Data Processing Agreement

Last updated: February 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Vysion BV ("Processor") and you, the customer ("Controller"), and governs the processing of personal data by the Processor on behalf of the Controller in connection with the Vysion email security service ("Service").

This DPA is entered into in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
  • "Processing" means any operation performed on Personal Data, as defined in Article 4(2) GDPR.
  • "Controller" means the customer who determines the purposes and means of the processing of Personal Data.
  • "Processor" means Vysion BV, who processes Personal Data on behalf of the Controller.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data.

3. Scope of Processing

3.1 Subject Matter

The Processor processes Personal Data to provide the email security service, including threat detection, IBAN fraud baseline tracking, and breach monitoring.

3.2 Categories of Data Subjects

  • Employees and team members of the Controller's organization
  • Individuals who send emails to the Controller's organization

3.3 Types of Personal Data

  • Email addresses (sender and recipient)
  • Names (as appearing in email headers)
  • Email metadata (subject lines, timestamps, message IDs)
  • Email body content (processed in real-time, not stored)
  • IBAN numbers found in emails (stored for fraud baseline)
  • IP addresses and device information (for authentication and logging)
  • Organization and account information

3.4 Duration

Processing continues for the duration of the Controller's active subscription. Upon termination, the Processor shall delete or return all Personal Data within 30 days, as specified in Section 10.

4. Processor Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data outside the EEA, unless required to do so by EU or Belgian law
  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see Section 7)
  • Assist the Controller in fulfilling its obligation to respond to data subject requests (access, rectification, erasure, portability, etc.)
  • Assist the Controller in ensuring compliance with GDPR Articles 32–36 (security, breach notification, DPIA, prior consultation)
  • At the Controller's choice, delete or return all Personal Data after the end of the provision of services
  • Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR, and allow for and contribute to audits

5. Controller Obligations

The Controller shall:

  • Ensure it has a lawful basis for the processing of Personal Data and for instructing the Processor to process data on its behalf
  • Ensure that relevant data subjects have been informed of the processing in accordance with Articles 13 and 14 GDPR
  • Provide documented instructions to the Processor regarding the processing of Personal Data

6. Sub-processors

6.1 Authorized Sub-processors

The Controller provides general written authorization for the Processor to engage the following sub-processors:

  Sub-processor           Purpose               Location          Safeguards
  Stripe, Inc.            Payment processing    USA               EU SCCs, DPF
  Microsoft Corporation   OAuth, Graph API      EU / USA          EU SCCs, DPF
  Google LLC              OAuth, Gmail API      EU / USA          EU SCCs, DPF
  Vercel Inc.             Application hosting   EU (Frankfurt)    EU SCCs
  Have I Been Pwned       Breach monitoring     Australia         EU SCCs

6.2 New Sub-processors

The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance, giving the Controller the opportunity to object. If the Controller objects on reasonable grounds, the parties shall discuss in good faith to resolve the matter.

6.3 Sub-processor Agreements

The Processor shall ensure that each sub-processor is bound by data protection obligations no less protective than those set out in this DPA, through a written contract in accordance with Article 28(4) GDPR.

7. Security Measures

The Processor implements the following technical and organizational measures to protect Personal Data:

7.1 Technical Measures

  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of data at rest
  • Secure OAuth 2.0 authentication (no password storage)
  • Rate limiting and abuse prevention mechanisms
  • Automated security scanning and dependency monitoring
  • Real-time email content is processed in memory and not persisted

7.2 Organizational Measures

  • Role-based access control (Owner/Admin/Member)
  • Audit logging of sensitive operations
  • Access limited to authorized personnel only
  • Regular security reviews and code audits
  • Incident response procedures

8. Data Breach Notification

In the event of a personal data breach (as defined in Article 4(12) GDPR), the Processor shall:

  • Notify the Controller without undue delay, and in any case within 72 hours after becoming aware of the breach
  • Provide the Controller with sufficient information to meet its obligation to notify the supervisory authority (Article 33 GDPR), including:
    • Nature of the breach, categories and approximate number of data subjects affected
    • Likely consequences of the breach
    • Measures taken or proposed to address the breach
  • Cooperate with the Controller in investigating and mitigating the breach
  • Document the breach, including its effects and remedial actions taken

9. International Data Transfers

Where Personal Data is transferred outside the European Economic Area (EEA), the Processor ensures appropriate safeguards are in place through:

  • EU Standard Contractual Clauses (SCCs) as adopted by the European Commission
  • EU-US Data Privacy Framework certifications (where applicable)
  • Adequacy decisions by the European Commission

The Processor shall inform the Controller of any transfer and the safeguards applied. Transfer Impact Assessments are conducted where required.

10. Data Deletion on Termination

Upon termination or expiry of the Service agreement, the Processor shall:

  • Within 30 days, delete all Personal Data processed on behalf of the Controller, unless EU or Belgian law requires storage
  • Upon request, provide the Controller with a copy of their data in a structured, commonly used, machine-readable format before deletion
  • Provide written confirmation of deletion upon the Controller's request

Billing data may be retained as required by Belgian tax law (up to 7 years) and will be clearly separated from other Personal Data.

11. Audits

The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR. The Controller (or an appointed third-party auditor) may conduct audits of the Processor's data processing activities, subject to:

  • Reasonable advance notice (at least 30 days)
  • Audits conducted during normal business hours
  • The auditor being bound by confidentiality obligations
  • A maximum of one audit per year, unless a data breach has occurred

12. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service. This DPA does not limit either party's liability for breaches of data protection law where such limitation is not permitted by applicable law.

13. Governing Law

This DPA is governed by and construed in accordance with the laws of Belgium. Any disputes shall be submitted to the exclusive jurisdiction of the courts of Belgium.

14. Amendments

This DPA may be amended by the Processor to reflect changes in data protection law or the Service. Material changes will be communicated to the Controller at least 30 days in advance. Continued use of the Service after notification constitutes acceptance.

15. Contact

For questions about this DPA or data processing matters, contact us at: