Data Processing Agreement
This DPA forms part of the agreement between you (the Customer) and VantaSupport Pte. Ltd. (the Processor) whenever we process personal data of your server members on your behalf. It satisfies Article 28 GDPR and the equivalent UK and Swiss requirements.
1. Definitions
- Applicable Data Protection Law means the GDPR, the UK GDPR and the Data Protection Act 2018, the Swiss FADP, the California Consumer Privacy Act as amended by the California Privacy Rights Act, and any other data protection or privacy law applicable to the processing under this DPA.
- Customer Personal Data means personal data that VantaSupport processes on the Customer's behalf in providing the service.
- Controller, Processor, Sub-processor, Data Subject, Personal Data, and Processing have the meanings given in the GDPR.
- SCCs means the Standard Contractual Clauses adopted by European Commission Implementing Decision (EU) 2021/914, plus the UK International Data Transfer Addendum issued by the Information Commissioner's Office.
2. Roles and scope
The Customer is the Controller of Customer Personal Data and VantaSupport is the Processor. For CCPA purposes VantaSupport is a Service Provider. This DPA applies for the period during which VantaSupport processes Customer Personal Data.
3. Processing instructions
VantaSupport will process Customer Personal Data only on documented instructions from the Customer, including with regard to international transfers, unless required to process by law. The Customer's instructions are the use of the service in accordance with the Terms of Service, the configuration choices the Customer makes in the dashboard, and any further instructions agreed in writing.
VantaSupport will inform the Customer if, in its opinion, an instruction infringes Applicable Data Protection Law, and may refuse to act on it pending clarification.
Customer warranties
- The Customer warrants that it has a lawful basis under Applicable Data Protection Law for the processing it instructs VantaSupport to perform, and that it has provided any notices and obtained any consents required from Data Subjects (including server members) before causing their personal data to be processed.
- The Customer is responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which it acquired it.
- Where required, the Customer will conduct its own data protection impact assessment and transfer impact assessment for the processing it carries out using the service.
4. Subject matter, duration, nature, and purpose
The subject matter is the processing necessary to provide the VantaSupport service. The duration is the term of the underlying agreement plus the retention windows in our Privacy Policy. The nature is automated and manual processing including collection, storage, transmission, analysis, and deletion. The purpose is to deliver tickets, moderation, AI replies, billing, support, and related operational functions. See Annex I for the categories of data subjects and personal data.
5. Confidentiality
VantaSupport will ensure that any person authorized to process Customer Personal Data is bound by a written confidentiality obligation or under a statutory obligation of confidentiality.
6. Security
VantaSupport will implement and maintain the technical and organizational measures set out in Annex II. The measures are designed to ensure a level of security appropriate to the risk taking into account the state of the art, the nature, scope, context, and purposes of processing, and the rights of Data Subjects.
7. Sub-processors
The Customer grants VantaSupport a general authorization to engage sub-processors. Annex III lists current sub-processors. VantaSupport will:
- Impose written terms on each sub-processor that are no less protective than this DPA, including the relevant SCCs where required.
- Remain liable to the Customer for the acts and omissions of each sub-processor as if they were its own.
- Provide at least thirty days' advance notice by email to the account admin of any intended addition or replacement of a sub-processor that handles Customer Personal Data. The Customer may object on reasonable data-protection grounds during the notice period. If the parties cannot resolve the objection in good faith, the Customer may terminate the affected portion of the service with a pro-rata refund of pre-paid fees.
8. Data subject rights
Taking into account the nature of the processing, VantaSupport will provide reasonable technical and organizational measures, insofar as possible, to help the Customer respond to requests from Data Subjects to exercise their rights of access, rectification, erasure, restriction, portability, and objection. Where a Data Subject contacts VantaSupport directly we will refer them to the Customer unless the request relates to VantaSupport's own controller processing.
9. Audits and assistance
- On reasonable written request, no more than once per twelve-month period, VantaSupport will make available the information needed to demonstrate compliance with this DPA, including the most recent third-party audit reports (such as SOC 2 Type II) where available.
- The Customer may conduct an on-site audit only where required by a supervisory authority and only on thirty days' advance notice, during business hours, without disrupting our service, and subject to a written confidentiality agreement. The Customer bears its own costs.
- VantaSupport will assist the Customer with data protection impact assessments and prior consultations with supervisory authorities to the extent reasonably required.
10. Personal data breach
VantaSupport will notify the Customer without undue delay, and within seventy-two hours of becoming aware, of any personal data breach affecting Customer Personal Data. The notification will include the information required by Article 33(3) GDPR to the extent it is then known, and will be updated as more information becomes available.
11. Return and deletion
On termination or expiry of the underlying agreement, VantaSupport will, at the Customer's choice, delete or return all Customer Personal Data, and delete existing copies, unless retention is required by law. Backups are deleted on the rolling thirty-day schedule in our Privacy Policy.
12. Government and law-enforcement requests
- VantaSupport will require a valid legal process (subpoena, court order, warrant, or equivalent foreign instrument) before disclosing Customer Personal Data to a government authority, except where an emergency disclosure is needed to prevent imminent risk of death or serious physical harm.
- VantaSupport will challenge requests it believes to be overbroad, unlawful, or inconsistent with international human rights standards, including by exhausting available judicial remedies before disclosure where reasonable.
