Data Processing Agreement
Last updated: May 13, 2026
1. Definitions
Capitalized terms not defined in this DPA have the meaning given in the Agreement.
“Applicable Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including (where applicable) Regulation (EU) 2016/679 (“GDPR”), the United Kingdom General Data Protection Regulation and the UK Data Protection Act 2018 (“UK GDPR”), the Swiss Federal Act on Data Protection (“FADP”), the Act respecting the protection of personal information in the private sector (Quebec) (“Law 25”), and the Personal Information Protection and Electronic Documents Act (Canada) (“PIPEDA”).
“Customer Data” has the meaning given to “Client Data” in the Agreement.
“Personal Data” means any personal data or personal information contained in Customer Data that is Processed by Vasco on behalf of Customer. For purposes of Law 25, the term “Personal Data” includes “personal information” within the meaning of that statute.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. For purposes of Law 25, a Personal Data Breach is a “confidentiality incident”.
“Process” or “Processing” has the meaning given to it under Applicable Data Protection Laws.
“Subprocessor” means any third party appointed by Vasco to Process Personal Data on behalf of Customer.
2. Roles of the Parties
Customer acts as a Controller (or, under Law 25, as the enterprise that collects Personal Data and determines the purposes of its Processing). Vasco acts as a Processor (or, under Law 25, as a service provider acting on behalf of Customer) and Processes Personal Data only on documented instructions from Customer, including to provide the Services under the Agreement.
3. Scope of Processing
The subject matter, nature, purpose, and duration of Processing, as well as the categories of Personal Data and Data Subjects, are described in Annex I.
4. Processor Obligations
Vasco shall:
- Process Personal Data only on documented instructions from Customer;
- Ensure personnel authorized to Process Personal Data are bound by confidentiality obligations;
- Implement appropriate technical and organizational measures as described in Annex II;
- Assist Customer, taking into account the nature of Processing, with appropriate technical and organizational measures insofar as possible, for the fulfillment of Customer’s obligation to respond to requests for exercising Data Subject rights;
- Assist Customer in ensuring compliance with obligations relating to security of Processing, breach and confidentiality incident notifications, and (where applicable) data protection impact assessments and prior consultation, taking into account the nature of Processing and information available to Vasco;
- Notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer’s Personal Data. The initial notification shall include, to the extent then known to Vasco: (i) a description of the nature of the Personal Data Breach; (ii) the categories and approximate number of Data Subjects and Personal Data records concerned; (iii) the likely consequences of the Personal Data Breach; and (iv) the measures taken or proposed to be taken to address the Personal Data Breach and mitigate its possible adverse effects. Where information cannot be provided at the same time, it may be provided in phases without further undue delay. Any such notification shall not be construed as an admission of fault or liability by Vasco;
- Upon termination or expiration of the Services, and at Customer’s written election made no later than thirty (30) days following the effective date of termination, delete or return all Personal Data in Vasco’s possession or control, unless retention is required by applicable law. Where Customer elects deletion, or where Customer fails to make an election within thirty (30) days of termination, Vasco shall delete the Personal Data within ninety (90) days following termination. Personal Data retained in routine backup media shall be deleted in accordance with Vasco’s standard backup rotation cycle and shall not be restored or used for any purpose during that period. Upon written request, Vasco shall provide Customer with a written certificate of deletion.
5. Subprocessors
Customer authorizes Vasco to engage the Subprocessors listed in Annex III as of the Effective Date.
Vasco will remain responsible for the acts and omissions of its Subprocessors with respect to Personal Data to the same extent Vasco would be responsible if performing the services of each Subprocessor directly under this DPA, and will impose data protection obligations on each Subprocessor that are substantially equivalent to those imposed on Vasco under this DPA.
Vasco will provide Customer with at least thirty (30) days’ prior written notice of the appointment or replacement of any Subprocessor that will Process Personal Data. Customer may subscribe to such notices via the mechanism made available at https://trust.vasco.app or by emailing privacy@vasco.app.
If Customer has a reasonable, documented data protection objection to the appointment or replacement of a Subprocessor, Customer shall notify Vasco in writing within fifteen (15) days of Vasco’s notice, setting out the grounds for the objection. The parties shall work together in good faith to resolve the objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable period not to exceed thirty (30) days, Customer may, as its sole and exclusive remedy, terminate the affected portion of the Services for convenience, with a pro-rata refund of any pre-paid fees applicable to the unused portion of the then-current term.
6. International Transfers
Customer acknowledges that Personal Data is hosted and Processed in the United States. Where required under Applicable Data Protection Laws, Vasco relies on appropriate safeguards for international and cross-border transfers of Personal Data, as set out in Annex IV.
