Data processing addendum

Definitions

Capitalised terms not defined in this DPA have the meaning given in the GDPR. "Customer" means the legal entity that has accepted the Terms of use and is the controller of the Personal Data processed under this DPA. "Vidimus" means VIDIMUS SASU, acting as processor.

Subject matter, duration, nature and purpose

• Subject matter: provision of the Vidimus assurance platform — intake, classification, probe synthesis, monitoring, and evidence-pack export — as described in the Terms of use.
• Duration: the term of the agreement between Customer and Vidimus, plus any period during which Vidimus continues to process Personal Data on documented instructions to comply with a legal obligation or to facilitate transition.
• Nature of processing: hosting, storage, retrieval, structuring, analysis, and disclosure to authorised recipients, in support of the service.
• Purpose: enabling Customer to assess, document, and demonstrate compliance of AI agents under the EU AI Act, GDPR, DORA, and equivalent regimes.

Categories of data and data subjects

The categories of Personal Data and of data subjects depend on Customer's use of the platform and are determined by Customer in its capacity as controller. By default they may include:

• Identifiers and professional contact details of Customer's personnel (account, audit-log actors);
• Content submitted by Customer (agent intake declarations, evidence documents, uploaded files) which may incidentally contain personal data of data subjects chosen by Customer;
• Technical telemetry (IP address, user-agent) of Customer personnel using the platform.

Special-category data (Article 9 GDPR) is not contemplated by default. Customer shall not upload special-category data unless previously agreed in writing.

Documented instructions

Vidimus processes Personal Data solely on the documented instructions of Customer. These instructions are constituted by (i) the Terms of use, (ii) this DPA, (iii) the configuration choices Customer makes in the platform, and (iv) any further written instruction given through the support or DPO channels. Vidimus will inform Customer if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection law (Article 28(3) GDPR).

Confidentiality of personnel

Vidimus ensures that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Security measures (Article 32 GDPR)

Vidimus implements technical and organisational measures appropriate to the risk, including:

• Encryption of Personal Data in transit (TLS 1.2+) and at rest;
• Tenant isolation enforced through Postgres row-level security, in addition to application checks;
• Authentication, role-based access control, secret rotation, and least-privilege personnel access;
• An append-only audit trail of approval decisions, overrides, and exports;
• Vulnerability management, security testing, and a responsible-disclosure programme (security@vidimus.eu);
• Business-continuity and disaster-recovery measures, with periodic restoration tests.

Sub-processors

Customer authorises Vidimus to engage sub-processors to support the service. As of the date above, the active sub-processors include:

• Supabase (Postgres database, authentication, object storage) — hosted via AWS in eu-central-1 (Frankfurt).
• Vercel (frontend hosting and serverless functions) — Customer data processed by serverless functions is routed to EU regions.
• Mistral AI (LLM provider) — EU-based, EU-hosted by default for Vidimus workloads.
• Langfuse (observability of LLM calls) — EU region.

Vidimus shall inform Customer of any intended addition or replacement of sub-processors at least thirty (30) days in advance, giving Customer the opportunity to object on reasonable grounds. Sub-processors are bound by the same data-protection obligations as those set out in this DPA, by written contract.

International transfers

Vidimus is configured to keep Personal Data inside the European Economic Area. Where a transfer outside the EEA is unavoidable for a strictly ancillary purpose, it shall be governed by Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) supplemented by any further safeguards required by Schrems II, including transfer-impact assessment and any technical or organisational supplementary measures.

Assistance with data-subject requests

Taking into account the nature of the processing, Vidimus assists Customer by appropriate technical and organisational measures, insofar as possible, for the fulfilment of Customer's obligation to respond to requests for exercising data subjects' rights under Chapter III of the GDPR.

Personal data breach notification

Vidimus notifies Customer without undue delay, and in any event within seventy-two (72) hours after becoming aware of a Personal Data breach, providing the information required by Article 33(3) GDPR to enable Customer to comply with its own notification obligations.

DPIA and prior consultation

Vidimus provides reasonable assistance to Customer with any data-protection impact assessment and any prior consultation of the supervisory authority that Customer is required to perform under Articles 35 and 36 GDPR, where this relates to the use of the Vidimus platform.

Audit rights

Vidimus makes available to Customer all information necessary to demonstrate compliance with Article 28 GDPR, and allows for and contributes to audits, including inspections, conducted by Customer or another auditor mandated by Customer, no more than once per year unless required by a regulator, on reasonable advance notice, and subject to confidentiality. Vidimus may satisfy audit requirements by providing relevant independent third-party attestations where reasonably equivalent.

Return or deletion at end

At the choice of Customer, Vidimus shall return or delete all Personal Data after the end of the provision of the services relating to processing, and delete existing copies unless Union or Member State law requires storage. Deletion is completed within thirty (30) days from termination unless a longer period is required by law.

Liability

Each party's liability under this DPA is subject to the limitation of liability set out in the Terms of use or, where applicable, the Master Services Agreement. Nothing in this DPA limits any liability that cannot be limited under applicable data-protection law.

Order of precedence

In case of conflict between this DPA and the Terms of use or any other agreement between the parties on the subject of personal-data processing, this DPA prevails. Mandatory provisions of applicable data-protection law prevail over this DPA.