- Unless prohibited by law, VantaSupport will notify the Customer of any binding request for Customer Personal Data before disclosure, in time for the Customer to seek a protective order or other appropriate remedy.
- VantaSupport will provide the Customer with the information required to demonstrate compliance with Section 14 (Local laws) of the SCCs on request.
13. International transfers
Where VantaSupport transfers Customer Personal Data outside the EEA, the UK, or Switzerland to a recipient in a country not covered by an adequacy decision, the SCCs apply as follows:
- Module Two (Controller-to-Processor) applies where the Customer is a Controller.
- Module Three (Processor-to-Processor) applies where the Customer is itself a Processor on behalf of a third-party controller.
- The optional docking clause is included. The independent dispute resolution body option is selected.
- The governing law in Clause 17 is the law of the Republic of Ireland.
- The courts in Clause 18(b) are the courts of Ireland.
- The UK Addendum applies to UK transfers and is treated as executed concurrently with this DPA.
- For Swiss transfers the SCCs are read in line with the Swiss FADP.
- Annex I and Annex II of this DPA are deemed to populate the corresponding annexes of the SCCs. Annex III lists sub-processors.
Transfer impact assessment (Schrems II)
VantaSupport has carried out a transfer impact assessment covering its receiving countries (primarily the United States and India). The assessment, the supplementary measures applied (including encryption in transit and at rest, access logging, and the government-request policy in section 12), and the latest sub-processor risk reviews are available to the Customer on request to legal@vantasupport.com under a non-disclosure agreement.
14. Liability
Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the underlying agreement. Nothing in this DPA limits a Data Subject's rights under the SCCs or any rights that cannot be limited under Applicable Data Protection Law.
15. Governing law
This DPA is governed by the laws of the Republic of Singapore, except for the SCCs which are governed as set out in Clause 17 above. Disputes are resolved under the dispute resolution clause of the underlying agreement.
16. Order of precedence
If there is a conflict between this DPA and the underlying agreement, this DPA controls. If there is a conflict between this DPA and the SCCs, the SCCs control.
Annex I: Description of processing
Categories of data subjects
- The Customer's administrators, moderators, and staff who use the dashboard.
- Members of Discord servers in which the Customer has installed the bot.
- End users who open tickets or interact with bot commands.
Categories of personal data
- Discord identifiers, usernames, display names, avatar URLs, and email addresses.
- Server, channel, role, and configuration metadata.
- Message content provided to AI features, ticket transcripts, attachments uploaded to a ticket.
- Knowledge base documents and FAQ content uploaded by the Customer.
- Audit logs of admin actions.
- Billing email, plan, country, and tokenized payment identifier.
- Operational logs including IP address, user agent, and request metadata.
Special categories
VantaSupport does not request or require any special category data. Customers must not configure the bot in a way that intentionally collects such data, and members must not be induced to share it.
Frequency and duration
Continuous for the term of the agreement and the retention windows in the Privacy Policy.
Annex II: Technical and organizational measures
| Category | Controls |
|---|---|
| Access control | Two-factor authentication and least-privilege, role-based access for all VantaSupport personnel. Production access is restricted and logged. |
| Encryption | TLS 1.2 or higher in transit. OAuth tokens and secrets encrypted with AES-256-GCM using a key supplied through our secret configuration. Off-site backups encrypted. |
| Network security | Database and cache are bound to a private internal network and not exposed to the public internet. TLS terminates at the edge reverse proxy. Outbound fetches from the crawler are restricted to public hosts. |
| Application security | Code review on every change. Static analysis. Dependency scanning. An independent third-party penetration test before we accept enterprise contracts. |
| Logging and monitoring | Application and error logging (Sentry) with alerting. Audit log of admin and dashboard actions. |
| Backup and recovery | Encrypted off-site backups taken daily on a rolling retention window. Restores are tested periodically. Contractual RPO/RTO targets are offered only under Enterprise agreements. |
| Personnel | Security and privacy practices appropriate to a small team. Confidentiality obligations in every contractor agreement. |
| Vendor management | Risk assessment for every sub-processor before onboarding. Annual review of high-risk sub-processors. |
| Incident response | Documented incident response plan. The Customer is notified without undue delay after we become aware of a personal data breach. |
| Business continuity | Daily encrypted off-site backups with a documented recovery procedure. Higher-availability multi-host deployment is on the roadmap. |
Annex III: Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Discord, Inc. | Source platform the bot operates on | United States |
| VibeGAMES B.V. | Application, PostgreSQL database, and Redis hosting | Netherlands (EU) |
| Cloudflare, Inc. | Encrypted off-site database backups (R2 object storage) | Global |
| OpenAI, L.L.C. | AI embeddings, and replies when selected | United States |
| Anthropic, PBC | AI replies | United States |
| Stripe, Inc. | Payment processing and tax | United States |
| Resend, Inc. | Transactional and notification email | United States |
| Sentry (Functional Software, Inc.) | Error monitoring | United States |
The current Annex III is always available at this URL. Material additions or replacements are notified to account admins by email at least thirty days in advance.
Contact
For DPA questions, signed copies, or sub-processor objections, write to legal@vantasupport.com.