Vantaca Data Processing Addendum
Last updated December 2025
This Data Processing Addendum (“DPA”) amends and forms part of the Vantaca Terms of Service (the “Terms of Service”) between the Customer and Vantaca, LLC (“Vantaca”) (collectively, “the parties”). This DPA governs Vantaca’s Processing of Personal Data in connection with the Services provided under the Terms of Service and any applicable Order (collectively with the Terms of Service, the “Agreement”). To the extent there is a conflict between the Agreement and this DPA with respect to the Processing of Personal Data, this DPA takes precedence but does not otherwise modify the Agreement.
Customer is the entity that determines the purposes and means for which Personal Data is Processed (“Data Controller”), and Vantaca Processes Personal Data on the Data Controller’s behalf and in accordance with the Data Controller’s written instructions (“Data Processor”), where “Processing” (including its cognate “Process”) means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Personal Data” means any information that reasonably relates, directly or indirectly, to an identified or identifiable natural person that Vantaca may Process on Customer’s behalf in performing the services under the Agreement. The terms “Data Controller” and “Data Processor” shall have the same meaning as those similar concepts used in any applicable laws and regulations that apply to the Processing of Personal Data under the Agreement, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and all other privacy and data protection laws of the European Economic Area, and their respective Member States, Switzerland and the United Kingdom (“UK”), and the laws and regulations of the United States and its states, as amended from time to time, to the extent such laws and regulations apply to the relevant party (“Data Protection Laws”). Vantaca and Customer each agree to comply with their respective obligations under Data Protection Laws.
- Personal Data Processing Requirements. Vantaca agrees to use Personal Data solely for the nature, purpose, and duration of the Processing identified in the Agreement and in this DPA. For clarity, as Data Processor, Vantaca will not sell or share Personal Data, nor will Vantaca use, disclose, retain, or otherwise process Personal Data (i) for a purpose other than the specific purpose of providing the Services; (ii) outside of the direct business relationship between Vantaca and Customer and the written instructions received from Customer; and (iii) in a manner inconsistent with applicable Data Protection Laws. The parties agree that any Personal Data exchanged between them in connection with the Agreement is not consideration from either party to the other with respect to the Agreement or otherwise. Where the Personal Data is subject to the California Privacy Rights Act of 2020 (“CCPA”), Vantaca will not: (i) “Sell” or “Share” personal data (each as such term is defined under the CCPA); (ii) process personal data outside the direct business relationship between the parties or for any purpose other than to provide the services in accordance with the Agreement; or (iii) combine any customer data with any personal data or personal information as defined under applicable Data Protection Laws that Vantaca receives from or on behalf of another party, or collects from its own interactions with individuals, except as otherwise permitted under the CCPA. The foregoing sentence does not apply to Personal Data that has been anonymized, aggregated, or de-identified to the extent the Agreement permits or instructs Vantaca to process or use Personal Data that is anonymized, aggregated, or de-identified.
In such cases, Vantaca will (i) adopt reasonable measures to prevent such de-identified data from being used to infer information about, or otherwise being linked to, a particular natural person or household; (ii) not make attempts to re-identify the information, except solely for the purpose of determining whether its de-identification process functions as designed; and (iii) before sharing de-identified data with any other party, contractually obligate such recipients to comply with the requirements of this provision.
- Subprocessors. Vantaca may disclose Personal Data to Vantaca’s sub-processors as necessary to deliver the Services or to help satisfy its obligations in accordance with this DPA (“Subprocessor”), and Customer hereby consents to the use of such Subprocessors. Vantaca will enter into contractual arrangements with each Subprocessor binding them to provide a comparable level of data protection to that provided for in the Agreement and this DPA. Vantaca agrees to be liable for the acts and omissions of its Subprocessors to the same extent Vantaca would be liable under the terms of the DPA if it performed such acts or omissions itself, subject to the limitations of liabilities set forth in the Agreement.
- Notifications to Customer. Vantaca will inform Customer if Vantaca determines that an instruction from Customer violates any applicable Data Protection Laws and/or if Vantaca can no longer meet its obligations under this DPA, unless it is prohibited from doing so by law on important grounds of public interest. If Vantaca is required by Data Protection Laws to process any Personal Data for reasons outside of the Agreement, Vantaca will inform Customer in advance of any such processing, unless prohibited by law. Vantaca will provide Customer prompt notice if Vantaca becomes aware of a binding or non-binding request for disclosure of Personal Data to law enforcement authorities, courts or any government body, unless prohibited by
- Data Subject Rights. If Customer’s data subjects submit a complaint or request with respect to access to or the rectification, erasure, restriction, portability, objection, blocking, or deletion of Personal Data directly to Vantaca, Vantaca will inform the Customer and will not respond to such a request without Customer’s prior written authorization. Vantaca will provide reasonable assistance to Customer to provide information necessary to respond to such requests, taking into account the nature of the Processing and the information available to Vantaca.
