Data Processing Agreement
Updated February 12, 2026
This Data Processing Agreement (“DPA”) amends and forms part of the Terms of Service between Vouched and You (the “Agreement”). This DPA supersedes any existing data protection terms concluded in relation to the Services and prevails over any conflicting term of the Agreement but does not otherwise modify the Agreement.
1. Definitions
1.1. In this DPA:
“Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, and “Supervisory Authority” have the meaning given to them in Data Protection Law. “Data Subject” includes “Consumer” as that term is defined under U.S. Privacy Laws;
“Buyer Personal Data” means Personal Data Processed by Vouched as a Processor on behalf of Buyer or Third-Party Controller;
“Data Protection Law” means U.S. Privacy Laws, the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), their national implementations in the European Economic Area (“EEA”), including the European Union, and all other data protection laws of the EEA, the United Kingdom (“UK”), and Switzerland, each as applicable, and as may be amended or replaced from time to time;
“Data Subject Rights” means Data Subjects’ rights to information, access, rectification, erasure, restriction, portability, objection, the right to withdraw consent, and the right not to be subject to automated individual decision-making in accordance with Data Protection Law;
“International Data Transfer” means any disclosure of Buyer Personal Data by an organization subject to Data Protection Law to another organization located outside the EEA, the UK, or Switzerland;
“Processor” means “Processor,” “Service Provider,” or “Contractor” as those terms are defined in Data Protection Law.
“Sale” and “Selling” have the meaning defined in the U.S. Privacy Laws.
“Services” means the services provided by Vouched to Buyer under the Agreement;
“Share,” “Shared,” and “Sharing” have the meaning defined in the CCPA;
“Subprocessor” means a Processor engaged by Vouched to Process Buyer Personal Data;
“SCCs” means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as amended or replaced from time to time;
“Third-Party Controller” means a Controller for which Buyer is a Processor; and
“UK Addendum” means the addendum to the SCCs issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022).
“U.S. Privacy Laws” means, collectively, all United States federal and state privacy laws and their implementing regulations, as amended or superseded from time to time, that apply generally to the processing of individuals’ Personal Data and that do not apply solely to specific industry sectors (e.g., financial institutions), or specific demographics (e.g., children). U.S. Privacy Laws include, but are not limited to, the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CCPA”).
1.2. Capitalized terms used but not defined herein have the meaning given to them in the Agreement.
1.3. In the event of a conflict in the meanings of defined terms in Data Protection Law, the meaning from the Data Protection Law applicable to the relevant jurisdiction of the Data Subject applies.
2. Scope
2.1. This DPA applies to the Processing of Your Personal Data by Vouched subject to Data Protection Law to provide the Services.
2.2. The subject matter, nature and purpose of the Processing, the types of Your Personal Data and categories of Data Subjects are set out in Annex I, which is an integral part of this DPA.
2.3. You appoint Vouched as a Processor on behalf of You. Unless You are a Processor on behalf of a Third-Party Controller, You are responsible for compliance with the requirements of Data Protection Law applicable to Controllers.
2.4. If You are a Processor on behalf of a Third-Party Controller, then You: are the single point of contact for Vouched; must obtain all necessary authorizations from such Third-Party Controller; and undertake to issue all instructions and exercise all rights on behalf of such other Third-Party Controller.
2.5. You acknowledge that Vouched may Process Personal Data, including Your Personal Data, relating to the operation, support, or use of the Services for its own business purposes, such as: (i) to prevent, detect, protect against, investigate, or otherwise respond to data security incidents, theft, harassment, or malicious, deceptive, fraudulent or illegal activity; (ii) benchmarking; (iii) product development; and (iv) compliance with law. Vouched is the Controller for such Processing and will Process such data in accordance with Data Protection Law.
2.6. Vouched shall comply with the obligations of, and provide the level of privacy protection required by, Data Protection Law.
3. Instructions
3.1. Vouched will Process Your Personal Data to provide the Services and in accordance with Your documented instructions.
3.2. The Controller’s instructions are documented in this DPA, the Agreement, and any applicable statement of work or order form.
3.3. You may reasonably issue additional instructions as necessary to comply with Data Protection Law. Vouched may charge a reasonable fee to comply with any additional instructions.
