Data Processing Addendum

Last Updated: 06/2025

This Data Processing Addendum ("DPA") forms part of the W9Vault Terms of Service and applies to business customers who process personal data of EU residents using our services. This DPA ensures GDPR compliance and establishes the data protection obligations between W9Vault and our business customers.

Important Notice

This DPA is automatically incorporated into your service agreement when you use W9Vault to process personal data of EU residents. For executed copies or specific questions, contact legal@w9vault.com.

1. Definitions

For the purposes of this DPA, the following definitions apply:

  • "Controller" means the entity that determines the purposes and means of processing personal data (typically our customer)
  • "Processor" means W9Vault, which processes personal data on behalf of the Controller
  • "Personal Data" has the meaning given in GDPR Article 4(1)
  • "Processing" has the meaning given in GDPR Article 4(2)
  • "Data Subject" has the meaning given in GDPR Article 4(1)
  • "Sub-processor" means any processor engaged by W9Vault to process personal data

2. Scope and Application

2.1 Applicability

This DPA applies when and to the extent that W9Vault processes personal data on behalf of the customer in the course of providing the W9Vault services, and such personal data is subject to GDPR.

2.2 Data Processing Activities

W9Vault processes personal data for the following purposes:

  • Secure collection and storage of W-9 and related tax documents
  • Email notifications and reminders to vendors
  • Document encryption, storage, and secure delivery
  • Audit logging and compliance reporting

3. Data Controller and Processor Obligations

3.1 Controller Responsibilities

The Controller (customer) shall:

  • Ensure a lawful basis for processing exists under GDPR Article 6
  • Provide clear privacy notices to data subjects
  • Obtain necessary consents where required
  • Respond to data subject rights requests
  • Notify W9Vault of any restrictions on processing

3.2 Processor Responsibilities

W9Vault (as Processor) shall:

  • Process personal data only on documented instructions from the Controller
  • Implement appropriate technical and organizational measures
  • Assist with data subject rights requests
  • Notify Controller of personal data breaches without undue delay
  • Delete or return personal data upon termination of services

4. Categories of Data and Data Subjects

4.1 Categories of Data Subjects

  • Vendors and contractors providing services to the Controller
  • Employees of vendor companies
  • Independent contractors and freelancers

4.2 Categories of Personal Data

  • Contact Information: Names, email addresses, business addresses
  • Tax Information: Tax identification numbers (SSN, EIN), tax forms
  • Business Information: Company names, business addresses, business classifications
  • Communication Data: Email correspondence, upload confirmations

5. Technical and Organizational Measures

5.1 Security Measures

W9Vault implements the following security measures:

  • Encryption: Client-side AES-256 encryption for all documents, TLS 1.3 for data in transit
  • Access Controls: Multi-factor authentication, role-based access, principle of least privilege
  • Data Minimization: Automatic 30-day document deletion, minimal data collection
  • Monitoring: Real-time security monitoring, audit logging, breach detection

5.2 Organizational Measures

  • Regular security training for all personnel
  • Data protection impact assessments for new features
  • Incident response procedures and breach notification protocols
  • Regular third-party security audits and assessments

6. Sub-processing

6.1 Authorized Sub-processors

The Controller provides general authorization for W9Vault to engage the following sub-processors:

  • Supabase: Database hosting and authentication services
  • Stripe: Payment processing services
  • Resend: Email delivery services
  • Vercel: Application hosting and content delivery
  • Sentry: Error monitoring and performance tracking

6.2 Sub-processor Obligations

W9Vault ensures that all sub-processors:

  • Are bound by data protection obligations equivalent to this DPA
  • Implement appropriate technical and organizational measures
  • Provide sufficient guarantees regarding GDPR compliance
  • Are subject to regular compliance monitoring and audits

7. International Data Transfers

7.1 Transfer Mechanisms

Personal data may be transferred to and processed in the United States. W9Vault ensures adequate protection through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable (e.g., Stripe payment processing)
  • Additional safeguards including encryption and access controls

7.2 Standard Contractual Clauses

The Standard Contractual Clauses for processors (Module 2) are incorporated by reference and form an integral part of this DPA. These clauses take precedence in case of any conflict with other provisions of this DPA.

8. Data Subject Rights

8.1 Assistance with Rights Requests

W9Vault will assist the Controller in responding to data subject rights requests by:

  • Providing access to personal data within our systems
  • Implementing corrections or updates as instructed
  • Deleting personal data upon request
  • Restricting processing where legally required
  • Providing data in portable format where technically feasible

8.2 Response Timeframes

  • Acknowledgment of rights requests: Within 72 hours
  • Provision of requested data or actions: Within 30 days
  • Complex requests may require up to 60 days with notification

9. Personal Data Breaches

9.1 Breach Notification

In the event of a personal data breach, W9Vault will:

  • Notify the Controller without undue delay and within 72 hours of becoming aware
  • Provide all relevant information about the breach
  • Assist with breach assessment and regulatory notifications
  • Implement immediate containment and remediation measures

9.2 Breach Information

Breach notifications will include:

  • Description of the nature of the breach
  • Categories and approximate number of data subjects affected
  • Categories and approximate number of records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

10. Data Protection Impact Assessments

W9Vault will assist the Controller with data protection impact assessments (DPIAs) by providing:

  • Information about our processing activities
  • Details of technical and organizational measures
  • Risk assessments for our processing operations
  • Consultation on risk mitigation measures

11. Audits and Compliance

11.1 Audit Rights

The Controller may audit W9Vault's compliance with this DPA through:

  • Review of third-party audit reports and certifications
  • Questionnaires and compliance assessments
  • On-site audits (with reasonable notice and at Controller's expense)

11.2 Compliance Documentation

W9Vault maintains records of processing activities and makes available information necessary to demonstrate compliance with this DPA and GDPR obligations.

12. Data Deletion and Return

12.1 End of Processing

Upon termination of services, W9Vault will:

  • Delete all personal data within 90 days of termination
  • Provide confirmation of deletion upon request
  • Return personal data if requested before deletion
  • Ensure sub-processors also delete or return personal data

12.2 Legal Retention Requirements

W9Vault may retain personal data to the extent required by applicable law, with appropriate safeguards to ensure the data is used only for the purposes for which it was retained.

13. Liability and Indemnification

13.1 Liability Allocation

Each party shall be liable for damages caused by its processing that infringes GDPR. W9Vault shall not be liable for damages caused by the Controller's failure to comply with its obligations under GDPR or this DPA.

13.2 Cooperation

The parties agree to cooperate in good faith to address any claims or regulatory inquiries related to the processing of personal data under this DPA.

14. Term and Termination

This DPA remains in effect for as long as W9Vault processes personal data on behalf of the Controller. Upon termination, the data deletion and return provisions in Section 12 shall apply.

15. Governing Law and Disputes

This DPA is governed by the same law as the main service agreement. Any disputes arising from this DPA shall be resolved through the dispute resolution mechanisms specified in the main agreement.

16. Contact Information

For questions about this DPA or to exercise rights under it:

DPA Execution

This DPA is automatically incorporated into your service agreement when you use W9Vault to process EU personal data. No separate signature is required.

For organizations requiring executed copies or custom DPA terms, please contact our legal team at legal@w9vault.com.