Vaultree Ltd. Data Processing Addendum
Effective Date: 14 November 2024
This Data Processing Addendum, including annexes, (the “Addendum”) governs the Processing of Personal Data by Vaultree Ltd. having a registered business address at 12 South Mall, Centre, Cork, County Cork, T12 RD43, Ireland (“Vaultree”). Vaultree offers products and services in the field of data encryption, processing and storage (collectively, the “Services”). This Addendum governs the Processing of Personal Data on behalf of an entity or individual (the “Client”) using the Services, including but not limited to products and services offered by Vaultree, as well as any related activities where Vaultree processes personal data on behalf of the Client, where Vaultree acts in the capacity of the Data Processor and the Client acts in the capacity of the Data Controller. Vaultree and the Client are hereby collectively referred to as the “Parties” and each individually a “Party”.
The Addendum sets out rights and obligations of the Parties regarding the Processing of Personal Data.
The Addendum becomes effective on the Effective Date specified above and replaces any terms applicable to the Processing of Personal Data by Vaultree.
Definitions
In this Addendum, the following definitions shall apply:
- “Client” refers to any entity or individual who provides personal data to Vaultree, either by engaging with Vaultree’s services or through other related activities, including, but not limited to, job applicants and other associated individuals.
- “Client’s Data” shall mean the Personal Data processed through the Services of which the Client is the Data Controller.
- “Contract” shall mean a service agreement concluded between the Parties governing the Services.
- “Data Controller” shall mean a natural or legal person, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
- “Data Protection Law” means the statutory data privacy and protection regulations applicable to the Client and the Processor protecting the fundamental rights and freedoms of persons with regard to data privacy and the Processing of the Client’s Data by the Processor, including, without limitation, the GDPR and the UK Data Protection Act 2018.
- “Data Subject” shall mean an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- “EU” shall mean European Union.
- “Instruction” shall mean an instruction issued by the Client to Vaultree and directing Vaultree to perform a Processing activity pertaining to the Client’s Data in order to achieve compliance with the Data Protection Law.
- “Personal Data” shall mean any information relating to an identified or identifiable natural person.
- “Data Processor” or “Processor” shall mean a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller.
- “Processing” shall mean any operation which is performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Sub-processor” shall mean an entity that Processes Personal Data as a subcontractor of the Data Processor.
1. Subject matter of Processing
1.1 Vaultree carries out the Processing of the Client’s Data, the categories of which are described in section 4 of this Addendum, pursuant to the terms stated herein.
1.2 Vaultree is a Data Processor and the Client is a Data Controller or Data Processor, as applicable, with regard to the Client’s Data.
1.3 This Addendum applies to all activities within the scope of the Services and the Contract in the context of which Vaultree or any Sub-processor may come into contact with the Client’s Data.
1.4 To ensure the transparency of the Processing, the Parties must keep records of all Processing activities regarding Personal Data, as required by the Data Protection Law.
2. Scope, nature, and purpose of Processing
2.1 The scope, extent, and nature of the Processing are the sole purpose of facilitation of the provision of Services by Vaultree to the Client.
2.2 Vaultree shall ensure that any of its officers, directors, employees, consultants, representatives and other natural persons that participate in the Processing of the Client’s Data agree to the same restrictions and conditions as those listed in this Addendum.
2.3 The Client as the Data Controller is responsible for complying with the applicable Data Protection Law, including, but not limited to, the lawfulness of the Processing and the lawfulness of the transmission (if any) of the Client’s Data to Vaultree.
2.4 Vaultree shall Process the Client’s Data only to the extent required and with the purpose of fulfilling Vaultree’s obligations under the Contract, to the extent necessary for the provision of the Services, and in accordance with the Instructions.
2.5 Should Vaultree wish to use the Client’s Data for the purposes that are not specified in this section 3, Vaultree shall request the Client to provide prior consent in writing.
3. Categories of Personal Data
3.1 Vaultree Processes the Client’s Data submitted by the Client within the scope of the Services in an encrypted form. Vaultree does not have access to the Client’s Data in a form that would allow identifying natural persons. To the extent the Client’s Data contains Personal Data, such data may include any types and categories of personal data.
