Data Processing Agreement (DPA)
GDPR Article 28 Compliant · Last updated: June 5, 2026
1. Parties
Data Processor: DAMIAN KUSIK, ul. 21 Stycznia 20/60 14-100 Ostróda, Poland.
Data Controller: The Customer (organization using VantaGate).
2. Subject Matter
VantaGate processes personal data strictly on behalf of the Controller for the sole purpose of providing asynchronous human-in-the-loop decision infrastructure. The Controller bears ultimate and exclusive legal responsibility for the legality, accuracy, and legal basis of all data transmitted to the Processor's API under the GDPR and applicable laws.
3. Nature of Processing
Processing operations are strictly limited to: automated collection, AES-256 ephemeral encryption, transient storage, deletion ("The Purge"), and transmission of metadata. Payload data is processed strictly "as is" without integrity guarantees, and is irrevocably destroyed the exact moment a human decision is recorded, permanently absolving the Processor of further data retention liabilities.
4. Processor Obligations & Exclusions (Art. 28(3))
- Process data exclusively on documented instructions from the Controller, assuming no liability for the content processed.
- Ensure persons authorized to process data are bound by strict statutory or contractual confidentiality obligations.
- Implement technical and organizational security measures strictly on a commercially reasonable, "as available" basis, without absolute guarantees against novel cyber threats, zero-day exploits, or unauthorized third-party breaches.
- Assist the Controller, insofar as technically possible given the Zero-Retention architecture, in fulfilling data subject rights requests, acknowledging that purged data cannot be recovered.
- Automatically and irrevocably delete all payload data upon decision execution or service termination.
- Make available information necessary to demonstrate compliance, strictly limited to documentation that does not compromise system security or trade secrets.
5. Sub-processors
The Controller explicitly provides general written authorization for VantaGate to engage the following sub-processors: Supabase (database), Hetzner (hosting), Stripe (payments), Resend (email). VantaGate expressly disclaims any and all financial or legal liability for data breaches, outages, or compliance failures originating within the infrastructure of these independent third-party sub-processors.
6. Security Measures & Acknowledgement of Risk
- Standard AES-256-GCM encryption for payload data at rest, provided without absolute immunity against sophisticated cryptographic attacks.
- Argon2id hashing for API keys to mitigate, but not entirely eliminate, the risk of credential compromise.
- HMAC-SHA256 for identity proofs and webhook signatures.
- Row Level Security (RLS) policies implemented within the PostgreSQL database layer.
- Zero-Retention Protocol: payload data is physically deleted once a decision is recorded, serving as our primary liability mitigation measure against data exfiltration.
- TLS 1.2+ for data in transit; however, VantaGate accepts no liability for data intercepted across public internet networks prior to reaching our servers.
For a digitally signed version of this DPA or official compliance inquiries, contact the designated Data Protection Officer at: [email protected]