Data Processing Agreement
Last updated: March 12, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller") and Vaulken ("Processor") and governs the processing of personal data in connection with the Vaulken cloud platform ("Service").
This DPA is established in compliance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
- "Processing" means any operation performed on Personal Data, as defined in Article 4(2) GDPR.
- "Data Subject" means the individual to whom Personal Data relates.
- "Subprocessor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Customer Data" means all files and content uploaded or processed through the Service by the Controller.
2. Scope and Purpose of Processing
| | |
|---|---|
| Subject matter | Provision of the Vaulken cloud platform (file storage, search indexing, MCP access) |
| Duration | For the term of the Terms of Service, plus the period needed for data deletion |
| Nature and purpose | Storage, indexing, retrieval, and management of Customer Data via MCP tools and web dashboard |
| Types of Personal Data | Any Personal Data contained within Customer Data uploaded to Vaults (determined by the Controller) |
| Categories of Data Subjects | Determined by the Controller; may include employees, customers, contacts, or other individuals whose data is stored in files |
3. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers outside the EEA (Article 28(3)(a) GDPR).
- Ensure that persons authorized to process Personal Data have committed to confidentiality (Article 28(3)(b) GDPR).
- Implement appropriate technical and organizational measures to ensure security of processing (Article 28(3)(c) GDPR) — see Section 6.
- Not engage another processor without prior written authorization of the Controller (Article 28(3)(d) GDPR) — see Section 5.
- Assist the Controller in fulfilling Data Subject rights requests (Article 28(3)(e) GDPR) — see Section 7.
- Assist the Controller in ensuring compliance with obligations under Articles 32–36 GDPR (security, breach notification, impact assessments).
- At the choice of the Controller, delete or return all Personal Data after the end of the service, and delete existing copies (Article 28(3)(g) GDPR).
- Make available to the Controller all information necessary to demonstrate compliance with Article 28 and allow for audits (Article 28(3)(h) GDPR) — see Section 8.
4. Instructions
The Controller's instructions are defined by the Terms of Service and the configuration of the Service (Vault settings, access permissions, indexing preferences). The Processor shall not process Personal Data for any purpose other than providing the Service as configured by the Controller.
If the Processor believes an instruction infringes GDPR or other data protection law, the Processor shall promptly inform the Controller.
5. Subprocessors
The Controller grants general authorization for the Processor to engage Subprocessors, subject to the conditions below.
5.1 Current Subprocessors
| Subprocessor | Purpose | Location |
|---|---|---|
| Scaleway SAS | Infrastructure (compute, database, storage, key management) | Paris, France (EU) |
| Scaleway TEM | Transactional email delivery | Paris, France (EU) |
| Mistral AI | Embedding generation for semantic search | Paris, France (EU) |
5.2 Subprocessor Changes
The Processor shall notify the Controller at least 30 days before adding or replacing a Subprocessor, providing the Subprocessor's name, purpose, and location. The Controller may object to the change within 15 days of notification. If the Controller objects and the parties cannot resolve the objection, the Controller may terminate the affected Service.
5.3 Subprocessor Obligations
The Processor shall impose on each Subprocessor data protection obligations no less protective than those in this DPA. The Processor remains fully liable for the performance of its Subprocessors.
6. Technical and Organizational Measures
The Processor implements the following security measures:
Encryption
- In transit: All connections are encrypted using TLS 1.2 or higher.
- At rest: Sensitive data (storage credentials, tokens) is encrypted via a hardware key management service (KMS). Passwords are hashed using industry-standard algorithms and never stored in plaintext.
Access Control
- Tenant isolation with separate storage per Vault and scoped data access per Workspace.
- Industry-standard authorization for MCP clients with configurable permissions (read, write) and path restrictions.
- Rate limiting on authentication endpoints.
Data Minimization
- File contents are never stored in our database — only irreversible search indexes.
- File contents transit in memory during indexing and are not persisted.
- Search indexes cannot be used to reconstruct the original text.
Infrastructure
- All infrastructure hosted in the EU (Paris, France).
- Container-based deployment with automated updates.
- Database backups with point-in-time recovery.
7. Data Subject Rights
The Processor shall assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection) by:
- Providing the Controller with the ability to access, modify, and delete Customer Data through the Service
- Promptly notifying the Controller if the Processor receives a request directly from a Data Subject
- Not responding to Data Subject requests directly, unless authorized by the Controller
8. Audits
The Processor shall make available to the Controller, upon reasonable request and with reasonable advance notice, information necessary to demonstrate compliance with this DPA. The Controller may conduct an audit, directly or through a mandated third-party auditor (bound by confidentiality), no more than once per year.
The Processor may satisfy audit requests by providing relevant certifications, audit reports, or compliance documentation.
9. Data Breach Notification
The Processor shall notify the Controller without undue delay (and no later than 48 hours) after becoming aware of a Personal Data breach. The notification shall include:
- The nature of the breach, including categories and approximate number of Data Subjects affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach
- Contact details for further information
10. International Transfers
All Personal Data is processed and stored within the European Economic Area (EEA). The Processor does not transfer Personal Data outside the EEA. All Subprocessors are EU-based.
If a transfer outside the EEA becomes necessary in the future, the Processor shall ensure appropriate safeguards are in place (Standard Contractual Clauses or adequacy decision) and obtain prior authorization from the Controller.
11. Data Deletion and Return
Upon termination of the Terms of Service, the Processor shall:
- Delete all Customer Data and search indexes within 30 days
- At the Controller's request (made before termination), provide a data export in a machine-readable format
- For BYOB Vaults: cease access to the Controller's storage and delete stored credentials
- For Managed Storage: permanently delete all stored files
- Provide written confirmation of deletion upon request
12. Liability
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service.
13. Term
This DPA is effective for the duration of the Terms of Service. Obligations related to data deletion and confidentiality survive termination.
14. Contact
For questions about this DPA or to exercise rights under it:
- Email: privacy@vaulken.dev
- General inquiries: hello@vaulken.dev