal operations
- Audit costs will be borne by the Client, unless the audit reveals a material breach by VENDAQ
- VENDAQ may provide independent third-party audit reports as an alternative to on-site audits
9. International Transfers
Some sub-processors process data outside Chile (primarily in the United States and Brazil). For these transfers:
- All sub-processors have adequate protection measures in place
- LLM providers (Google, Anthropic, Groq) process data under enterprise APIs with contractual commitments not to use data for training
- Core infrastructure (database, application) is hosted in São Paulo, Brazil, to minimize international transfers and reduce latency in Latin America
10. Data Deletion
Upon termination of the contractual relationship:
- The Client will have 30 days to export their data through the tools provided by the platform or by requesting an export from our team
- After the export period, VENDAQ will delete all personal data processed on behalf of the Client within 90 days
- Data will be deleted from:
  - Main database
  - Caches and message queues
  - Backups (in the next rotation cycle)
- VENDAQ will provide written confirmation of deletion upon request
- Data that must be retained due to legal obligations will be protected and processed only for that purpose
11. Term
This DPA takes effect when the Client begins using the Service and remains in effect as long as VENDAQ processes personal data on behalf of the Client.
Confidentiality and data protection obligations survive the termination of this agreement.
Contact
For inquiries about this DPA or about data protection:
- Email: [email protected]
- Data protection officer: [email protected]