- Security and Breach Prevention. Vantaca will maintain reasonable and appropriate physical, organizational and technical security measures to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Personal Data, and protect the rights of the Personal Data, appropriate to the risk, which include the technical and organizational measures required by applicable Data Protection Law. Appropriate safeguards will be taken to confirm that Vantaca personnel are protecting the security, privacy, and confidentiality of Personal Data consistent with the requirements of this DPA, and to require that persons employed by Vantaca and other persons engaged to perform on its behalf be subject to a duty of confidentiality with respect to the Personal Data and comply with the data protection obligations applicable to Vantaca under the Agreement and this DPA. Vantaca will inform Customer without undue delay if Vantaca becomes aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Personal Data processed by Vantaca for Customer (“Security Incident”) by Vantaca, its Subprocessors, or any other third parties acting on Vantaca’s behalf. Vantaca will provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer to allow Customer to fulfil its data breach reporting obligations under applicable Data Protection Law.
- Customer Assistance, Audits, and Assessments. Vantaca will cooperate with assessments or audits performed by or on behalf of Customer to confirm that Vantaca is processing Personal Data in a manner consistent with this DPA and Data Privacy Laws (“Audits”) on the condition that: (i) the Audit is required by law; (ii) where permitted by law, Vantaca may first provide a summary of the results of a third-party audit or certification report (“Third-Party Certification”) to demonstrate compliance; (iii) the Audit occurs if such Third-Party Certification is not sufficient to demonstrate Vantaca’s compliance with the obligations set out in this DPA and Data Privacy Laws; (iv) Vantaca is given at least thirty (30) days advance written notice of the Audit; (v) the parties mutually agree upon the scope, time, and duration of the Audit; (vi) the Audit is at the Customer’s sole expense; and (vii) the Audit is conducted in a manner that is minimally disruptive to Vantaca’s The results of such Audits and any Third-Party Certifications provided to Customer shall be the Confidential Information of Vantaca. Where required by law, Vantaca grants Customer the right to stop and remediate unauthorized use of Personal Data. Vantaca will provide commercially reasonable assistance to Customer for the preparation of data protection impact assessments with respect to the Processing of Personal Data by Vantaca, and where necessary, provide consultations with any supervisory authority with jurisdiction over such processing.
- Customer Obligations. Customer represents and warrants that it (i) has and will maintain throughout the term all necessary rights, consents, and authorizations under applicable Data Protection Law for Vantaca to lawfully Process Personal Data for the purposes contemplated by the Agreement, (ii) make appropriate use of the services to ensure a level of security appropriate to the particular content of the Personal Data, (iii) comply with all Data Protection Law applicable to the collection of Personal Data and the transfer of such Personal Data to Vantaca, and (iv) ensure its processing instructions comply with applicable laws (including applicable Data Protection Law). Customer authorizes Vantaca to use, disclose, retain, and otherwise process Personal Data as contemplated by the Agreement, this DPA, and/or other processing instructions provided by Customer to Vantaca. Customer acknowledges and agrees that Customer, not Vantaca, is responsible for certain design and configuration decisions related to the Services, and the secure implementation of these decisions that complies with applicable Data Protection Laws.
- Restricted Data Transfers. In the event that Customer is subject to European Data Protection Law and the transfer of Personal Data to Vantaca would be restricted in the absence of the Standard Contractual Clauses, the Parties agree that the Standard Contractual Clauses shall be incorporated into this DPA with Customer as the “data exporter” and Vantaca as the “data importer.” The Standard Contractual Clauses are further completed as follows: the optional docking clause in Clause 7 is implemented; Clause 9(a) option 2 is implemented and the time period therein is specified as thirty (30) days; the optional redress clause in Clause 11(a) is struck; the governing law in Clause 17 is the law of the Republic of Ireland; the courts in Clause 18(b) are the Courts of the Republic of Ireland; and Annex 1, 2 and 3 to the Standard Contractual Clauses are Paragraph 3, 4, and 5 of this DPA respectively. To the extent required by Data Protection Law in the UK, Part 1, tables 1, 2 and 3 of the UK SCCs will be deemed to be completed like its equivalent provisions in the EU SCCs. For the purpose of Part 1, Table 4, the party that may end the UK SCCs in accordance with Section 19 of the UK Addendum is the importer.
- Term and Termination. This DPA will remain in effect for as long as Vantaca is processing Personal Data on Customer’s behalf, or until the termination of the Agreement, and all Personal Data has been returned or deleted in accordance with this DPA. Upon termination of this DPA, Vantaca will direct each Subprocessor to delete Personal Data within thirty (30) days of the termination, unless prohibited by law.
- General.
  - If there is any conflict between this DPA and the Agreement, this DPA will prevail to the extent of that conflict in connection with the Processing of Personal Data.
  - If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
  - Notwithstanding anything to the contrary in the Agreement or this DPA, the liability of each party under this DPA is subject to the limitations of liability set out in the Agreement.
  - This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement.
