Data Processing Agreement
1. Definitions
Capitalised terms used but not defined here have the meanings given in the Terms of Service. The terms "personal data", "processing", "data subject", "controller", "processor", "sub-processor", "personal data breach", and "supervisory authority" have the meanings given in the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018 ("DPA 2018"), together "UK Data Protection Law".
"Customer Personal Data" means personal data processed by Vectro on behalf of the Customer through the Service, as further described in Annex 1.
"Sub-processor" means any third party engaged by Vectro to process Customer Personal Data, as listed in Annex 3.
2. Roles of the Parties
2.1 The Customer is the controller of Customer Personal Data and Vectro is the processor.
2.2 Each party shall comply with its respective obligations under UK Data Protection Law.
2.3 The Customer is responsible for ensuring it has a lawful basis for the processing of Customer Personal Data and for providing all required notices and obtaining all required consents from data subjects.
3. Scope and Subject of Processing
Vectro processes Customer Personal Data only on documented instructions from the Customer, including with regard to transfers to a third country, unless required to do so by law (in which case Vectro will inform the Customer of that legal requirement before processing, unless the law prohibits such notification on important grounds of public interest).
The Customer's instructions are set out in this DPA, the Terms of Service, the Privacy Policy, and the configuration choices made by the Customer within the Service. The subject matter, duration, nature, purpose, and categories of personal data and data subjects are set out in Annex 1.
4. Confidentiality
Vectro ensures that all personnel authorised to process Customer Personal Data have committed themselves to confidentiality (or are under an appropriate statutory obligation of confidentiality) and have received appropriate training on their data protection responsibilities.
5. Security of Processing
Vectro implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as set out in Annex 2. Vectro will assist the Customer, taking into account the nature of the processing and the information available to Vectro, in ensuring compliance with the security obligations under UK GDPR Article 32.
6. Sub-Processors
6.1 The Customer provides general written authorisation for Vectro to engage sub-processors, subject to the requirements of this clause.
6.2 Vectro maintains a current list of sub-processors in Annex 3. Vectro will provide reasonable advance notice (typically 30 days) of any intended changes to that list, giving the Customer the opportunity to object on reasonable data-protection grounds. If the Customer reasonably objects, Vectro will work in good faith to address the objection; if no resolution is reached, the Customer may terminate the affected portion of the Service.
6.3 Vectro imposes data protection obligations on each sub-processor that are no less protective than those in this DPA, by means of a written contract.
6.4 Vectro remains liable to the Customer for the acts and omissions of its sub-processors as if they were its own.
7. International Transfers
7.1 Where Vectro or its sub-processors transfer Customer Personal Data outside the UK, Vectro ensures that the transfer is made subject to one of the following safeguards:
- The destination country benefits from a UK adequacy decision; or
- The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses is in place between the parties (or relevant sub-processors); or
- Another lawful transfer mechanism under UK GDPR Chapter V applies.
7.2 Where required, Vectro applies supplementary measures (including encryption in transit and at rest) to ensure an essentially equivalent level of protection.
8. Data Subject Rights
Taking into account the nature of the processing, Vectro will assist the Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling the Customer's obligation to respond to requests from data subjects exercising their rights under UK GDPR Chapter III (access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making).
If Vectro receives a request directly from a data subject relating to Customer Personal Data, Vectro will not respond directly (other than to acknowledge receipt and direct the request to the Customer) and will forward the request to the Customer without undue delay.
9. Personal Data Breach
9.1 Vectro will notify the Customer without undue delay (and in any event within 48 hours of becoming aware) of any personal data breach affecting Customer Personal Data.
9.2 The notification will, to the extent reasonably available, describe: the nature of the breach; the categories and approximate number of data subjects and records affected; the likely consequences; the measures taken or proposed to address the breach and mitigate adverse effects; and a contact point for further information.
9.3 Vectro will provide reasonable assistance to the Customer in fulfilling its obligations to notify the supervisory authority (under UK GDPR Article 33) and affected data subjects (under UK GDPR Article 34).
10. Data Protection Impact Assessments
Vectro will provide reasonable assistance to the Customer with any data protection impact assessments and prior consultations with supervisory authorities required under UK GDPR Articles 35 and 36, taking into account the nature of the processing and the information available to Vectro.
11. Deletion and Return of Data
11.1 On termination of the Service or on the Customer's written request, Vectro will, at the Customer's choice, delete or return all Customer Personal Data, and delete existing copies, unless retention is required by applicable law.
11.2 The Customer may export Customer Personal Data via the export functions provided in the Service at any time before termination and for thirty (30) days after termination.
11.3 Backup copies of Customer Personal Data may persist on encrypted backup storage for up to thirty (30) days after the active data is deleted, after which they are overwritten on a rolling basis.
