Data Processing Agreement

Last updated: 11 February 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Thames Translation Group Ltd ("Processor", "we", "us") and the customer ("Controller", "you") and governs the processing of personal data by the Processor on behalf of the Controller through the VectorLingo platform.

Terms not defined in this DPA have the meanings given in the Terms of Service. "UK GDPR" means the UK General Data Protection Regulation as incorporated into UK law by the Data Protection Act 2018 and the European Union (Withdrawal) Act 2018.

1. Scope and application

This DPA applies to all personal data that the Processor processes on behalf of the Controller through the VectorLingo platform. It applies for the duration of the Controller's subscription and any period thereafter during which the Processor retains Controller personal data.

The Controller is the data controller and determines the purposes and means of processing. The Processor processes personal data only on behalf of and on the documented instructions of the Controller, as described in this DPA and the Terms of Service.

2. Details of processing

Subject matter

Provision of translation business management services through the VectorLingo platform.

Duration

For the term of the Controller's subscription, plus any data retention period as described in the Terms of Service and Privacy Policy.

Nature and purpose of processing

Hosting, storing, displaying, transmitting, and processing business data entered by the Controller to provide translation project management, CRM, quoting, invoicing, vendor coordination, portal access, and reporting services.

Categories of data subjects

  • Controller's clients and their contact persons
  • Controller's vendors (translators, interpreters, reviewers) and their contact persons
  • Controller's team members and employees
  • End users of client and vendor portals

Types of personal data

  • Names and contact details (email, phone, address)
  • Business information (company name, role, department)
  • Financial information (billing details, payment records, rates, invoice amounts)
  • Project-related data (assignments, deadlines, delivery records)
  • Communication records (notes, activity logs)
  • Translation files and documents (which may contain personal data)

3. Processor obligations

The Processor shall:

  • Process on instructions. Process personal data only on the documented instructions of the Controller, unless required to do so by law. The Terms of Service and the Controller's use of Platform features constitute the Controller's instructions.
  • Ensure confidentiality. Ensure that all persons authorised to process personal data are bound by appropriate obligations of confidentiality.
  • Implement security measures. Implement and maintain appropriate technical and organisational measures to protect personal data (see section 6).
  • Assist with data subject requests. Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures in fulfilling the Controller's obligations to respond to data subject access requests and other rights under UK GDPR.
  • Assist with compliance. Assist the Controller in ensuring compliance with obligations relating to security, breach notification, and prior consultations, taking into account the nature of processing and the information available to the Processor.
  • Assist with data protection impact assessments. Assist the Controller in carrying out data protection impact assessments under Article 35 of UK GDPR, including providing all information about the Processor's processing activities that is necessary for the Controller to conduct such assessments.
  • Notify of breaches. Notify the Controller without undue delay, and in any event within 24 hours, after becoming aware of a personal data breach affecting Controller personal data. The notification shall include the nature of the breach, categories of data affected, estimated number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
  • Delete or return data. At the Controller's choice, delete or return all personal data after the end of the provision of services, and delete existing copies unless applicable law requires retention. The Controller has 30 days from termination to request data export. Following the close of the export window, the Processor will delete personal data from active systems within 30 days (i.e. within 60 days of termination) and from backup systems within 90 days of termination, unless retention is required by applicable law.

4. Sub-processors

The Controller provides general authorisation for the Processor to engage sub-processors to assist in providing the Services. The Processor currently uses the following categories of sub-processors:

  • Cloud infrastructure provider — database hosting, file storage, authentication (EU)
  • Edge hosting provider — application delivery (US/Global)
  • Email delivery service — transactional emails (US)
  • Error monitoring service — application diagnostics (US)
  • Rate limiting service — security and abuse prevention (UK)
  • Payment processor — subscription billing (US/EU)
  • Translation tool integrations — CAT tool connectivity when enabled by the Controller's organisation (EU)

A complete list of sub-processors with their identities and locations is available on request.

The Processor will notify the Controller of any intended changes to sub-processors (additions or replacements) at least 30 days in advance. The Controller may object to a new sub-processor on reasonable grounds within that 30-day period. If the Controller objects and the Processor cannot reasonably accommodate the objection, either party may terminate the affected services.

The Processor ensures that each sub-processor is bound by data protection obligations no less protective than those in this DPA.

In accordance with Article 28(4) of UK GDPR, the Processor remains fully liable to the Controller for the performance of each sub-processor's obligations. Where a sub-processor fails to fulfil its data protection obligations, the Processor shall be liable to the Controller for the sub-processor's failure.

5. International transfers

Where personal data is transferred outside the United Kingdom, the Processor ensures appropriate safeguards are in place in accordance with UK GDPR:

  • UK adequacy regulations — where the UK Secretary of State has made regulations recognising that the destination country provides an adequate level of data protection.
  • UK International Data Transfer Agreement (IDTA) — the transfer mechanism approved by the Information Commissioner under section 119A of the Data Protection Act 2018.
  • EU Standard Contractual Clauses with UK Addendum — where appropriate, EU SCCs supplemented by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, as issued by the ICO.

The Processor conducts transfer risk assessments where required to ensure that personal data receives a level of protection substantially equivalent to that guaranteed under UK GDPR.

6. Security measures

The Processor implements and maintains the following technical and organisational measures to protect personal data:

  • Encryption — data encrypted at rest and in transit using industry-standard encryption protocols (TLS 1.2+ for transit, AES-256 for storage).
  • Access controls — role-based access control with the principle of least privilege. Multi-factor authentication is available for all users.
  • Tenant isolation — strict logical separation between customer data using Row Level Security (RLS) policies enforced at the database level, ensuring that no customer can access another customer's data.
  • Backups — automated daily backups with point-in-time recovery capability. Backups are encrypted and stored in a geographically separate location.
  • Monitoring — real-time error monitoring and alerting. Automated rate limiting and abuse detection.
  • Incident response — documented incident response procedures with defined escalation paths and communication protocols.
  • Staff security — access to production systems is limited to authorised personnel on a need-to-know basis.

7. Audit rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA.

The Controller (or a mandated third-party auditor, subject to confidentiality obligations) may conduct an audit of the Processor's data processing activities, subject to the following conditions:

  • The Controller provides at least 30 days' written notice.
  • Audits are conducted during normal business hours and shall not unreasonably disrupt the Processor's operations.
  • No more than one audit per 12-month period, unless required by a supervisory authority or following a personal data breach.
  • The Controller bears the costs of any audit, except where the audit reveals material non-compliance by the Processor.

8. Liability

The liability of each party under this DPA is subject to the limitations and exclusions set out in the Terms of Service.

9. Governing law

This DPA is governed by and construed in accordance with the laws of England and Wales. To the extent not addressed in this DPA, the provisions of the Terms of Service apply.

Questions about this agreement? Contact us at privacy@vectorlingo.com.