DATA PROCESSING AGREEMENT (DPA)
Effective Date: 1st March, 2026
Version: 1.0
This Data Processing Agreement (“DPA”) forms part of and is incorporated into the agreement between Vawlt Technologies, S.A. (“Vawlt”) and the entity agreeing to the applicable terms (the “Customer”) governing Customer’s use of Vawlt’s services (the “Principal Agreement”, and together with the DPA, the “Agreement”). This DPA applies only to the extent Vawlt processes Personal Data as a Processor on behalf of Customer in connection with the Services.
1. Definitions
Capitalized terms not defined in this DPA have the meanings given in the GDPR or the Principal Agreement. For purposes of this DPA:
- “Applicable Data Protection Law” means the GDPR and any other data protection laws applicable to the Processing of Personal Data under this DPA.
- “Controller”, “Processor”, “Personal Data”, “Processing”, “Data Subject”, and “Personal Data Breach” have the meanings set out in Applicable Data Protection Law.
- “Control-Plane Data” means Personal Data processed within the Vawlt platform under Vawlt’s control for service administration, such as user/account identifiers (name, email), company name, VAT number (where it constitutes Personal Data), authentication/access metadata, and service administration data.
- “Customer Data” means data stored, transmitted, or otherwise processed by or on behalf of Customer through the Services via the Vawlt software agent deployed in infrastructure controlled by Customer or its designated partner(s). Customer Data is processed and stored in encrypted form, and Vawlt does not hold Customer decryption keys or access Customer Data in intelligible form.
- “Sub-processor” means a third party engaged by Vawlt to process Personal Data on behalf of Customer in connection with the Services.
2. Scope and Roles
2.1 Customer Data
Customer is the Controller of Customer Data. To the extent Vawlt processes Personal Data within Customer Data on behalf of Customer, Vawlt acts as a Processor with a limited technical role, restricted to encrypted handling, routing, orchestration, and other functions necessary to provide the Services. Customer acknowledges that due to the Services’ zero-knowledge encryption design and Customer-controlled infrastructure, Vawlt does not access Customer Data in intelligible form and cannot identify specific Data Subjects or content within Customer Data.
2.2 Control-Plane Data
To the extent Control-Plane Data is processed by Vawlt solely to provide the Services to Customer (e.g., account administration, authentication, access logging), Vawlt acts as Processor on behalf of Customer. Where Vawlt processes data for its own independent purposes (e.g., invoicing, compliance with legal obligations, fraud prevention, platform security), Vawlt acts as an independent Controller and such processing is governed by Vawlt’s Privacy Policy and Applicable Data Protection Law, not by Processor obligations under Article 28 GDPR.
3. Customer Instructions
Vawlt shall process Personal Data only on documented instructions from Customer, including as set out in the Agreement. Customer’s use and configuration of the Services (including user permissions, policies, and service settings) constitutes documented instructions. Vawlt may decline to comply with any instruction that is unlawful or technically infeasible, including due to Vawlt’s inability to access Customer Data in intelligible form.
4. Customer Obligations
Customer will:
- ensure it has a lawful basis to process Personal Data and to instruct Vawlt to process Personal Data on its behalf;
- be responsible for the content of Customer Data (including any Personal Data contained in it) and for providing appropriate notices to Data Subjects where required;
- be responsible for managing, accessing, modifying, and deleting Customer Data through Customer’s tools and configuration, including management of encryption keys and credentials; and
- be responsible for selecting, contracting with (directly or indirectly), configuring, and securing the infrastructure providers and environments designated by Customer for Customer Data storage, except to the extent an issue arises from Vawlt-controlled components.
5. Confidentiality
Vawlt will ensure that persons authorized to process Personal Data are subject to appropriate confidentiality obligations.
6. Security
Taking into account the nature of the Processing, the state of the art, implementation costs, and the risk to individuals, Vawlt will implement appropriate technical and organizational measures designed to protect Personal Data processed under this DPA. Customer acknowledges that Customer Data is protected by the Services’ zero-knowledge end-to-end encryption and that Customer is responsible for encryption key and credential management.
7. Sub-processing
7.1 General Authorization
Customer provides Vawlt with general authorization to engage Sub-processors for the Services.