3.4. Except as set forth in section 2.5 of this DPA and as expressly permitted under applicable Data Protection Law, Vouched is prohibited from (i) Selling or Sharing Your Personal Data, (ii) retaining, using, or disclosing Your Personal Data for any purpose other than for the specific purpose documented in the Buyer instructions, (iii) retaining, using, or disclosing Your Personal Data outside of the direct business relationship between You and Vouched, and (iv) combining Your Personal Data with Personal Data obtained from, or on behalf of, sources other than You.
3.5. Vouched certifies that it understands the Processing restrictions set forth in this DPA and will comply with them.
3.6. Unless prohibited by applicable law, Vouched will inform Buyer if Vouched is subject to a legal obligation that requires Vouched to Process Your Personal Data in contravention of Your documented instructions.
4. Personnel
4.1. Vouched will ensure that all personnel authorized to Process Your Personal Data are subject to an obligation of confidentiality.
5. Security and Personal Data Breaches
5.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Vouched will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the measures listed in Annex II.
5.2. You acknowledge that the security measures in Annex II are appropriate in relation to the risks associated with Your intended Processing and will notify Vouched prior to any intended Processing for which Vouched’s security measures may not be appropriate.
5.3. Vouched will notify You without undue delay after becoming aware of a Personal Data Breach involving Your Personal Data. If Vouched’s notification is delayed, it will be accompanied by reasons for the delay.
6. Subprocessing
6.1. You hereby authorize Vouched to engage Subprocessors. A list of Vouched’s current Subprocessors is included in Annex III.
6.2. Vouched will enter into a written agreement with Subprocessors which imposes the same obligations as required by Data Protection Law.
6.3. Vouched will notify You of a change to Subprocessors. You may object to the addition of a Subprocessor based on reasonable grounds relating to a potential or actual violation of Data Protection Law by providing written notice detailing the grounds of such objection within thirty (30) days following Vouched’s notification. You and Vouched will work together in good faith to address Your objection. If Vouched chooses to retain the Subprocessor, Vouched will inform You and either party may immediately discontinue providing or using the relevant parts of the Services, as applicable, and may terminate the relevant parts of the Services within thirty (30) days.
7. Assistance
7.1. Taking into account the nature of the Processing, and the information available to Vouched, Vouched will assist You, including, as appropriate, by implementing technical and organizational measures, with the fulfillment of Your own obligations under Data Protection Law to: comply with requests to exercise Data Subject Rights; conduct data protection impact assessments, and prior consultations with Supervisory Authorities; and notify a Personal Data Breach.
7.2. Vouched may charge a reasonable fee for assistance under this Section 7. If Vouched is at fault, Vouched and You shall each bear their own costs related to assistance.
7.3. Upon receiving notice from Vouched that it is unable to comply with Data Protection Law or this DPA, You may direct Vouched to take reasonable and appropriate steps to stop and remediate unauthorized Processing of Your Personal Data.
8. Audit
8.1. Upon reasonable request, Vouched will make available to You all information necessary to demonstrate compliance with the obligations of this DPA. The parties agree that Buyer shall first look to third-party reports or certifications (e.g., SSAE 16-Type II, SOC 2, ISO 27001, or ISO 27701 reports) provided by Vouched or its Subprocessors to satisfy any audit requirements under this DPA or Data Protection Law. Requests for these third-party reports or certifications can be made by sending a request to https://trust.vouched.id. If, and only to the extent that, such reports or certifications do not satisfy Your legally mandated audit obligations under Data Protection Law, Vouched will allow for and contribute to audits, including inspections, as mandated by a Supervisory Authority or reasonably requested no more than once per year by You, and performed by an independent auditor as agreed upon by You and Vouched. Any such audit or inspection shall only extend to those documents and facilities relevant and material to the Processing of Your Personal Data and shall be conducted during normal business hours and in a manner that causes minimal disruption to Vouched’s operations.
8.2. Vouched will inform You if Vouched believes that Your instruction under Section 8.1 infringes Data Protection Law. Vouched may suspend the audit or inspection or withhold requested information until You have modified or confirmed the lawfulness of the instructions in writing.
8.3. Vouched and You each bear their own costs related to an audit.
9. International Data Transfers
9.1. You hereby authorize Vouched to perform International Data Transfers to any country deemed to have an adequate level of data protection by the European Commission or the competent authorities, as appropriate; on the basis of adequate safeguards in accordance with Data Protection Law; or pursuant to the SCCs and the UK Addendum referred to in Sections 9.2 and 9.3.