3.2 Special categories of Personal Data as defined in the Data Protection Law may be processed according to this Addendum, provided that the Client submits such data through the Services.
4. Categories of Data Subjects
4.1 The affected Data Subjects include natural persons, Client’s employees, contractors, customers, affiliates, and potential customers.
5. Duration of Processing
5.1 Except where this Addendum expressly stipulates any surviving obligation, this Addendum shall follow the term of the Contract.
5.2 Vaultree shall Process the Client’s Data for as long as the Client’s Data is necessary for the purpose described in section 3 of this Addendum.
5.3 Vaultree shall return to the Client or securely erase Client’s Data from its storage systems as soon as the Client’s Data is no longer necessary for the purpose described in section 3 of this Addendum or the Client requests Vaultree to do so. Upon request of the Client, Vaultree shall provide the Client with a proof of erasure of the Client’s Data.
6. Security of Processing
6.1 Vaultree exercises a reasonable degree of care to protect the Client’s Data from misuse, unauthorised access, disclosure, and transfer to any third parties unauthorised by the Client. Such measures include, without limitation, security measures specified in Annex I to the Addendum.
6.2 Vaultree takes appropriate technical and organisational measures in accordance with the applicable Data Protection Law to keep the Client’s Data secure and protected against unauthorised or unlawful processing and accidental loss, destruction or damage, and undertakes to continue doing so during the term of this Addendum.
6.3 If, under applicable laws, Vaultree is compelled to disclose the Client’s Data, Vaultree shall inform the Client before any such mandatory disclosure within 24 hours after such a disclosure is requested.
6.4 Any significant changes to the security measures listed in section 7.1 of the Addendum shall be documented by Vaultree and reported to the Client.
6.5 For the purpose of documentation, Vaultree may provide evidence for the implementation of security measures by providing up-to-date attestations and reports.
7. Correction and deletion of Personal Data
7.1 Vaultree agrees to correct, erase and/or block the Client’s Data, if requested by the Client, provided that the functionality of the Services permits such an operation. Vaultree shall not correct, erase or block the Client’s Data, unless instructed by the Client.
7.2 In the event that a Data Subject does apply directly to Vaultree in writing with a request to exercise Data Subject’s legitimate rights, e.g., to request the correction or deletion of his/her Personal Data, Vaultree shall inform the Client of the same. Upon authorisation of the Client, Vaultree shall be entitled to respond to the Data Subject’s request to the extent Vaultree has access to the Client’s Data in question.
8. Data Processor’s obligations
8.1 In addition to any other obligations set out in this Addendum, Vaultree agrees to:
a) Comply with all laws and regulations applicable to Vaultree’s business activities;
b) Ensure that persons authorised to Process the Client’s Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
c) Ensure that any natural person acting under the authority of Vaultree who has access to the Personal Data does not process them except on instructions from the Client;
d) Make available to the Client all information necessary to demonstrate compliance with Vaultree’s obligations under the Addendum, the Data Protection Law, and allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client;
e) Monitor the Processing by way of regular reviews concerning the performance of and compliance with this Addendum, the Contract, and the applicable Data Protection Law;
f) At Client’s written request, reasonably support the Client in dealing with requests from individual Data Subjects and/or a supervisory authority with respect to the Processing of the Personal Data hereunder;
g) Assist the Client with the implementation of appropriate technical and organisational measures in order to respond to applications by the Data Subjects for the exercise of their rights;
h) Provide at minimum the information required by the Data Protection Law in the case of a Personal Data breach;
i) Communicate the necessary information to the Data Subjects after a Personal Data breach pursuant to the Data Protection Law; and
j) If applicable under the Data Protection Law, conduct prior (i.e., before the start of the processing) data protection impact assessments and, if necessary, consult with a supervisory authority.
9. Sub-processors
9.1 The Client hereby authorises Vaultree to engage Sub-processors as specified in Annex II to the Addendum, provided that Vaultree remains responsible for any acts or omissions of its Sub-processors in the same manner as for its own acts and omissions hereunder.
