Last updated: June 6, 2026

Data Processing Agreement

This Data Processing Agreement (“DPA”) supplements the Terms of Service (the “Agreement”) between the customer organization (“Customer”) and DesignVault (“we”, “us”), and applies automatically whenever we process Personal Data on Customer's behalf. No signature is required; an executed copy is available on request at privacy@designvault.net.

1. Definitions

  • “Data Protection Laws” means all laws applicable to the processing of Personal Data under this DPA, including Québec's Act respecting the protection of personal information in the private sector as amended by Loi 25, PIPEDA (Canada), the EU/UK GDPR, and the CCPA/CPRA (California), in each case as applicable.
  • “Personal Data” means any information relating to an identified or identifiable natural person that we process on Customer's behalf in providing the service.
  • “Customer Data” means all data (including Personal Data) that Customer or its users submit to the service: imported design assets, tags, collections, comments, annotations, and member information.
  • “Controller”, “Processor”, “Data Subject”, “Processing” and “Personal Data Breach” have the meanings given in the GDPR, and their equivalents under other Data Protection Laws apply correspondingly.
  • “SCCs” means the standard contractual clauses approved by European Commission Implementing Decision (EU) 2021/914.

2. Relationship of the parties

For Customer Data, Customer is the Controller and DesignVault is the Processor. We will:

  • process Customer Data only on Customer's documented instructions — namely the Agreement, this DPA, and Customer's configuration of the service (including enabling or disabling AI features) — unless required by law, in which case we will inform Customer unless legally prohibited;
  • ensure that persons authorized to process Customer Data are bound by confidentiality obligations;
  • not sell Customer Data, nor retain, use, or disclose it for any purpose other than providing the service (including within the meaning of the CCPA/CPRA);
  • not voluntarily disclose Customer Data to law enforcement or government agencies; if legally compelled, we will redirect the request to Customer where possible and notify Customer unless prohibited.

We act as an independent Controller for the limited data described in Section 9 (account, billing, and security data).

3. Authorized subprocessors

Customer provides general written authorization for the subprocessors listed at designvault.net/subprocessors (Exhibit B). We impose data protection obligations on each subprocessor that are no less protective than this DPA, and we remain liable for their performance.

We will give organization owners at least 30 days' notice by email before adding or replacing a subprocessor. Customer may object on reasonable, data-protection-related grounds within that period; if we cannot offer a workaround, Customer may terminate the affected subscription and receive a pro-rata refund of prepaid fees.

4. Security

We implement appropriate technical and organisational measures (“TOMs”), including multi-tenant isolation enforced by PostgreSQL Row Level Security, AES-256-GCM application-level encryption of integration tokens, encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access control, audit logging, and hardened security headers. The current TOMs are described at designvault.net/docs/security and constitute the security annex of this DPA. We may update the TOMs provided the overall level of protection is not reduced.

5. International transfers

Customer Data is primarily stored in Canada (Supabase, AWS ca-central-1). Certain subprocessors process data in the United States (see Exhibit B). For these transfers:

  • From the EEA/UK/Switzerland: transfers are made under the SCCs (Module Two — Controller to Processor), which are incorporated into this DPA by reference, or under an adequacy decision where one applies (Canada benefits from an EU adequacy decision for PIPEDA-covered processing; some US subprocessors are certified under the EU–US Data Privacy Framework).
  • From Québec: before communicating Personal Data outside Québec, we conduct the assessment required by Loi 25 (s. 17) to confirm the data receives adequate protection.

[TODO — counsel: confirm SCC module completion details (clauses 9, 13, 17, 18), the per-subprocessor mechanism (SCCs vs DPF certification), and the Loi 25 s. 17 assessment record.]

5bis. Customer-directed disclosures (API, MCP, webhooks, sharing)

The service lets Customer transmit Customer Data to third parties of its choosing: API keys (and any tool built on them, including the official DesignVault MCP server used with AI clients such as Claude or Cursor), outbound webhooks to endpoints Customer configures, and public share links Customer creates. Such transmissions are made on Customer's documented instructions within the meaning of Section 2. The recipients (including Customer's AI clients and webhook receivers) act for Customer, are not DesignVault subprocessors, and are governed by Customer's own agreements with them. Customer is responsible for the lawfulness of these disclosures, including where recipients process data outside Canada or the EEA.

6. Data subject rights

Taking into account the nature of the processing, we assist Customer in fulfilling its obligation to respond to Data Subject requests (access, rectification, erasure, portability, objection, restriction). The service provides self-serve tooling: data export (JSON) and account deletion are available in Settings > Privacy. If a Data Subject contacts us directly about Customer Data, we will redirect them to Customer and notify Customer without undue delay.

7. Personal data breach

We will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data, and in any event within 72 hours, providing the information reasonably required for Customer to meet its own notification obligations (including to the CAI under Loi 25 and to supervisory authorities under the GDPR). We will document breaches and remediation measures.

8. Audits, deletion and return

On request (no more than once per year, unless required by a supervisory authority or following a breach), we will make available the information reasonably necessary to demonstrate compliance with this DPA, including summaries of third-party assessments of our subprocessors, and will allow audits conducted in a manner that does not compromise the security of other customers (multi-tenant environment).

Upon termination of the Agreement or deletion of the organization, we will delete Customer Data within 30 days, except where law requires longer retention (financial records: 7 years). Customer may export its data at any time before deletion via Settings > Privacy.

9. DesignVault as controller

We act as an independent Controller for: account registration data (name, email), billing data (Stripe customer reference), security and audit logs (IP address, user agent), and service usage data in aggregated or de-identified form. This processing is described in our Privacy Policy.

10. General

This DPA is governed by the same law and forum as the Agreement (laws of Québec, Canada), except where the SCCs require otherwise for EEA transfers. In case of conflict between this DPA and the Agreement regarding the processing of Personal Data, this DPA prevails; the SCCs prevail over both. Liability under this DPA is subject to the limitations of liability in the Agreement.

Exhibit A — Details of processing

  • Subject matter and duration: provision of the DesignVault service for the duration of the Agreement, plus the 30-day deletion window.
  • Nature and purpose: hosting, storage, display, search (including optional AI auto-tagging and semantic search), and sharing of design assets and related collaboration data.
  • Categories of Data Subjects: Customer's users (employees, contractors) and individuals appearing in imported content.
  • Categories of Personal Data: names, email addresses, roles, comments and annotations, and any Personal Data contained in imported design assets. No sensitive data is required by the service; Customer is responsible for not importing special categories of data.

Exhibit B — Authorized subprocessors

The current list, with roles and locations, is maintained at designvault.net/subprocessors.

Contact

Privacy Officer: Pascal Potvin, Sherbrooke, Québec, Canada — privacy@designvault.net
[TODO — counsel: confirm legal entity name and complete postal address.]