Data processing agreement

Effective 15 May 2026 · Version 1.0

This Data Processing Agreement ("DPA") forms part of the agreement between Vorhaven Ltd ("Vorhaven", "we", "us") and the customer ("Customer", "you") under which Vorhaven provides a software product (the "Service") to the Customer (the "Principal Agreement").

This is a published template. A countersigned, customer-specific version is available on request from legal@vorhaven.com. Where this published version and a countersigned version differ, the countersigned version prevails.

1. Parties and roles

Where Vorhaven processes personal data on behalf of the Customer in connection with the Service, the Customer is the controller and Vorhaven is the processor, as those terms are defined in the UK GDPR and (where applicable) the EU GDPR.

2. Definitions

Capitalised terms not defined here have the meanings given in the Principal Agreement or in Applicable Data Protection Laws. "Applicable Data Protection Laws" means the UK GDPR, the Data Protection Act 2018, the EU GDPR, and any other data-protection or privacy laws applicable to the processing.

3. Subject matter, duration, nature and purpose

1. Subject matter: the processing of personal data necessary for Vorhaven to provide the Service to the Customer.
2. Duration: the term of the Principal Agreement, plus any further period during which Vorhaven retains personal data as set out in clause 12.
3. Nature and purpose: hosting, transmission, analysis, and presentation of personal data within the Service, as required to deliver the functionality the Customer has subscribed to.
4. Types of personal data and categories of data subjects: as described in Schedule 1.

4. Vorhaven's obligations as processor

Vorhaven will:

• Process personal data only on the Customer's documented instructions — including those set out in the Principal Agreement and this DPA — unless required to process otherwise by law, in which case Vorhaven will notify the Customer first unless that law forbids notification;
• Ensure that personnel authorised to process personal data are under appropriate confidentiality obligations;
• Implement and maintain appropriate technical and organisational measures as set out in Schedule 2;
• Assist the Customer in fulfilling its obligations to respond to data-subject requests, conduct data-protection impact assessments, and consult the supervisory authority where required;
• Make available to the Customer information necessary to demonstrate compliance with this DPA and Article 28 of the UK GDPR.

5. Confidentiality

Vorhaven will treat personal data as the Customer's confidential information and protect it in accordance with the confidentiality terms of the Principal Agreement.

6. Security

Vorhaven will implement and maintain the technical and organisational measures set out in Schedule 2, having regard to the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to the rights and freedoms of natural persons.

7. Sub-processors

1. The Customer authorises Vorhaven to engage the sub-processors listed in Schedule 3, and any further sub-processors notified to the Customer at least thirty (30) days in advance, to assist in providing the Service.
2. Vorhaven will impose on each sub-processor contractual data-protection obligations no less protective than those in this DPA, and will remain liable to the Customer for the acts and omissions of its sub-processors.
3. The Customer may reasonably object to a proposed new sub-processor. If the parties cannot reach agreement, either party may terminate the affected element of the Service without penalty.

8. International transfers

Where Vorhaven or any sub-processor transfers personal data outside the United Kingdom or the European Economic Area, the transfer will be carried out under appropriate safeguards — including, as applicable, an adequacy decision, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or the EU Standard Contractual Clauses.

9. Data-subject rights

Vorhaven will, taking into account the nature of the processing and by appropriate technical and organisational measures (insofar as this is possible), assist the Customer in fulfilling its obligations to respond to data-subject requests. If a data subject contacts Vorhaven directly, Vorhaven will, without undue delay, refer the data subject to the Customer.

10. Personal-data breaches

Vorhaven will notify the Customer without undue delay, and in any event within seventy-two (72) hours, of becoming aware of a personal-data breach affecting the Customer's personal data. The notification will, at minimum, describe the nature of the breach, the likely consequences, and the measures taken or proposed to address it.

11. Records and audits

1. Vorhaven will maintain records of processing activities carried out on behalf of the Customer as required by Article 30(2) of the UK GDPR.
2. Once per twelve-month period, on at least thirty (30) days' written notice, the Customer (or an independent third-party auditor mandated by the Customer and reasonably acceptable to Vorhaven) may audit Vorhaven's compliance with this DPA at the Customer's cost. Audits will be conducted during normal business hours, will minimise disruption, and will not require access to other customers' data.

12. Return or deletion of personal data

On termination or expiry of the Principal Agreement, Vorhaven will, at the Customer's choice, return or delete all personal data processed on the Customer's behalf, except where retention is required by law. Vorhaven will, at the Customer's request, confirm in writing that this has been done.

13. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Principal Agreement.

14. Term and termination

This DPA takes effect on the effective date of the Principal Agreement and continues for as long as Vorhaven processes personal data on behalf of the Customer. Termination of the Principal Agreement automatically terminates this DPA, subject to obligations that survive by their nature.

15. Governing law

This DPA is governed by the law specified in the Principal Agreement. If none is specified, it is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction.

Schedule 1 — Categories of data

The categories of personal data and data subjects are determined by the Customer's use of the Service. They typically include identifiers and account data of the Customer's own users, and — where the Service crawls or analyses public-facing web content on the Customer's instructions — identifiers contained in that content.

Schedule 2 — Technical and organisational measures

Vorhaven applies industry-standard security measures including, without limitation:

• Encryption of personal data in transit (TLS 1.2 or higher);
• Encryption of personal data at rest where supported by underlying infrastructure;
• Role-based access control with least-privilege defaults;
• Multi-factor authentication for administrative access;
• Centralised logging and anomaly detection;
• Regular vulnerability scanning and patching of Service components;
• Regular backups and tested restore procedures;
• Personnel data-protection and security training;
• Documented incident-response procedures.

Schedule 3 — Authorised sub-processors

As of the effective date of this DPA, Vorhaven engages the following sub-processors:

• DigitalOcean, LLC — application hosting and managed databases;
• Cloudflare, Inc. — DNS, content delivery, and edge security;
• Stripe Payments Europe Ltd / Stripe, Inc. — subscription billing and payment processing (where applicable);
• Anthropic, PBC and other AI infrastructure providers — selective AI processing (where applicable, and only where the Customer has enabled AI features).

Vorhaven will update this list in line with clause 7.2 of this DPA.

Requesting a signed copy

To request a signed, customer-specific copy of this DPA, please email legal@vorhaven.com with your company name, registered address, jurisdiction, and the Vorhaven product covered.