Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between the Customer and Vatengi Systems LLC ("Processor," "we," or "us") when the Customer uses the Service and Processor processes Personal Data on the Customer's behalf. This DPA applies where GDPR, UK GDPR, or equivalent law requires a written processor agreement.

1. Roles of the parties

Customer as Controller. For Personal Data that Customer uploads, generates, or instructs us to process in the workspace (for example, contact lists, campaign data, mailbox content, and user account information within Customer's organization), Customer is the controller and Vatengi Systems LLC is the processor.

Dual role for Directory Data. For professional contact information in our business directory that we collect and determine how to use independently, we act as an independent controller, as described in our Privacy Policy. This DPA does not make Processor the controller of Directory Data.

2. Subject matter and duration

Processor will process Customer Personal Data to provide the Service for the duration of the subscription and until deletion or return in accordance with this DPA and the Terms.

3. Nature and purpose of processing

Processing includes storage, organization, retrieval, enrichment, export, CRM synchronization, email sequence delivery, analytics, security monitoring, and support as configured by Customer through the Service.

4. Categories of data subjects and data

• Data subjects: Customer's employees, contractors, prospects, and contacts whose data Customer places in the workspace.
• Categories: identifiers, professional information, contact details, communication content, usage logs, and other data Customer submits or generates.

5. Processor obligations

Processor will:

• Process Personal Data only on documented instructions from Customer, including through configuration of the Service, unless required by law (in which case Processor will inform Customer unless prohibited).
• Ensure personnel authorized to process Personal Data are bound by confidentiality.
• Implement appropriate technical and organizational measures as described in Section 7.
• Not engage another processor without Customer's general authorization via our subprocessor program; Processor will maintain a subprocessor list and provide notice of material changes where required.
• Assist Customer, considering the nature of processing, with data subject requests and regulatory inquiries relating to Customer-controlled Personal Data, using appropriate technical and organizational measures.
• Notify Customer without undue delay after becoming aware of a Personal Data breach affecting Customer-controlled Personal Data, and provide information reasonably available to support Customer's obligations.
• At Customer's choice, delete or return Customer-controlled Personal Data upon termination of the Service, subject to legal retention requirements.
• Make available information reasonably necessary to demonstrate compliance and allow audits as described in Section 10.

6. Customer obligations

Customer will:

• Ensure a lawful basis for processing and transferring Personal Data to Processor.
• Provide required notices to data subjects and honor their rights.
• Configure the Service and integrations responsibly and in compliance with applicable law.
• Not submit special categories of data unless expressly agreed in writing.

7. Security measures

Processor maintains measures including access controls, authentication, encryption of sensitive credentials, tenant isolation, audit logging, and vulnerability management. Details may be provided upon request or through security documentation made available to enterprise customers.

8. Subprocessors

Customer authorizes Processor to use subprocessors for hosting, infrastructure, payments, email delivery, enrichment, analytics, and support. Processor imposes data protection obligations on subprocessors substantially similar to those in this DPA. A current subprocessor list is published in our Trust Center. You may also request updates by contacting privacy@vatengi.com.

9. International transfers

Where Personal Data is transferred from the EEA, UK, or Switzerland to countries without an adequacy decision, the parties will execute Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module Two or Module Three as applicable) or the UK International Data Transfer Addendum, incorporated by reference into this DPA. Supplementary measures will be applied where required by applicable guidance.

10. Audits

Upon reasonable written request no more than once per year, Customer may request information or summaries of Processor's compliance (for example, SOC reports or security questionnaires). On-site audits may be conducted only with mutual agreement, subject to confidentiality, and at Customer's expense, unless required by a supervisory authority.

11. Liability

Liability arising from this DPA is subject to the limitations and exclusions in the Terms of Use, except where prohibited by applicable data protection law.

12. Order of precedence

If there is a conflict between this DPA and the Terms regarding processing of Customer-controlled Personal Data, this DPA controls. If there is a conflict between this DPA and the Privacy Policy, this DPA controls for processor processing and the Privacy Policy controls for Processor's independent controller activities.

13. Acceptance

This DPA is effective when a workspace administrator accepts it in workspace settings or when Customer continues to use the Service after we make the DPA available. Version: 2026-06-09.

14. Governing law

This DPA is governed by the laws of the State of Illinois, United States, without regard to conflict-of-law principles. For disputes relating to this DPA that are not subject to arbitration under the Terms of Use, exclusive jurisdiction and venue lie in the state courts located in Cook County, Illinois, and for federal claims, in the U.S. District Court for the Northern District of Illinois.

Contact us

Company

Vatengi Systems LLC

980 N Michigan Ave Ste 1090
PMB 705344
Chicago, Illinois 60611-4521

Phone 1-312-942-0505

Website vatengi.com

Email

• Compliance compliance@vatengi.com
• Privacy privacy@vatengi.com
• Legal legal@vatengi.com
• Abuse abuse@vatengi.com
• Support support@vatengi.com

Privacy request form · Directory opt-out