7. Audits
Customer may request information reasonably necessary to demonstrate Vasco’s compliance with this DPA. Any audit rights are limited as follows:
- Audits may occur no more than once per twelve (12) months;
- Audits shall be limited to document reviews or written responses, unless a higher level of audit is required by Applicable Data Protection Laws;
- Where Vasco makes available a recent independent third-party security or compliance report (including its SOC 2 Type 2 report), Customer agrees to accept such report in lieu of conducting an audit;
- On-site audits are excluded unless expressly required by a competent supervisory authority;
- Audits must be conducted during normal business hours, subject to reasonable advance notice, and must not unreasonably interfere with Vasco’s business operations;
- Customer shall bear all costs associated with any audit.
8. Canadian Privacy Law
8.1 General. Vasco HQ Inc. is incorporated in Quebec, Canada, and is subject to Law 25 and (where applicable) PIPEDA. This Section 8 supplements, and does not limit, the obligations of Vasco set out elsewhere in this DPA.
8.2 Person in charge of the protection of personal information. Vasco has designated a person in charge of the protection of personal information as required by Law 25. The contact details are: Sebastien Rothlisberger, Chief Technology Officer and Data Protection Officer, privacy@vasco.app.
8.3 Confidentiality incidents. A Personal Data Breach as defined in this DPA constitutes a “confidentiality incident” for purposes of Law 25 and a “breach of security safeguards” for purposes of PIPEDA. Vasco shall notify Customer of any such incident in accordance with Section 4 in order to support Customer’s compliance with its own notification obligations to the Commission d’accès à l’information du Québec (“CAI”), the Office of the Privacy Commissioner of Canada (“OPC”), and affected individuals. Vasco shall maintain a register of confidentiality incidents as required by section 3.8 of Law 25, and shall make the relevant entries of that register available to Customer or to the CAI upon lawful request.
8.4 Privacy impact assessments. Where Customer is required to conduct a privacy impact assessment (“PIA”) under Law 25 — including in connection with the communication of Personal Data outside Quebec under section 17 of Law 25 — Vasco shall provide reasonably available information regarding its technical and organizational measures, Subprocessors, hosting locations, and applicable transfer safeguards to support that PIA.
8.5 Communication outside Quebec. The parties acknowledge that Customer Data is hosted in the United States. The safeguards applicable to such communication are described in Annex IV.D.
8.6 Cooperation with supervisory authorities. Vasco shall provide reasonable cooperation, taking into account the nature of Processing and the information available to Vasco, in connection with inquiries or investigations by the CAI, the OPC, or any other competent Canadian supervisory authority relating to Customer’s Processing of Personal Data through the Services.
9. Liability
This DPA does not create additional liability beyond what is set out in the Agreement.
10. Order of Precedence
In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection and privacy matters. In the event of any conflict between this DPA and the Standard Contractual Clauses incorporated under Annex IV.A, the Standard Contractual Clauses shall prevail.
11. Governing Law
This DPA is governed by the law specified in the Agreement, except where Applicable Data Protection Laws or the Standard Contractual Clauses require otherwise.
Annex I — Details of Processing
Subject matter: Provision of the Vasco platform and related services.
Duration: For the term of the Agreement.
Nature of Processing: Hosting, storage, structuring, analysis, and presentation of Customer Data; user access and administration; support and maintenance.
Categories of Data Subjects:
- Customer employees
- Customer prospects, leads, and contacts
Categories of Personal Data:
- Contact information (name, email, role)
- CRM and engagement metadata
- Usage and activity data
Purpose of Processing:
- Provision, maintenance, and support of the Services
Customer responsibility and data restrictions: Customer determines the scope and content of Personal Data submitted to the Services and is responsible for ensuring that such Processing complies with Applicable Data Protection Laws. The Services are not designed to Process, and Customer shall not submit, any special categories of personal data or other highly sensitive data, including without limitation health data, payment card information, government-issued identification numbers, biometric data, or criminal records, unless expressly agreed in writing by Vasco.
Annex II — Technical and Organizational Measures
Vasco implements appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures are aligned with industry best practices and are informed by Vasco’s internal security policies, including information security, encryption, incident response, access management, logging and monitoring, vulnerability management, business continuity, and data retention.
Key measures include:
- Access controls: Role-based access, least-privilege principles, multi-factor authentication for administrative access, and formal joiner/mover/leaver processes.
- Encryption: Encryption in transit using TLS 1.2+ and encryption at rest using industry-standard algorithms.
- Monitoring & logging: Centralized logging, monitoring, and alerting for security-relevant events with restricted access to logs. Automated detection and redaction of personal data within log streams.