9.2. By signing this DPA, Vouched and You conclude Module 2 (controller-to-processor) of the SCCs, to the extent You are a Processor on behalf of a Third-Party Controller, Module 3 (Processor-to-Subprocessor) of the SCCs, and to the extent the parties are independent Controllers Module 1 (Controller-to-Controller) of the SCCs, which are hereby incorporated and completed as follows: the “data exporter” is You; the “data importer” is Vouched; the optional docking clause in Clause 7 is implemented; Option 2 of Clause 9(a) is implemented and the time period therein is ten (10) days; the optional redress clause in Clause 11(a) is struck; Option 1 in Clause 17 is implemented and the governing law is the law of Ireland; the courts in Clause 18(b) are the Courts of Ireland; Annex I and II to Modules 1, 2 and 3 of the SCCs are Annex I and II to this DPA respectively. For International Data Transfers from Switzerland, Data Subjects who have their habitual residence in Switzerland may bring claims under the SCCs before the courts of Switzerland.
9.3. By signing this DPA, Vouched and You conclude the UK Addendum, which is hereby incorporated and applies to International Data Transfers outside the UK. Part 1 of the UK Addendum is completed as follows: (i) in Table 1, the “Exporter” is You and the “Importer” is Vouched, their details are set forth in this DPA, and the Agreement; (ii) in Table 2, the first option is selected and the “Approved EU SCCs” are the SCCs referred to in Section 9.2 of this DPA; (iii) in Table 3, Annexes 1 (A and B) and II to the “Approved EU SCCs” are Annex I and II respectively; and (iv) in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum.
9.4. If Vouched’s compliance with Data Protection Law applicable to International Data Transfers is affected by circumstances outside of Vouched’s control, including if a legal instrument for International Data Transfers is invalidated, amended, or replaced, then You and Vouched will work together in good faith to reasonably resolve such non-compliance. In the event that additional, replacement or alternative standard contractual clauses or UK standard contractual clauses are approved by Supervisory Authorities, Vouched reserves the right to amend the Agreement and this DPA by adding to or replacing, the standard contractual clauses or UK standard contractual clauses that form part of it at the date of signature in order to ensure continued compliance with Data Protection Law.
10. Notifications
10.1. You will send all notifications, requests and instructions under this DPA to Vouched’s Legal via email to legal@vouched.id.
10.2. Vouched will send all notifications under this DPA to Your contact set forth in the Agreement.
11. Liability
11.1. Where Vouched has paid compensation, damages or fines, Vouched is entitled to claim back from You that part of the compensation, damages or fines, corresponding to Your part of responsibility for the compensation, damages or fines.
12. Termination and return or deletion
12.1. This DPA is terminated upon the termination of the Agreement.
12.2. You may request return of Your Personal Data up to ninety (90) days after termination of the Agreement. Unless required or permitted by applicable law, Vouched will delete all remaining copies of Your Personal Data within one hundred eighty (180) days after returning Your Personal Data to Buyer.
13. Applicable law and jurisdiction
13.1. This DPA is governed by the laws set forth in the Agreement. Any disputes relating to this DPA will be subject to the exclusive jurisdiction of the courts set forth in the Agreement.
14. Modification of this DPA
14.1. This DPA may only be modified by a written amendment signed by both Vouched and You.
15. Invalidity and severability
15.1. If any provision of this DPA is found by any court or administrative body of a competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
ANNEX I
DESCRIPTION OF THE TRANSFER
A. LIST OF PARTIES
Data exporter:
- Name: You
- Address:
- Contact person’s name, position and contact details:
- Activities relevant to the data transferred under these Clauses: You receive Vouched’s services as described in the Agreement and You provide Personal Data to Vouched in that context.
- Signature and date:
- Role (controller/processor): Controller, or Processor on behalf of Third-Party Controller
Data importer:
- Name: Vouched
- Address:
- Contact person’s name, position and contact details:
- Activities relevant to the data transferred under these Clauses: Vouched provides its services to You as described in the Agreement and Processes Personal Data on behalf of You in that context, or as a separate controller in limited cases.
