Data Processing Agreement
Last updated: April 11, 2026
1. Definitions
For the purposes of this Data Processing Agreement ("DPA"), the following terms shall have the meanings set forth below. All capitalized terms not defined herein shall have the meanings given to them in the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Terms of Service.
- "Controller" means the entity that determines the purposes and means of Processing of Personal Data (you, the customer).
- "Processor" means the entity that Processes Personal Data on behalf of the Controller (XDRIP Digital Management LLC, operating as XVaultPro Shop).
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data, whether by automated means or not.
- "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
- "Sub-processor" means any third party engaged by the Processor to Process Personal Data on behalf of the Controller.
2. Scope and Purpose
This DPA applies to the Processing of Personal Data by the Processor on behalf of the Controller in connection with the XVaultPro Shop and Aegis subscription services.
3. Categories of Data Subjects
- Individual customers and license holders
- Authorized users within enterprise accounts
- Business contacts and representatives of the Controller
4. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required by applicable law
- Ensure that persons authorized to Process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures (Art. 32 GDPR)
- Assist the Controller in responding to Data Subject requests (Arts. 15–22 GDPR)
- Notify the Controller without undue delay (within 72 hours) upon becoming aware of a Personal Data breach
- Delete or return all Personal Data upon termination of the services, unless retention is required by law
5. Data Retention and Deletion
Upon termination of the services, the Processor shall, at the Controller's election, delete or return all Personal Data within 30 days. The Processor may retain copies only to the extent required by applicable law (e.g., tax obligations for 7 years).
6. Sub-processors
Current Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing and fraud prevention | United States |
| Hosting Provider (Self-managed) | Application hosting and data storage | United States |
| Matomo (Self-hosted) | Website analytics (no data shared externally) | United States (same server) |
7. International Transfers
XDRIP Digital Management LLC is based in the United States. For transfers of Personal Data from the EEA/UK to the United States, the Processor relies on:
- Standard Contractual Clauses (SCCs) — as approved by the European Commission (Decision 2021/914)
- Adequacy decisions — where applicable to specific Sub-processor jurisdictions
Copies of applicable SCCs are available upon request at contact@xvaultpro.com.
8. DPIA Assistance
The Processor shall provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments (DPIAs) where required under Art. 35 GDPR.
9. Liability and Indemnification
Each party shall be liable for damages caused by its Processing activities that violate applicable data protection law. Liability under this DPA is subject to the limitations set forth in the Terms of Service.
10. Contact
XVaultPro Shop — XDRIP Digital Management LLC
Data Protection Contact
1345 Diana Lane, Colorado Springs, CO 80909, United States
Email: contact@xvaultpro.com