9.2 Vaultree may remove or appoint suitable and reliable other Sub-processor(s) at its own discretion in accordance with the following conditions:
a) Vaultree shall inform the Client fourteen (14) days in advance of any envisaged changes to the list of Sub-processors;
b) If the Client has a legitimate data protection related reason to object to Vaultree’s use of Sub-processor(s), the Client shall notify Vaultree within fourteen (14) days after receipt of Vaultree’s notice;
c) If the Client does not object during this time period, the new Sub-processor(s) shall be deemed accepted;
d) If the Client objects to the use of the Sub-processor(s) concerned, Vaultree shall have the right to cure the objection through one of the following options (to be selected at Vaultree’s sole discretion):
i) Vaultree will abort its plans to use the Sub-processor(s) with regard to the Client’s Data; or
ii) Vaultree will take corrective steps and proceed to use the Sub-processor(s) with regard to the Client’s Data.
e) If Vaultree decides not to implement option 9.2.d.i or 9.2.d.ii above, Vaultree shall notify the Client without undue delay. In this case, the Client shall be entitled within a further fourteen (14) days to notify Vaultree in writing of its termination of the Addendum, and any such termination would become effective upon the expiry of the second (2nd) calendar month after Processor’s receipt of the termination notice.
9.3 Vaultree shall pass on to its subcontractors acting as the Sub-processors Vaultree’s obligations under this Addendum.
9.4 Vaultree shall ensure that, where the Client’s Data is transferred from the territory where the Client is located, appropriate safeguards, including the transfer mechanisms listed in section 14, are applied by Vaultree to ensure that the Client’s Data is further processed in a secure manner compliant with this Addendum and the Data Protection Law.
10. Personal Data breaches
10.1 Within 24 hours after Vaultree becomes aware of any unauthorised use or disclosure of the Client’s Data, Vaultree shall promptly report the unauthorised use or disclosure of the Client’s Data to the Client.
10.2 Vaultree shall cooperate with any remediation that the Client, in its discretion, determines is necessary to (i) address any applicable reporting requirements and (ii) mitigate any effects of unauthorised use or disclosure of the Client’s Data.
10.3 In consultation with the Client, Vaultree must take appropriate measures to secure the Client’s Data and limit any possible detrimental effect on the Data Subjects. Where obligations are placed on the Client under the Data Protection Law, Vaultree shall provide commercially reasonable assistance in meeting them.
11. Notifications
11.1 If Vaultree receives a request, subpoena or court order (including through an obligation due to legal provisions or official injunctions from state authorities) requesting to provide any Client’s Data to an authority, Vaultree shall attempt to redirect the relevant authority to request that data directly from the Data Controller, and notify the Client without undue delay.
11.2 Where the Client’s Data becomes subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while in Vaultree’s control, Vaultree shall notify the Client of such action without undue delay.
12. Instructions
12.1 The Instructions to Vaultree are initially laid out in this Addendum. However, the Client shall be entitled to issue modifications to Instructions and to issue new Instructions, subject to feasibility.
12.2 The Client shall designate a person competent to issue the Instructions. Modifications or new Instructions shall be issued in writing and shall need to be agreed between the Parties as a contract modification/change request under this Addendum.
12.3 Vaultree shall not be obligated to perform a comprehensive legal examination and shall in no event render any legal services to the Client.
12.4 Vaultree shall not be responsible for any consequences of the Instructions issued by the Client and the Client shall indemnify and hold Vaultree harmless against any damages and third-party claims resulting from the Instruction.
12.5 Unless otherwise agreed, Vaultree shall be entitled to charge any efforts incurred in connection with the Instructions on a time and materials basis.
13. Transfer mechanisms
13.1 Vaultree makes available the transfer mechanisms, namely, concluding EU or UK Standard Contractual Clauses, which apply to any transfers of the Client’s Data under this Addendum from the EU, the European Economic Area and/or their member states, Switzerland, and the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of the GDPR.
13.2 For any other cross-border transfers of Personal Data, Vaultree shall take steps necessary to ensure compliance with the applicable data protection rules and regulations.
14. Miscellaneous
14.1 This Addendum takes precedence over any conflicting provisions of the Contract.
14.2 This Addendum commences on the Effective Date and continues for the term of the Contract, unless terminated earlier by either Party.