7.2 Sub-processor List
The current list of Sub-processors is set out in Annex B.
7.3 Changes to Sub-processors
Vawlt will inform Customer of intended additions or replacements of Sub-processors by updating Annex B (or an online sub-processor list referenced in Annex B). Sub-processor changes will become effective no earlier than 30 days after the update is posted, except where earlier implementation is required for security, urgent operational reasons, or legal/regulatory requirements, in which case Vawlt may implement the change sooner and will update the list accordingly.
7.4 Objection
Customer may object to a new or replacement Sub-processor on reasonable data protection grounds by notifying Vawlt within the applicable notice period. If the Parties cannot resolve the objection within a reasonable time, Customer may terminate the affected Services as its sole and exclusive remedy (to the extent permitted by the Principal Agreement).
7.5 Flow-down
Vawlt will impose data protection obligations on Sub-processors consistent with this DPA, as applicable.
7.6 Customer-Selected Infrastructure (Clarification)
Infrastructure providers selected and configured by Customer (or its partners) for Customer Data storage are not Sub-processors of Vawlt solely by reason of such selection or use.
8. International Transfers
Vawlt will not transfer Personal Data processed under this DPA outside the EEA unless it has implemented an appropriate transfer mechanism as required by Applicable Data Protection Law (e.g., adequacy decision or Standard Contractual Clauses).
9. Personal Data Breach
Vawlt will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed by Vawlt as Processor under this DPA and will provide information reasonably necessary to support Customer’s compliance obligations. Customer acknowledges that Vawlt’s ability to detect or assess incidents affecting the content of Customer Data may be limited due to encryption and Customer-controlled infrastructure.
10. Assistance
Taking into account the nature of the Processing and information available to Vawlt, Vawlt will provide commercially reasonable assistance to Customer in responding to Data Subject requests and in meeting Customer’s obligations under Applicable Data Protection Law (including Articles 32–36 GDPR), to the extent Vawlt is able and such assistance relates to Processing covered by this DPA. Customer acknowledges that Vawlt cannot access or locate specific Personal Data within encrypted Customer Data content.
11. Compliance Information
Upon request, Vawlt will make available reasonable information to demonstrate compliance with this DPA, including providing its current ISO/IEC 27001 certificate and reasonable summaries. On-site audits are not required unless mandated by law or a competent authority.
12. Return and Deletion
Upon termination or expiry of the Principal Agreement, Vawlt will delete or return Personal Data processed under this DPA within a reasonable time, subject to (a) Customer’s export requests, (b) residual retention in backups (not actively processed) until overwritten or deleted in accordance with backup rotation, and (c) mandatory legal retention requirements.
13. Liability
Liability under this DPA is subject to the limitations and exclusions of liability set out in the Principal Agreement, to the extent permitted by Applicable Data Protection Law.
14. Order of Precedence
If there is a conflict between this DPA and the Principal Agreement regarding the Processing of Personal Data by Vawlt as Processor, this DPA prevails.
15. Contact
Privacy contact: privacy@vawlt.io
Vawlt address: Rua António Champalimaud, Lote 1, 1600-514 Lisboa, Portugal
Annex A — Processing Details
Subject matter: Provision of the Services under the Principal Agreement.
Duration: For the term of the Principal Agreement and thereafter only as needed for deletion from backups and/or legal retention.
Categories of Data Subjects: Customer users/admins and billing contacts; any individuals whose Personal Data may be included in Customer Data.
Categories of Personal Data: Control-Plane Data (names, emails, company name, VAT where applicable, authentication/access metadata); Customer Data content unknown to Vawlt (encrypted).
Nature of Processing: Control-Plane Data administration; encrypted handling/routing/orchestration of Customer Data as necessary to provide the Services.
Purpose: Provide, secure, maintain, and support the Services.
Annex B — Sub-processors (Control-Plane)
Vawlt engages the following Sub-processors for Control-Plane Data hosting and supporting infrastructure within EU regions:
- Amazon Web Services (AWS) — EU regions (e.g., Ireland/Frankfurt)
- Microsoft Azure — EU regions (e.g., West Europe/North Europe)