Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") forms an integral part of the Service Agreement between the CUSTOMER ("Controller") and Vectorspace Ltda. ("Processor" or "Vectorspace"), setting out the conditions for personal data processing in the scope of the Services, under the Brazilian LGPD (Law No. 13,709/2018) and, where applicable, the EU General Data Protection Regulation (GDPR).

Last updated: April 18, 2026

1. Definitions

"Personal Data": any information relating to an identified or identifiable natural person (LGPD art. 5, I and GDPR art. 4(1)).

"Processing": any operation performed on Personal Data.

"Data Subject": the natural person to whom the Personal Data refers.

"Subprocessor": any third party engaged by Vectorspace to process Personal Data on behalf of the Controller.

"Security Incident": any confirmed or suspected event resulting in unauthorized access, loss, destruction, alteration, or disclosure of Personal Data.

2. Roles of the Parties

With respect to Personal Data of the Controller's end users processed within the Services:

(a) Controller: the CUSTOMER is the Controller, determining the purposes and essential means of processing.

(b) Processor: VECTORSPACE acts as Processor, processing data on behalf of the Controller under its documented instructions and as set out in the Agreement and this DPA.

(c) Representatives and collaborators: regarding data of the CUSTOMER's legal representatives and collaborators who access the platform, VECTORSPACE acts as its own Controller, pursuant to its Privacy Policy.

3. Scope, nature and purposes of processing

(a) Nature and purposes: knowledge-base indexing; automated response generation via language models; aggregate analytics; platform operation, monitoring, and security.

(b) Data-subject categories: end users interacting with the widget or Desk; Controller collaborators with access to the Dashboard/Desk.

(c) Personal Data categories: message content, session identifiers, IP address, user-agent, corporate email, name, role.

(d) Duration: for the term of the Agreement, plus the 30-day post-contractual retention period and applicable legal periods.

4. Vectorspace obligations as Processor

Vectorspace undertakes to:

(a) process Personal Data exclusively in accordance with the Controller's documented instructions and the stated purposes;

(b) ensure its personnel are under a duty of confidentiality;

(c) implement and maintain appropriate technical and organizational measures for data security (LGPD art. 46);

(d) assist the Controller in handling data-subject requests;

(e) assist the Controller in queries and obligations before data-protection authorities;

(f) notify the Controller within 48 hours of becoming aware of any Security Incident affecting its data;

(g) delete or return Personal Data at the end of the Agreement, as instructed by the Controller, except for legally required retention.

5. Subprocessors

(a) General authorization. By accepting this DPA, the Controller grants general authorization for Vectorspace to engage Subprocessors to provide the Services.

(b) Current Subprocessor categories:

Language model (LLM) provider: response generation, USA.

Application hosting provider: API execution, USA.

Managed database provider: storage, authentication, and persistence, USA.

Transactional email provider: operational email delivery, USA.

Messaging provider (where applicable to the WhatsApp add-on): message sending and receiving, USA.

Website hosting provider: site and dashboard delivery, USA.

The detailed Subprocessor list, including legal name, service provided, and region, is communicated to the Controller upon formal request to the DPO (hello@vectorspace.digital), in accordance with LGPD art. 46.

(c) Change notice. Vectorspace will notify the Controller at least 30 days in advance of any addition or replacement of a Subprocessor. The Controller may object in writing, on reasonable data-protection grounds, within that period. If the objection cannot be resolved, the Controller may terminate the Agreement without penalty, limited to the portion of Services directly affected by the contested Subprocessor.

(d) Flow-down. Vectorspace contractually imposes on Subprocessors data-protection obligations no less protective than those in this DPA.

6. Technical and organizational measures

Vectorspace adopts, as a minimum, the following measures:

Access control: federated authentication (email+password + SSO), Role-Based Access Control (RBAC), principle of least privilege.

Encryption: TLS 1.2+ in transit; industry-standard at-rest encryption.

Multi-tenant isolation: each project has an independent knowledge vault, with no data sharing between customers. Database-level access policies enforce scoping.

Audit logs: administrative access logs, configuration changes, and sensitive-data access.

Backups: periodic backups with at least 7 days of retention, managed by the database provider.

Vulnerability management: dependency monitoring, regular updates, reliance on providers with internationally recognized security certifications.

Incident response: documented procedure covering detection, containment, communication, and post-incident analysis.

7. Data-subject rights

Vectorspace will provide reasonable assistance to the Controller in handling data-subject requests (access, correction, anonymization, deletion, portability, objection) within a timeframe consistent with applicable law.

Should Vectorspace receive a data-subject request directly from one of the Controller's data subjects, it will forward the request to the Controller without undue delay and will not respond directly to the data subject, unless expressly instructed otherwise.

8. International transfers

Personal Data may be transferred to the United States due to the listed Subprocessors. Vectorspace makes efforts to ensure that such transfers comply with LGPD art. 33 and, where applicable, the safeguards required by GDPR (standard contractual clauses or equivalent mechanisms adopted by the Subprocessors).

9. Audit

Upon formal request with at least 30 (thirty) days' prior notice, Vectorspace shall provide the Controller with reasonable information and documentation to demonstrate compliance with this DPA, preferably in the form of questionnaire responses, copies of Subprocessor certifications, and operational reports.

On-site audits are permitted only upon reasonable justification, during business hours, with costs borne by the Controller, and with safeguards that preserve the security of Vectorspace's infrastructure and of other customers' data.

10. Retention, return, and deletion

Upon termination of the Agreement, Vectorspace shall retain Personal Data for up to 30 (thirty) days to allow extraction/export by the Controller. After that period, data will be irreversibly deleted from Vectorspace systems and applicable Subprocessors, barring legal retention obligations.

Upon reasonable prior notice from the Controller, Vectorspace shall make the data available in a structured format (CSV, JSON, or similar).

11. Liability

The Parties' liabilities for breach of this DPA are subject to the limits and exclusions set out in the Service Agreement, except for penalties imposed by regulatory authorities for direct breach of obligations proper to each Party as Controller or Processor.

12. Term and conflicts

This DPA is in force while the Service Agreement is in effect and survives with respect to obligations of retention, deletion, confidentiality, and incident notification.

In case of conflict between this DPA and the Agreement, the provisions of this DPA prevail with respect to Personal Data processing.