Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of the agreement between VaultXchange LLC ("VaultXchange") and the business customer that uses the Service ("Customer") and governs the processing of personal data that VaultXchange processes on Customer's behalf in connection with the Service.
If there is a conflict between this DPA and the Terms of Service, this DPA controls with respect to personal data processed on behalf of Customer.
1. Roles of the Parties
To the extent VaultXchange processes personal data on behalf of Customer:
- Customer acts as controller, business, or equivalent role under applicable law, as applicable; and
- VaultXchange acts as processor, service provider, vendor, or equivalent role, as applicable.
Customer determines the purposes and means of the processing of personal data it submits to the Service, subject to the functionality of the Service and applicable law.
2. Processing Instructions
VaultXchange will process personal data only:
- to provide, maintain, support, secure, and improve the Service;
- as instructed by Customer through use of the Service or documented agreement;
- as required by applicable law; or
- as otherwise permitted by this DPA or the Terms.
Customer instructs VaultXchange to process personal data for the following purposes:
- account creation and administration;
- store-credit ledger maintenance;
- trade-in processing;
- sales and operational workflows;
- reporting and analytics;
- security and fraud prevention;
- support and troubleshooting; and
- related business operations.
3. Customer Responsibilities
Customer represents and warrants that:
- it has provided all required notices and obtained all required rights, consents, and authorizations to disclose personal data to VaultXchange;
- its instructions comply with applicable law;
- it will not use the Service to process personal data in violation of law; and
- it will not submit personal data for which it lacks a lawful basis to disclose.
Customer is solely responsible for the accuracy, quality, and legality of personal data and for the means by which Customer acquired the data.
4. Confidentiality
VaultXchange will ensure that persons authorized to process personal data are subject to confidentiality obligations appropriate to their role.
5. Security Measures
VaultXchange will implement and maintain reasonable administrative, technical, and organizational measures designed to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
Security measures may include:
- role-based access controls;
- password hashing;
- network and application security controls;
- logging and monitoring;
- access limitation principles;
- vendor management; and
- backup and recovery procedures.
6. Subprocessors
Customer authorizes VaultXchange to engage subprocessors to support the Service, including hosting, storage, email delivery, scheduling, payment processing, analytics, and related services.
Current or anticipated subprocessors may include:
- Vercel;
- Supabase;
- Calendly;
- Google Workspace / Gmail;
- Stripe;
- PriceCharting;
- eBay;
- PSA;
- CGC;
- EasyPost; and
- other vendors reasonably necessary to operate the Service.
VaultXchange will use commercially reasonable efforts to impose appropriate data protection obligations on subprocessors.
7. Data Subject Requests
To the extent legally required and operationally feasible, VaultXchange will reasonably assist Customer in responding to valid data subject, consumer, or end-user requests relating to personal data processed under the Service.
Customer is responsible for verifying the identity of the requesting individual and for deciding whether to honor any request.
8. Deletion and Return
Upon termination of the Service or Customer's account, VaultXchange may delete or anonymize personal data in accordance with its retention practices, unless retention is required by law, dispute preservation obligations, security needs, or legitimate business purposes.
If Customer requests deletion or return of data and such request is feasible, VaultXchange may provide export or deletion services subject to technical limitations, legal requirements, and reasonable administrative fees, if permitted by law.
9. Data Breach Notice
If VaultXchange becomes aware of a confirmed unauthorized acquisition, disclosure, or access involving personal data processed under this DPA, VaultXchange will notify Customer without undue delay and, where required by law, within a commercially reasonable time after confirming the incident.
Customer remains responsible for any statutory notices to regulators, affected individuals, or others, except to the extent VaultXchange is legally required to provide such notices directly.
10. Audit
Customer may request reasonable information necessary to demonstrate compliance with this DPA, subject to:
- confidentiality;
- security;
- privilege;
- third-party restrictions;
- reasonable frequency limits; and
- operational burden.
Any on-site audit right must be expressly agreed in writing and may be subject to strict limitations.
11. Cross-Border Transfers
To the extent personal data is transferred across borders, the parties will rely on lawful transfer mechanisms as applicable. Customer authorizes such transfers to the extent necessary to operate the Service.
12. Liability
VaultXchange will not be liable for:
- Customer's failure to provide adequate notices or obtain valid consent;
- Customer's unlawful instructions;
- Customer's misuse of the Service;
- Customer's failure to honor its own privacy obligations; or
- matters outside VaultXchange's reasonable control.
Any liability relating to this DPA is subject to the limitations of liability in the Terms, except where prohibited by law.
13. Term and Survival
This DPA remains in effect for so long as VaultXchange processes personal data on Customer's behalf. Sections concerning confidentiality, deletion, liability, and dispute resolution survive termination to the extent necessary.
14. Miscellaneous
This DPA may be updated to reflect changes in law, regulatory guidance, or the Service. If a material change is required, VaultXchange may provide notice and, where required, Customer's continued use of the Service after notice will constitute acceptance.
15. Contact
VaultXchange LLC
PO Box 284
Winchester, KY 40391
Support@creditvaultapp.com