- Signature and date:
- Role (controller/processor): Processor on behalf of You, or Subprocessor on behalf of Third-Party Controller, or separate Controller
B. DESCRIPTION OF INTERNATIONAL DATA TRANSFER
- Categories of Data Subjects whose Personal Data is transferred:

| # | Category of Data Subjects |
|---|---|
| 1 | Your end users |
| 2 | Your personnel, staff and contractors |

- Categories of Personal Data:

| # | Category of Personal Data |
|---|---|
| 1 | Name, Title, Work Phone, Work Email |
| 2 | Name, Legal Name, Email, Phone, Physical Address, Government ID date of issuance, Government ID date of expiration, Age, Date of Birth, IP Address, Geolocation, Unknown client supplied PII |

- Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

| # | Category of Sensitive Data | Applied Restrictions and Safeguards |
|---|---|---|
| 1 | Social Security Number, Individual Tax Identification Number, Biometric data, Driver’s License #, Passport #, National ID # | Vouched does not store Social Security Numbers or Individual Tax Identification Number. All biometrics data and government identification documents are stored in Google Cloud Platform with limited access |

- The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): On a continuous basis.
- Nature of the processing: The Personal Data will be processed and transferred as described in the Agreement, including but not limited to fraud prevention and identity verification.
- Purpose(s) of the data transfer and further processing: The Personal Data will be transferred and further processed for the provision of the Services as described in the Agreement.
- The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Law.
- For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: For the subject matter and nature of the Processing, reference is made to the Agreement and this DPA. The Processing will take place for the duration of the Agreement.
C. COMPETENT SUPERVISORY AUTHORITY
- The competent authority for the Processing of Personal Data relating to Data Subjects located in the EEA is the Supervisory Authority a) of Your country of establishment, or, where not applicable, b) of the country where Your EU data protection representative is located, or, where not applicable, c) of one of the EEA countries where the Data Subjects are located.
- The competent authority for the Processing of Personal Data relating to Data Subjects located in the UK is the UK Information Commissioner.
- The competent authority for the Processing of Personal Data relating to Data Subjects located in Switzerland is the Swiss Federal Data Protection and Information Commissioner.
ANNEX II
TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Vouched has organized and implemented technical and organizational measures for personal data protection according to ISO 27001 and ISO 27701 to support its data protection program. The measures include the following types of controls:
Information Security Policies
- Provides management direction and support for information security in accordance with business requirements, and relevant laws and regulations.
Organization of Information Security
- Establishes a framework for initiating and controlling information security implementation and operations at Vouched.
Enterprise Risk Management
- Defines the methodology for the assessment and treatment of risks associated with the loss of confidentiality, integrity, and availability of information, and defines the acceptable risk level.
Human Resource Security
- Designed to ensure that all workforce members are well suited for, and understand, their roles and responsibilities.
- Designed to ensure that potential workforce hires undergo background checks.
- Designed to ensure that workforce members sign non-disclosure agreements and commit to acceptable use policies.
- Designed to ensure that all workforce members are aware of, and fulfill, their information security responsibilities and obligations, such as adhering to Vouched’s password policies.
- Designed to ensure that workforce members who handle personal data receive additional privacy and security training to better understand their responsibilities and obligations.
- Designed to ensure that the organization’s interests are protected throughout the employment process, from pre-employment to termination.
Asset Management
- Identifies and classifies Vouched’s information assets, defines and assigns appropriate responsibilities for ensuring their protection, and sets their retention schedules.
- Designed to ensure an appropriate level of protection for information assets in accordance with their sensitivity level and importance to the organization.
- Designed to prevent the unauthorized disclosure, modification, removal, or destruction of information stored on media.
Access Control
- Sets forth management principles governing information security and cybersecurity to secure information in any form.
- Establishes governing principles for the protection of all Vouched’s information and to reduce the risk of unauthorized access to Vouched’s information.
- Provides the framework for user, system and application access control and management, and user responsibilities.
- Limits access to information and information processing facilities.
- Designed to ensure authorized user access and prevent unauthorized access to systems and services.
- Makes users accountable for safeguarding their authentication information.
- Designed to prevent unauthorized access to systems and applications.
Cryptography
- Designed to ensure proper and effective use of cryptography in order to protect the confidentiality, authenticity, and integrity of information.
- Provides guidance that limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively.
- Establishes procedures on proper encryption for data in motion, data at rest, and key management.
- Uses end-to-end encryption and encrypts data in transit and at rest.
Physical and Environmental Security (if applicable given Vouched has no physical offices)
- Establishes procedures for properly defining secure areas, entry, threat protection, equipment security, secure disposal, clear desk and clear screen policies, and visitor access in order to prevent (1) unauthorized physical access, damage, and interference with Vouched’s information and information processing facilities; and (2) loss, damage, theft, or compromise of Vouched’s assets, and interruption of its operations.
