Sign In (Soon)

Data Processing Agreement

Last updated:

xthAB Limited, England and Wales

1. Scope

This Data Processing Agreement ("DPA") supplements the Terms of Service and applies where xthAB Limited ("Processor") processes personal data on behalf of the Customer ("Controller") in the provision of the Villip Service.

2. Definitions

Terms not defined here have the meanings given in the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. "Customer Personal Data" means personal data processed by Villip on behalf of the Customer through the Service.

3. Processing Instructions

Villip shall process Customer Personal Data only on the documented instructions of the Controller, including as specified in this DPA and the Terms of Service, unless required to do so by applicable law.

4. Security Measures

Villip implements appropriate technical and organisational measures to protect Customer Personal Data, including encryption in transit (TLS 1.3) and at rest (AES-256), access controls, audit logging, and regular security assessments.

5. Sub-processing

The Customer authorises Villip to engage the sub-processors listed in the Subprocessor List. Villip shall notify the Customer of any intended changes to sub-processors, providing the Customer 30 days to object.

6. Data Subject Rights

Villip shall assist the Controller in responding to data subject requests (access, rectification, erasure, portability) by providing appropriate technical and organisational support through the API and dashboard.

7. Data Breach Notification

Villip shall notify the Controller without undue delay (and in any event within 48 hours) upon becoming aware of a personal data breach affecting Customer Personal Data, providing sufficient detail to enable the Controller to meet its notification obligations under UK GDPR Article 33.

8. International Transfers

Where Customer Personal Data is transferred outside the UK, Villip ensures compliance through the UK International Data Transfer Agreement or UK Addendum to the EU Standard Contractual Clauses, as appropriate.

9. Deletion and Return

Upon termination of the Service, Villip shall delete or return all Customer Personal Data within 30 days, unless retention is required by applicable law.

10. Audit Rights

Villip shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits conducted by the Controller or an independent auditor, subject to reasonable notice and confidentiality requirements.