Data Processing Agreement
Effective date: 1 February 2026 · Last updated: February 2026
This Data Processing Agreement (“DPA”) forms part of the VendorTrace Terms of Service between LINA Solutions AB (“Processor”) and the Customer (“Controller”). It governs the processing of personal data by VendorTrace on behalf of the Customer.
Note on roles
LINA Solutions AB acts as a data controller for account and usage data collected directly from VendorTrace users (see the Privacy Policy). This DPA governs the separate, additional role LINA Solutions AB plays as a data processor when processing personal data submitted by the Customer through the Service.
1. Definitions
“Personal data” has the meaning given in GDPR Article 4(1).
“Controller” means the Customer, who determines the purposes and means of processing personal data through VendorTrace.
“Processor” means LINA Solutions AB, registered in Sweden, operating VendorTrace.
“Sub-processor” means any third party engaged by the Processor to carry out processing activities on behalf of the Controller.
“GDPR” means Regulation (EU) 2016/679 (General Data Protection Regulation).
“Services” means the VendorTrace platform as described in the Terms of Service.
2. Scope and roles
This DPA applies to all personal data processed by the Processor in connection with providing the Services to the Controller.
The Processor processes personal data only as a data processor acting on behalf of the Controller. The Controller is the data controller for the personal data of its end users submitted to the Services.
3. Processing details
Subject matter
Provision of the VendorTrace vendor compliance intelligence platform, including domain scanning, vendor identification, report generation, and account management.
Duration
For the term of the Customer's subscription to the Services, plus any retention period specified in the Privacy Policy and applicable law.
Nature of processing
Collection, storage, retrieval, use, and deletion of personal data as necessary to operate the Services.
Purpose
To authenticate users, store and return scan results, process billing, send transactional emails, and maintain audit logs as described in the Privacy Policy.
Data subjects
- Users of the Customer's VendorTrace account (employees, contractors)
Categories of personal data
- Name and email address
- Organisation profile (company name, size, industry, use case)
- IP addresses (recorded in activity audit logs)
- Domain names submitted for scanning
- Billing contact details (name, email; card data is handled by Stripe)
Special categories
VendorTrace does not process special categories of personal data as defined in GDPR Article 9.
4. Processor obligations
The Processor shall:
- Process personal data only on documented instructions from the Controller (which include the Terms of Service and this DPA), unless required by applicable law.
- Ensure that persons authorised to process personal data are bound by confidentiality obligations.
- Implement appropriate technical and organisational security measures as described in Section 7.
- Assist the Controller in responding to requests from data subjects exercising their rights under Chapter III of GDPR.
- Assist the Controller in meeting obligations under GDPR Articles 32-36 (security, breach notification, DPIA, prior consultation).
- Delete or return all personal data upon termination of the Services, at the Controller's choice, unless retention is required by applicable law.
- Make available all information necessary to demonstrate compliance with this DPA and cooperate with audits requested by the Controller (with reasonable notice).
5. Controller instructions
The Controller instructs the Processor to process personal data as necessary to provide the Services described in the Terms of Service and this DPA.
The Controller warrants that it has a lawful basis under GDPR for processing the personal data it submits to the Services (for example, legitimate interest or contract performance for its own employees).
6. Sub-processors
The Controller provides general authorisation for the Processor to engage sub-processors. The current list of sub-processors, their locations, data categories, and transfer safeguards is published at: vendortrace.io/subprocessors.
The Processor will notify the Controller at least 30 days before adding a new sub-processor or making a material change to an existing one. Notification is sent by email to the account holder. The Controller may object in writing within 30 days of notification. If the Processor cannot accommodate the objection without materially altering the Services, either party may terminate the affected Services with 30 days' notice and the Controller will receive a pro-rata refund for any prepaid period.
The Processor imposes data protection obligations on all sub-processors equivalent to those in this DPA and remains liable for their performance.
7. Security measures
The Processor implements the technical and organisational measures described in the Security overview, including:
- TLS 1.2+ for all data in transit with HSTS enforcement
- AES-256 encryption at rest for all stored data (AWS-managed keys)
- Session tokens: refresh tokens are held in httpOnly, SameSite=Strict cookies; access tokens are held in browser memory only
- Strict Content Security Policy preventing unauthorised script execution
- Least-privilege IAM roles for all infrastructure components
- MFA required for production infrastructure access
- Customer data isolated by account ID in DynamoDB
- JWT validation at the API Gateway layer before any data handler executes
8. International data transfers
Where personal data is transferred to a sub-processor outside the EEA, the Processor ensures the transfer is subject to an appropriate safeguard under GDPR Chapter V. The safeguards used are:
- Standard Contractual Clauses: EU Commission Decision 2021/914. Module 2 (Controller to Processor) applies to Stripe, where LINA Solutions AB acts as data controller for billing and subscription data. Module 3 (Processor to Sub-Processor) applies to Tavily, Resend, and Google LLC (when the Google Workspace integration is active), where LINA Solutions AB acts as data processor on behalf of the Customer.
- EU-US Data Privacy Framework: where the sub-processor participates (currently Stripe).
Full transfer details are published at vendortrace.io/subprocessors.
9. Data subject rights
The Processor will forward any data subject request received that relates to the Controller's processing to the Controller without undue delay. The Processor will assist the Controller in fulfilling such requests to the extent the Processor has access to the relevant data.
Data subjects may exercise rights directly by contacting info@vendortrace.io.
10. Data breach notification
The Processor will notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of any personal data breach that affects Customer data. Notification will be sent to the account holder email address and will include:
- A description of the nature of the breach
- The categories and approximate number of individuals and records affected
- The likely consequences of the breach
- Measures taken or proposed to address the breach
11. Audit rights
The Processor will provide the Controller with all information reasonably necessary to demonstrate compliance with this DPA. The Processor will allow for and contribute to audits, including inspections, by the Controller or a mandated auditor, on reasonable prior written notice (minimum 30 days) and at the Controller's cost. Audits are conducted during normal business hours and may not unreasonably disrupt operations.
The Processor may satisfy audit requests by providing current third-party audit reports (e.g. AWS SOC 2 reports available via AWS Artifact) where applicable.
12. Deletion and return of data
On termination of the Services, the Processor will, at the Controller's choice, delete or return all personal data processed on behalf of the Controller. Deletion will be completed within 30 days of the end of the Services term, except where retention is required by applicable law (e.g. billing records).
The Controller may request an export of its data before termination. Export requests should be submitted to info@vendortrace.io.
13. Governing law
This DPA is governed by the laws of Sweden. Disputes are subject to the exclusive jurisdiction of the courts of Sweden. Nothing in this clause limits the Controller's right to lodge a complaint with a supervisory authority in any EU member state.
14. Contact
Data controller contact for privacy and DPA matters: LINA Solutions AB, info@vendortrace.io
To request a signed PDF version of this DPA, email info@vendortrace.io with the subject line “DPA request”.
