Skip to main content

Data Processing Agreement (DPA)

Effective Date: March 3, 2026

Version: 1.0

This DPA forms part of the Vortex Files Terms of Service for enterprise customers and applies where GDPR/UK GDPR is relevant.

Download PDF templateView Terms of Service

1. Parties, Roles, and Scope

This DPA is between QVXX Ltd. (Vortex Files)as Processor and the customer entity as Controller (or Processor, where applicable). It governs processing of personal data carried out to provide the Vortex Files platform.

  • Subject matter: Hosting, transfer, access management, and collaboration on project files.
  • Duration: For the term of service use, including limited retention periods required for security, legal obligations, and backup integrity.
  • Purpose: Delivering and securing the service, including authentication, logging, and customer support.

2. Categories of Data and Data Subjects

  • Data subjects: Customer users, collaborators, invited clients, support contacts.
  • Personal data: Name, email, account IDs, auth/session logs, IP address, user-agent, project/file metadata, optional message content and comments.
  • Special categories: Not intentionally required by Vortex Files. Controller remains responsible for lawful handling if uploaded.

3. Processor Obligations (GDPR Art. 28)

  • Process data only on documented customer instructions.
  • Ensure confidentiality commitments for personnel handling personal data.
  • Implement appropriate technical and organizational security measures (encryption in transit/at rest, access controls, logging, and monitoring).
  • Assist the Controller with data subject rights requests and DPIA support where processing information is needed.
  • Make information available to demonstrate compliance and enable audits as described below.

4. Subprocessors and Consent Model

Controller provides general authorization for subprocessors used to operate Vortex Files. Current subprocessors are listed in the Privacy Policy at /legal/privacy#subprocessors.

Vortex Files will provide notice of material subprocessor changes through legal updates. Controller may object on reasonable data-protection grounds and both parties will work in good faith on a remediation path.

5. International Transfers and SCCs

Where personal data is transferred outside the UK/EU/EEA and no adequacy decision applies, Vortex Files will rely on appropriate safeguards including Standard Contractual Clauses (SCCs) and/or UK transfer addenda, with supplementary measures where required.

6. Security and Breach Notification

  • Security controls are described inthe Privacy Policyand maintained under a risk-based security program.
  • If Vortex Files becomes aware of a confirmed personal data breach affecting Controller data, Vortex Files will notify Controller without undue delay and provide relevant incident details as they become available.

7. Audit Rights and Evidence

Upon reasonable written notice and no more than once per year (unless required by law or following a security incident), Controller may request compliance information or an audit process proportionate to risk and confidentiality obligations.

8. Deletion or Return of Data

On termination of services, Controller may request return or deletion of personal data, subject to legal retention requirements, fraud-prevention needs, and backup lifecycle constraints.

9. Contact

For DPA requests, signed annexes, or enterprise review, contactcompliance_vortexfiles@qvxx.ai.