- Vulnerability management: Periodic vulnerability scanning, remediation based on risk prioritization, and annual independent penetration testing.
- Incident response: Documented incident response procedures, escalation paths, post-incident reviews, and an annual incident response simulation covering platform outage, third-party component failure, and data-breach scenarios.
- Data lifecycle controls: Defined data retention and deletion processes aligned with contractual requirements.
- Business continuity: Documented business continuity and disaster recovery planning, with periodic testing.
- Independent assessment: Annual SOC 2 Type 2 audit covering the Security and Availability Trust Services Criteria.
These measures are reviewed periodically and updated as necessary to maintain an appropriate level of security.
Annex III — Subprocessors
Vasco’s current Subprocessors are listed at: vasco.app/legal/subprocessors
Annex IV — International Data Transfer Mechanisms
A. European Economic Area (EU SCCs)
Where Personal Data subject to the GDPR is transferred from the EEA to Vasco in the United States, the parties incorporate by reference the Standard Contractual Clauses approved by the European Commission in Implementing Decision (EU) 2021/914 (“EU SCCs”), Module Two (Controller to Processor), with the following selections:
- Clause 7 (Docking Clause): included.
- Clause 9 (Use of Sub-processors): Option 2 (general written authorization) applies. The notice period for changes to Sub-processors is thirty (30) days, as set out in Section 5 of this DPA.
- Clause 11 (Redress): the optional independent dispute resolution body is not selected.
- Clause 17 (Governing Law): the EU SCCs are governed by the laws of Ireland.
- Clause 18 (Choice of Forum and Jurisdiction): disputes arising from the EU SCCs shall be resolved by the courts of Ireland.
For the purposes of the EU SCCs, Customer is the “data exporter” and Vasco HQ Inc. is the “data importer.” The Annexes of this DPA serve as the Annexes of the EU SCCs as follows:
- Annex I.A (List of Parties): as identified in the Agreement.
- Annex I.B (Description of Transfer): as set out in Annex I of this DPA.
- Annex I.C (Competent Supervisory Authority): the Irish Data Protection Commission, except where Customer is established in an EEA member state, in which case the competent supervisory authority of that member state.
- Annex II (Technical and Organizational Measures): as set out in Annex II of this DPA.
- Annex III (List of Sub-processors): as set out in Annex III of this DPA.
In the event of any conflict between the EU SCCs and the remainder of this DPA, the EU SCCs shall prevail.
B. United Kingdom (UK Addendum)
Where Personal Data subject to the UK GDPR is transferred from the United Kingdom to Vasco in the United States, the parties incorporate by reference the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office under section 119A of the UK Data Protection Act 2018 (“UK Addendum”). The information required by Table 1 of the UK Addendum is as set out in the Agreement and this DPA. With respect to Table 4 of the UK Addendum, neither party may end the UK Addendum as set out in Section 19 of the UK Addendum.
C. Switzerland (FADP)
Where Personal Data subject to the FADP is transferred from Switzerland to Vasco in the United States, the EU SCCs apply with the following modifications, consistent with guidance from the Swiss Federal Data Protection and Information Commissioner (“FDPIC”):
- references to the GDPR shall be read as references to the FADP, and references to specific GDPR articles shall be read as references to the equivalent provisions of the FADP;
- references to EEA member state supervisory authorities shall be read as references to the FDPIC;
- the courts and law of Switzerland shall apply to disputes brought under Clauses 17 and 18 in respect of transfers governed solely by the FADP.
D. Quebec — Communication of Personal Information Outside Quebec (Law 25, s. 17)
Where Customer is established in Quebec or otherwise subject to Law 25 in respect of Personal Data communicated to Vasco, the parties acknowledge that the communication of Personal Data to Vasco in the United States constitutes a communication of personal information outside Quebec for purposes of section 17 of Law 25.
Vasco confirms that it implements the technical and organizational measures described in Annex II to maintain a level of protection of Personal Data that is consistent with the principles applicable in Quebec under Law 25, including:
- encryption in transit and at rest;
- role-based access controls and least-privilege principles;
- contractual obligations imposed on its Subprocessors that are substantially equivalent to those imposed on Vasco under this DPA;
- documented incident response procedures and a register of confidentiality incidents;
- an annual independent security assessment under SOC 2 Type 2 (Security and Availability).
Vasco shall, upon written request and within a reasonable period, provide Customer with information reasonably necessary to support Customer’s privacy impact assessment of the communication of Personal Data outside Quebec under section 17 of Law 25, including information on hosting locations, Subprocessors, applicable safeguards, and the legal framework of the destination jurisdiction to the extent known to Vasco.