Data Processing Agreement

Last updated: April 2026

This Data Processing Agreement ("DPA") is incorporated into and forms part of the Vibranius Terms of Service between Eveleone LTD ("Processor") and the customer entity ("Controller" or "you").

1. Parties

Data Controller

Customer Entity: [Your Company Name]
Address: Address available on request (contact [email protected])
Representation: By accepting the Vibranius Terms of Service, you confirm that you have the authority to bind your entity to this DPA.

Data Processor

Company: Eveleone LTD
Registered in: Cyprus (European Union)
Registration Number: [To be added]
Address: Address available on request (contact [email protected])
Contact: [email protected]

2. Subject Matter and Duration

2.1. Subject Matter

This DPA covers the processing of personal data in connection with the provision of the Vibranius self-hosted workspace service, including:

Deployment and management of dedicated server infrastructure
Provision of software modules for business productivity
Technical support and maintenance
Billing and account management

2.2. Duration

This DPA commences on the Effective Date and continues for the duration of the Vibranius Terms of Service, unless terminated earlier in accordance with Section 8.

3. Nature and Purpose of Processing

3.1. Categories of Data

Processor processes the following categories of personal data on behalf of Controller:

Account Data: Names, email addresses, phone numbers, company information
Billing Data: Payment information, invoices, tax identifiers
Usage Data: Login timestamps, IP addresses, feature usage metrics
Support Data: Support emails, error logs (if provided for troubleshooting)

3.2. Purpose

Processing is performed for the following purposes:

Providing the Vibranius service
Managing user accounts and authentication
Processing payments and subscriptions
Providing technical support
Maintaining service security and performance
Complying with legal obligations

3.3. Data Subjects

Data subjects include:

Controller's employees and contractors
Controller's customers and business contacts
Individuals whose data is stored within the Vibranius workspace

4. Processor Obligations

4.1. Acting on Instructions

Processor shall process Personal Data only on documented instructions from Controller, unless required to do so by EU or Member State law to which Processor is subject. In such case, Processor shall inform Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

4.2. Confidentiality

Processor shall ensure that persons authorized to process Personal Data are committed to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3. Security Measures

Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

Pseudonymization and encryption of personal data
The ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems
The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures

Specific measures include:

AES-256 encryption at rest
TLS 1.3 encryption in transit
Automated daily backups with configurable retention (30-180 days)
Access logging and monitoring
Two-factor authentication (2FA)
Regular security updates and patches

4.4. Sub-processor Engagement

Processor may engage sub-processors only with Controller's prior authorization, which shall not be unreasonably withheld. For details, see Section 5 and the Sub-processor List.

4.5. Data Breach Notification

Processor shall notify Controller without undue delay after becoming aware of a personal data breach. Notification shall include:

Description of the breach
Categories and approximate number of data subjects concerned
Name and contact details of data protection officer
Likely consequences of the breach
Measures taken or proposed to address the breach

Notification shall be made without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach.

4.6. Data Subject Rights

Processor shall assist Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Controller's obligation to respond to requests for exercising the data subject's rights under GDPR (Articles 15-22).

4.7. Data Deletion and Return

Upon termination of the Services, Processor shall:

Delete all Personal Data processed on behalf of Controller within 30 days, or
Return all Personal Data to Controller in a commonly used format, or
Securely destroy Personal Data and certify to Controller that destruction has occurred

This obligation does not apply to Personal Data that Processor is required to store under EU or Member State law.

4.8. Audit Rights

Controller shall have the right to conduct an audit of Processor's compliance with this DPA, subject to reasonable notice and business confidentiality constraints. Controller may also require Processor to provide a summary of Processor's security practices and any relevant certifications (e.g., ISO 27001).

5. Sub-processor List

Processor uses the following sub-processors:

Hetzner Online GmbH (Germany, EU) — Dedicated server infrastructure. View details
Stripe Inc. (USA) — Payment processing. View details
Let's Encrypt (USA) — SSL/TLS certificates. View details

Controller's authorization for these sub-processors is granted by accepting this DPA. Processor shall notify Controller of any intended change concerning the addition or replacement of sub-processors at least 30 days in advance.

Controller may object to such changes by giving written notice to Processor. In such case, Processor may either: (a) not engage the new sub-processor, or (b) terminate the Services with 30 days' notice.

6. International Data Transfers

Personal Data may be transferred to countries outside the European Economic Area ("EEA") only if:

The European Commission has issued an adequacy decision for that country, or
Appropriate safeguards are in place (e.g., Standard Contractual Clauses), or
One of the exceptions for specific situations under GDPR Article 49 applies

For transfers to the United States, Processor relies on the European Commission's Standard Contractual Clauses (Commission Decision (EU) 2021/914).

7. Liability

Processor shall be liable to Controller for damages caused by Processor's breach of this DPA or GDPR obligations relating to processing. The aggregate liability under this section shall be limited as set forth in the Vibranius Terms of Service.

8. Termination

Either party may terminate this DPA by giving at least 30 days' written notice to the other party. Upon termination:

Processor shall cease processing Personal Data on behalf of Controller
Processor shall delete or return Personal Data as set forth in Section 4.7
All other rights and obligations shall survive termination

9. Governing Law

This DPA shall be governed by the laws of the Republic of Cyprus and the European Union. Any disputes shall be resolved in the courts of Nicosia, Cyprus.

10. Entire Agreement

This DPA, together with the Vibranius Terms of Service and Privacy Policy, constitutes the entire agreement between the parties regarding data processing. In case of conflict, this DPA prevails.

11. GDPR Provisions

This DPA incorporates the requirements of GDPR Articles 28 (Processor) and reflects Standard Contractual Clauses as required by GDPR Article 28(7) and Commission Decision (EU) 2021/914.

12. Contact

For questions regarding this DPA:

Data Protection Officer: [email protected]
Legal: [email protected]
Company: Eveleone LTD, Address available on request (contact [email protected]), Cyprus

By using the Vibranius service, you acknowledge that you have read, understood, and agree to be bound by this Data Processing Agreement.