Vector56

Data Processing Agreement

Version 1.0 — effective 13 May 2026.

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer", acting as Controller) and 98M7 Group OÜ ("98M7", acting as Processor). It sets out how 98M7 processes personal data on Customer's behalf in connection with the Services. By accepting the Terms of Service you accept this DPA; no separate signature is required.

1. Definitions

Terms not defined in this DPA have the meanings given in the GDPR. "Customer Personal Data" means personal data that 98M7 processes on Customer's behalf under the Terms. "Applicable Data Protection Law" means the EU General Data Protection Regulation (Regulation (EU) 2016/679), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act / CPRA, and any other equivalent law applicable to the processing.

2. Roles

Customer is the Controller of Customer Personal Data. 98M7 is the Processor. Where the law treats either party as a Joint Controller for any specific processing, the parties will agree the responsibilities required by Article 26 GDPR in writing.

3. Subject matter, duration, nature, purpose, categories

Subject matter and duration. Processing of Customer Personal Data as necessary to provide the Services, for the term of the Terms of Service and any wind-down period.
Nature and purpose. Hosting, transmitting, displaying, storing, securing, supporting and improving the Services for Customer.
Categories of data subjects. Customer's authorised users, Customer's own customers, prospects and contacts whose data Customer chooses to upload, and any other natural persons whose data Customer submits to the Services.
Categories of personal data. Typically: names, contact details, account credentials, professional and employment data, content submitted by users, usage and event data, technical identifiers (IP, device, browser). 98M7 does not require Customer to submit special-category data and Customer should not submit it unless strictly necessary; where Customer does submit it, Customer is responsible for ensuring a valid Article 9 condition.

4. Customer's instructions

98M7 processes Customer Personal Data only on Customer's documented instructions. The Terms of Service, this DPA, and Customer's use of the Services (including configuration choices in the product) constitute Customer's documented instructions. 98M7 will tell Customer if an instruction infringes Applicable Data Protection Law (without prejudice to any obligation 98M7 may have to comply with a legal requirement that overrides Customer's instructions, in which case 98M7 will inform Customer of the requirement before processing where law permits).

5. Confidentiality

98M7 ensures that personnel authorised to process Customer Personal Data are bound by appropriate obligations of confidentiality.

6. Security

98M7 implements appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures are set out in Annex II below and are reviewed periodically. 98M7 may update them provided the overall level of protection is not reduced.

7. Subprocessors

Customer grants 98M7 general written authorisation to engage subprocessors. 98M7 maintains a current list at vector56.com/subprocessors and will give Customer at least 30 days' prior notice of any addition or replacement (by updating the page and, for customers who have subscribed to subprocessor change notifications, by email). Customer may object to a change on reasonable data-protection grounds during the notice period; if the parties cannot agree on a resolution, Customer may terminate the affected Services and receive a refund of unused prepaid credits for those Services.

98M7 binds each subprocessor in writing to data-protection obligations no less protective than those in this DPA, and remains liable to Customer for the acts and omissions of its subprocessors.

8. Data subject rights

98M7 will, taking into account the nature of the processing, assist Customer by appropriate technical and organisational measures, insofar as possible, to fulfil Customer's obligation to respond to data subject requests under Chapter III of the GDPR. Where 98M7 receives a request directly from a data subject in relation to Customer Personal Data, 98M7 will forward the request to Customer without responding to its substance.

9. Personal data breach

98M7 will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Personal Data. The notification will include, to the extent then known: the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it.

10. Data protection impact assessment and prior consultation

98M7 will provide reasonable assistance to Customer in carrying out data protection impact assessments and consultations with supervisory authorities under Articles 35 and 36 GDPR, where required and to the extent the information is available to 98M7.

11. Deletion and return of Customer Personal Data

On termination of the Terms of Service, 98M7 will, at Customer's choice, delete or return all Customer Personal Data and delete existing copies, unless EU or Member State law requires storage. Customer may export its data through the Services' export functionality at any time during the term. Backup copies are deleted on the rolling cycle described in 98M7's Privacy Policy.