Operations Security
- Establishes procedures on the proper management of IT systems, including change management, capacity management, malware, backup, logging, monitoring, installation, vulnerabilities, and audit controls.
- Designed to ensure that information and information processing facilities are operated securely and protected from malware and loss of data.
- Designed to ensure that security events are recorded appropriately.
- Designed to maintain operational system integrity and avoid exploitation of technical vulnerabilities.
Communications Security
- Establishes controls related to network security, network segregation, network services, transfer of information internally and externally, messaging, and more.
System Acquisition, Development, and Maintenance
- Establishes security requirements for the procurement and deployment of technology solutions, as well as the requirements for internal development and support processes.
Supplier Relationships
- Provides a framework for Vouched to perform vendor risk management, including due diligence, identification of contractually required privacy and security controls, and the management and monitoring of third-party suppliers (i.e., vendors, service providers, and processors) from onboarding to offboarding to ensure proper information security and service delivery.
Information Security Incident Management
- Establishes policies to reduce the impact of security incidents to the confidentiality, integrity, and availability of Vouched’s technology resources, services and information.
- Enables Vouched to provide consistent, repeatable, and measurable guidance that reduces or eliminates the ambiguity and questions that would otherwise commonly appear and result in inconsistent processes.
Information Security Aspects of Business Continuity Management
- Establishes a business continuity framework and defines how Vouched should recover its IT architecture and IT services within set deadlines in the event of a disaster or other disruptive incident.
- Designed to ensure data backup for cloud-hosted implementations.
- Designed to maintain a business continuity plan and support annual technical and tabletop tests.
Compliance
- Designed to support Vouched’s compliance with respect to the organization’s internal policies and procedures and contractual obligations related to information privacy and security, and applicable privacy, information security, and data protection laws and regulations.
Other Industry Standard Security Controls
- Penetration Testing
- Vulnerability Management
- Application Password Policy
- OAuth-based Authorization
- API Security
ANNEX III
LIST OF SUBPROCESSORS
You authorize Vouched to engage the following Subprocessors:
| Entity Name | Service Location | Registered Address | Contact | Task Performed |
|---|---|---|---|---|
| Google Cloud | USA | 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | privacy.google.com google.privacy/business | Infrastructure, Image Processing |
| AWS | USA | 11000 Equity Drive, Suite 300, Houston, TX 77041, USA | privacyshield@amazon.com | Image Processing |
| Microsoft | USA | One Microsoft Way, Redmond, WA 98052, USA | privacy@microsoft.com | Image Processing |
| Labelbox | USA | 510 Treat Ave, San Francisco, CA 94110, USA | security@labelbox.com | Image Processing |
| Fivetran | USA | 405 14th Street, Suite 1050, Oakland, CA 94612, USA | privacy@fivetran.com | Data Processing and ETL |
| Snowflake | USA | 106 East Babcock Street, Suite 3A, Bozeman, MT 59715, USA | privacy@snowflake.com | Database Services |
| DataDog | USA | 620 8th Avenue, 45th Floor, New York, NY 10018, USA | privacy@datadoghq.com | Infrastructure Monitoring |
| Zendesk | USA | 1019 Market Street, San Francisco, CA 94103, USA | privacy@zendesk.com | Customer Support Ticketing |
| Sentry | USA | 45 Fremont St, San Francisco, CA 94105, USA | compliance@sentry.io | Analytics on JS Plug-in |
| Amplitude | USA | 201 3rd Street, Suite 200, San Francisco, CA 94103, USA | privacy@amplitude.com | Analytics on JS Plug-in |
| Atlassian (Jira/Confluence) | USA | 350 Bush Street, Floor 13, San Francisco, CA 94104, USA | privacy@atlassian.com eudatarep@atlassian.com | Ticket Tracking and Documentation |
| Linear | USA | 2261 Market Street, San Francisco, CA 94114, USA | hello@linear.app | Ticket Tracking |
| Salesforce | USA | Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA | privacy@salesforce.com | CRM |
| HubSpot | USA | 25 1st Street, Cambridge, MA 02141, USA | preferences.hubspot.com/privacy | Marketing Automation |
| Twilio | USA | 1801 California St, Suite 500, Denver, CO 80202, USA | privacy@twilio.com | Communication APIs (Phone Numbers, SMS) |
| Stripe | USA | 354 Oyster Point Blvd, South San Francisco, CA 94080, USA | privacy@stripe.com | Payments Processing |