14.3 Upon expiration or termination of this Addendum or on Client’s request, Vaultree agrees to:
a) Promptly securely delete or return any Client’s Data available to Vaultree and any other information and documents, provided by the Client; and
b) Deliver to the Client a certificate confirming Vaultree’s compliance with the destruction obligation under this section 14.3.
14.4 Neither Party may assign this Addendum or any of their rights or obligations under this Addendum without the other Party’s prior consent.
14.5 The Parties agree to attempt to resolve any dispute arising out of or relating to this Addendum in good faith through negotiations between senior executives of the Parties, who have authority to settle the same. If the matter is not resolved by negotiation within thirty (30) days of receipt of a written invitation to negotiate, the dispute shall be resolved by using binding arbitration services.
14.6 The headings used in this Addendum and its division into sections, schedules, exhibits, appendices, and other subdivisions do not affect its interpretation.
14.7 If there is any inconsistency between the terms of this Addendum and those in any document entered into under this Addendum, the terms of this Addendum shall prevail. The Parties agree to take all necessary steps to conform the inconsistent terms to the terms of this Addendum.
Attached:
Annex I: Technical and organisational security measures deployed by Vaultree
Annex II: List of Sub-processors
Annex III: Cross-border Personal Data Transfer Mechanisms
Annex I
Technical and organisational security measures deployed by Vaultree
Vaultree implements organisational and technical information security measures (the “Measures”) to protect the Client’s Data from loss, misuse, unauthorised access, and disclosure, including, without limitation:
- Undertaking an analysis of the risks presented by the processing of personal data conducted by Vaultree, and using this to assess the appropriate level of security the data importer needs to put in place.
- When deciding on the Measures to be implemented, Vaultree takes account of the state of the art and costs of implementation.
- Organisational management and dedicated staff responsible for the development, implementation, review, and maintenance of data importer’s information security program and policies.
- Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Vaultree, monitoring and maintaining compliance with Vaultree’s policies and procedures, and reporting the condition of its information security and compliance to senior internal management.
- Maintenance of information security policies and making sure that policies and measures are regularly reviewed and, where necessary, improved.
- Vaultree utilises cryptographic protocols such as TLS to protect information in transit over public networks. At the network edge, stateful firewalls, web application firewalls, and DDoS protection are used to filter attacks. Within the internal network, Vaultree follows a multi-tiered model which provides the ability to apply security controls between each layer.
- Data security controls which include logical segregation of data, restricted (e.g. role-based) access and monitoring, and, where applicable, utilisation of commercially available and industry-standard encryption and pseudonymisation technologies.
- Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g. granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access promptly when employment terminates or changes in job functions occur).
- Password controls designed to manage and control password strength, and usage including prohibiting users from sharing passwords.
- System audit or event logging and related monitoring procedures to proactively record user access and system activity for routine review.
- Physical and environmental security of areas containing confidential information designed to: (i) protect information assets from unauthorised physical access; (ii) manage, monitor and log movement of persons into and out of the Vaultree’s facilities; and (iii) guard against environmental hazards such as heat, fire and water damage.
- Operational procedures and controls to provide for configuration, monitoring, and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from data importer’s possession.
- Change management procedures and tracking mechanisms designed to test, approve and monitor all changes to Vaultree’s information assets.
- Incident / problem management policies and procedures designed to (i) allow Vaultree to investigate, respond to, mitigate and notify of events related to Vaultree’s technology and information assets, (ii) restore access to personal data in the event of any incidents, such as establishing an appropriate backup process, and (iii) assess incidents.
- Network security controls that provide for the use of enterprise firewalls and layered DMZ architectures, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
- Vulnerability assessment, patch management, and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
Annex II
List of Sub-processors
The Client has authorised Vaultree to use the following Sub-processors:
Annex III
Cross-border Personal Data Transfer Mechanisms
- Vaultree uses the following cross-border Personal Data transfer mechanism: Standard Contractual Clauses (EU) or Standard Contractual Clauses (UK), as applicable.
- A copy of Standard Contractual Clauses (EU) or Standard Contractual Clauses (UK) for signature may be received by email at legal@vaultree.com.