12. Audits and information

98M7 will make available to Customer all information necessary to demonstrate compliance with Article 28 GDPR and this DPA, and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer. To minimise disruption and protect confidentiality of other customers, audits are limited to once per twelve-month period (unless required more frequently by an applicable supervisory authority or following a personal data breach), are conducted at Customer's expense during business hours on reasonable prior notice, and may be satisfied by 98M7 providing recent third-party audit reports, certifications or written responses to a reasonable security questionnaire where these are sufficient.

13. International transfers

To the extent that processing under this DPA involves transfer of Customer Personal Data from the EEA, UK or Switzerland to a country that does not benefit from an adequacy decision, the parties incorporate by reference the European Commission's Standard Contractual Clauses (Decision 2021/914) as follows:

Module. Module 2 (Controller to Processor) where Customer is Controller and 98M7 is Processor; Module 3 (Processor to Processor) where Customer is itself a Processor and 98M7 is its Subprocessor.
Optional clauses. Clause 7 (Docking) — included. Clause 11 (Independent dispute resolution) — not included. Clause 17 (Governing law) — the law of Estonia. Clause 18 (Forum) — the courts of Estonia.
Annexes. Annex I.A (parties), Annex I.B (description of transfer), Annex II (technical and organisational measures), and Annex III (list of subprocessors) are completed by Annex A, B and II of this DPA and by the live subprocessors page.
UK transfers. The parties additionally incorporate the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018), with the Tables in Part 1 completed as set out in Annex A below and Table 4 (Ending the Addendum when the Approved Addendum Changes) selecting that neither party may end the Addendum.
Swiss transfers. The SCCs apply with the adjustments necessary for processing governed by the Swiss Federal Act on Data Protection, including treating the Swiss Federal Data Protection and Information Commissioner as the supervisory authority.

14. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability where such limitation would be prohibited by Applicable Data Protection Law.

15. Order of precedence

In the event of any conflict, the order of precedence is: (1) the SCCs (and UK Addendum where applicable); (2) this DPA; (3) the Terms of Service.


Annex A — Parties and description of transfer

Data exporter. Customer, as identified in its account information. Role: Controller (or Processor where Customer is itself a Processor of its own customers' data).
Data importer. 98M7 Group OÜ, Tallinn, Estonia. Contact via the contact page. Role: Processor.
Categories of data subjects, categories of personal data, special categories, frequency, nature and purpose, retention. As described in section 3 of this DPA, the Privacy Policy and the Services configuration. Frequency: continuous, for the term of the Services. Retention: as set out in the Privacy Policy, this DPA and the Terms.
Competent supervisory authority for SCCs Annex I.C. The Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).

Annex B — Subprocessors

The current list of subprocessors is published at vector56.com/subprocessors and forms part of this DPA. The page identifies each subprocessor's name, processing purpose, categories of data processed, hosting location, country of incorporation, and transfer mechanism where applicable.

Annex II — Technical and organisational measures

Without limiting the description in section 8 of the Privacy Policy, 98M7's measures include:

Encryption. TLS 1.2 or later for data in transit; encryption at rest (AES-256 or equivalent) for production data stores and backups.
Pseudonymisation. Used where compatible with Service functionality, particularly in non-production environments.
Confidentiality, integrity, availability and resilience. Role-based access controls, least-privilege defaults, multi-factor authentication for administrative accounts, time-bound access tokens, network segregation, regular dependency patching, separation of production and non-production environments, automated backups with documented restore tests.
Recovery. Documented incident-response plan; recovery objectives proportionate to the Service tier.
Testing. Periodic security review of the production environment; logged access to sensitive systems; dependency vulnerability monitoring.
User identification and authorisation. Unique credentials per user, password hashing, session management, MFA available for end users where supported by the Service.
Protection of data during transmission and storage. Encrypted transmission, encrypted storage, no transmission of plaintext credentials.
Physical security. Provided by infrastructure subprocessors (Cloudflare, etc.) under their certified data-centre security programmes.
Events logging. Administrative actions and security-relevant events are logged with timestamps.
Governance. Personnel under written confidentiality obligations; written subprocessor agreements; this DPA; periodic review of measures.

Contact

98M7 Group OÜ — Tallinn, Estonia. DPA queries: contact us.

Vector56 is a brand of 98M7 Group OÜ, a company registered in Estonia.