Data Processing Agreement
This Data Processing Agreement ("DPA") applies where Vadom processes personal data on behalf of a customer, and forms part of the agreement between us. It reflects Article 28 of the GDPR.
1. Parties and roles
The Customer is the data controller. Vadom, an independent software project based in Ireland, is the data processor. Vadom processes personal data only to provide the service and only on the Customer's documented instructions, including the agreement and these terms.
2. Subject matter and duration
Processing lasts for the duration of the service agreement, plus any period required to return or delete data. The subject matter is the provision of the Vadom maintenance management service.
3. Nature and purpose of processing
Hosting, storing and processing maintenance records and the personal data of the Customer's users, so that the Customer can dispatch breakdowns, track downtime and keep auditable records.
4. Types of personal data and data subjects
- Data subjects: the Customer's employees and contractors who use the service (operators, engineers, supervisors, administrators).
- Personal data: names, email addresses, role, authentication data, and the activity, notes, photos and e-signatures those users create in the system.
5. Vadom's obligations
- Process personal data only on the Customer's documented instructions, unless required otherwise by law.
- Ensure personnel authorised to process the data are bound by confidentiality.
- Implement appropriate technical and organisational security measures (Annex B).
- Respect the conditions for engaging sub-processors (Annex A).
- Assist the Customer, taking account of the nature of processing, in responding to data subject requests.
- Assist the Customer with security, breach notification, and data protection impact assessments.
- On termination, delete or return the personal data at the Customer's choice, and delete existing copies unless retention is required by law.
- Make available the information needed to demonstrate compliance and allow for and contribute to audits.
6. Personal data breaches
Vadom will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's data, and provide the information the Customer reasonably needs to meet its own notification obligations.
7. Sub-processors
The Customer authorises Vadom to engage the sub-processors listed in Annex A. Vadom imposes data protection obligations on each sub-processor that are no less protective than this DPA, and remains liable for their performance. Vadom will give reasonable notice of any intended addition or replacement, allowing the Customer to object on reasonable grounds.
8. International transfers
Personal data is hosted in the EU (Ireland). Where any processing involves a transfer outside the EEA (for example, certain push-notification processing), Vadom ensures an appropriate safeguard is in place, such as an adequacy decision or Standard Contractual Clauses.
9. Liability and governing law
Liability under this DPA is subject to the limitations in the main agreement. This DPA is governed by the laws of Ireland.
Annex A, Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud hosting and storage | EU (Ireland) |
| Google Firebase | Push notifications to the mobile app | EU / global, under safeguards |
Annex B, Technical and organisational measures
- Encryption of data in transit (TLS / HTTPS).
- Passwords stored as one-way bcrypt hashes; time-limited session tokens.
- Role-based access control enforced server-side.
- Append-only, attributable, timestamped audit trail.
- Automated daily backups with rolling retention.
- Hosting on certified AWS infrastructure (ISO 27001, SOC 2) in the EU.
Full detail is on our Trust & Security page.