12. Audits and Information
12.1 Vectro will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, including a description of the technical and organisational measures (Annex 2) and the current sub-processor list (Annex 3).
12.2 The Customer may request an audit no more than once per year, on at least 30 days' written notice. Audits must be conducted during business hours, must not unreasonably interfere with Vectro's operations, and must be subject to confidentiality obligations. The Customer bears its own audit costs and Vectro's reasonable costs of cooperation.
12.3 In place of an on-site audit, Vectro may satisfy this clause by providing third-party certifications or attestations (where applicable) and by responding in writing to reasonable security questionnaires.
13. Liability
The liability of each party arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits any liability that cannot be limited by law.
14. Term and Termination
This DPA takes effect on the date the Customer accepts the Terms of Service or first uses the Service, whichever is earlier, and remains in force for as long as Vectro processes Customer Personal Data.
15. Order of Precedence
In the event of any conflict between this DPA and the Terms of Service or Privacy Policy regarding the processing of Customer Personal Data, this DPA prevails.
16. Governing Law
This DPA is governed by the laws of England and Wales. Disputes are subject to the dispute resolution and jurisdiction provisions of the Terms of Service.
Annex 1 — Description of the Processing
| Item | Description |
|---|---|
| Subject matter | Provision of the Vectro SaaS platform for managing leads, customers, quotes, appointments, products, suppliers, orders, internal team scheduling, and outbound communications with end customers and suppliers. |
| Duration | For the term of the Customer's subscription, plus a 30-day post-termination retention window and applicable backup rotation. |
| Nature and purpose | Storing, retrieving, modifying, displaying, and transmitting Customer Personal Data as required to deliver the Service features (CRM, quoting, scheduling, order processing, communication with end customers and suppliers, analytics on Customer's own data, bulk marketing emails composed by the Customer). |
| Categories of data subjects | The Customer's own end customers (e.g. homeowners purchasing window coverings); the Customer's authorised users (employees, contractors); the Customer's suppliers and supplier contacts. |
| Categories of personal data | Names, postal addresses, phone numbers, email addresses, appointment times and locations, quote details, internal notes recorded by the Customer, file attachments uploaded by the Customer (which may include photos and documents containing personal data), authentication credentials of authorised users, role and team-membership information for authorised users, working-day patterns and recurring schedule blocks, absence records for authorised users (including holiday, sick, personal, training and similar), a per-lead activity log of changes made by authorised users, content of marketing emails composed by the Customer and the corresponding recipient list and send results, supplier email addresses and the body of order communications, IP addresses and login timestamps for security. |
| Special categories | Absence records categorised as "sick" relate to the health of the Customer's authorised user and may, on a case-by-case basis, constitute special category data under UK GDPR Article 9. The Customer is the controller and is responsible for identifying its lawful basis under Article 9 (typically Article 9(2)(b), employment obligations, supported in the UK by Schedule 1 of the DPA 2018). Vectro processes only the minimum required to operate the absence-tracking feature (category label, dates, optional free-text note, approval status), does not require diagnoses or medical detail, and applies the security measures set out in Annex 2. Aside from sick-leave records, the Customer must not upload special category data (e.g. biometric data, racial or ethnic origin) into free-text or attachment fields without an appropriate lawful basis under UK GDPR Article 9. |
| Frequency of processing | Continuous, on demand whenever the Customer or an end customer (e.g. via a quote view link) interacts with the Service. |
Annex 2 — Technical and Organisational Measures
Vectro maintains the following measures, as updated from time to time to reflect best practice and the evolving threat landscape:
Encryption
- All data in transit between users and the Service is protected by TLS 1.2 or higher (HTTPS).
- Database storage is encrypted at rest.
- Daily database backups are encrypted before being written to backup storage.
Access control
- User passwords are hashed using bcrypt with appropriate work factors; plaintext passwords are never stored.
- Authentication uses signed, expiring JWT tokens.
- Role-based access controls within each Customer account (admin, regular user, etc.).
- Access to production infrastructure is restricted to authorised Vectro personnel and protected by strong authentication.
- Each Customer's data is logically segregated by company identifier; queries enforce this isolation.
Resilience and availability
- Daily encrypted backups with 30-day rolling retention on EU-located storage.
- Hosted on managed infrastructure with built-in redundancy.
Operational security
- Code review and testing before deployment to production.
- Logging of authentication events and key administrative actions for audit purposes.
- Personnel are bound by confidentiality obligations and trained on data protection.
Incident response
- Documented procedure for identifying, containing, investigating, and notifying personal data breaches in line with UK GDPR Articles 33–34.
Annex 3 — Sub-Processors
The current list of sub-processors used by Vectro to process Customer Personal Data is published at /subprocessors and forms part of this DPA. The list is updated as sub-processors change; subscribers are notified by email or in-app notice of new sub-processors at least 30 days before they begin processing Customer Personal Data, in accordance with clause 6.