Data Processing Agreement (DPA)
Standard Contractual Clauses pursuant to Art. 28 GDPR
Last updated: May 20, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller") and VantarGroup LLC ("Processor") and governs the processing of personal data in accordance with the General Data Protection Regulation (GDPR).
1. Parties and Scope
This DPA applies when the Controller uses Matproof services to process personal data. The Processor agrees to process personal data only on documented instructions from the Controller.
2. Subject Matter and Duration
The subject matter of data processing is the provision of the Matproof compliance automation platform. The duration corresponds to the term of the service agreement.
3. Nature and Categories of Data
Types of personal data processed:
- Employee data (names, email addresses, job titles)
- User account information
- Compliance and audit documentation
- Communication records
Categories of data subjects: Employees, contractors, and authorized users of the Controller.
4. Processor Obligations (Art. 28 GDPR)
The Processor shall:
- Process personal data only on documented instructions from the Controller
- Ensure persons authorized to process data are bound by confidentiality
- Implement appropriate technical and organizational security measures
- Engage sub-processors only with prior written consent
- Assist the Controller in fulfilling data subject rights requests
- Assist with security breach notifications and impact assessments
- Delete or return personal data upon termination of services
- Make available all information necessary to demonstrate compliance
5. Technical and Organizational Measures
The Processor implements the following security measures:
- Encryption of data at rest and in transit (AES-256, TLS 1.3)
- Access controls and authentication (MFA, RBAC)
- Regular security assessments, including an annual independent penetration test
- Incident response and business continuity procedures
- EU data residency for persistent customer data (application and database hosting in EU data centres). Transfers to third countries take place only through sub-processors that are established or process data outside the EU/EEA, are named in the sub-processor list, and are safeguarded by EU Standard Contractual Clauses (Implementing Decision (EU) 2021/914).
- ISO 27001-aligned security controls
6. Sub-Processors
The Controller authorizes the Processor to engage the sub-processors named in the Processor's sub-processor list, subject to the following:
- Full and current list: matproof.com/privacy#subprocessors (section 'Sub-processors').
- All sub-processors are bound by data processing agreements under Article 28 GDPR; third-country providers are additionally safeguarded by EU Standard Contractual Clauses (SCC 2021/914) under Article 46 GDPR and supplementary technical and organisational measures.
- For LLM inference providers, the Processor contractually requires that submitted content is not used to train models and uses zero-data-retention API options where the provider offers them.
- Third-country transfers are documented by the Processor in an internal Transfer Impact Assessment (TIA) per provider.
The Processor will inform the Controller of any changes to sub-processors (addition, replacement, removal) at least 30 days in advance via email to the contact address on file. The Controller may object to new sub-processors within 30 days on legitimate grounds. In case of a legitimate objection, the parties will negotiate in good faith for a mutually acceptable solution; if none can be reached, either party may terminate the affected service under the master agreement with reasonable notice.
7. Data Subject Rights
The Processor will assist the Controller in responding to data subject requests (access, rectification, erasure, restriction, portability, objection) within 72 hours of receiving such requests.
8. Personal Data Breach Notification
The Processor will notify the Controller without undue delay (within 24 hours) after becoming aware of a personal data breach affecting the Controller's data.
9. Audit Rights
The Controller may audit the Processor's compliance with this DPA once per year upon reasonable advance notice (at least 30 days) during normal business hours, either directly or through an independent auditor bound to confidentiality. Audit rights cover relevant security and compliance documentation, technical and organisational measures, and records of processing activities to the extent required to fulfil obligations under Article 28 GDPR. The Processor satisfies this requirement primarily through (a) the annual independent penetration test report, (b) the ongoing ISO 27001 compliance roadmap with documented controls, and (c) a security whitepaper provided on request. On-site audits are only available where the foregoing evidence does not satisfy the Controller's legitimate audit interest.
10. Deletion or Return of Data
Upon termination of services, the Processor will delete or return all personal data to the Controller within 30 days, unless EU or Member State law requires continued storage. The return format (e.g. JSON export, CSV) will be specified by the Controller in the request; absent specification, the Processor's standard format applies. Backup copies are overwritten in the regular backup cycle (at the latest after 90 days).
11. International data transfers
Where the Processor engages sub-processors that are based in, or process data in, countries outside the EU/EEA (in particular the USA and the United Kingdom, including EU subsidiaries of US parent groups whose processing may involve such transfers), transfers rely on the following safeguards under Articles 44 et seq. GDPR: (a) for the United Kingdom: the EU adequacy decision of 28 June 2021; (b) for the USA and other third countries: EU Standard Contractual Clauses (Implementing Decision (EU) 2021/914, Module Two (controller to processor) or Module Three (processor to processor) as applicable); (c) supplementary technical and organisational measures, including encryption in transit and at rest, pseudonymisation where possible, zero-data-retention arrangements with AI providers, and contractual purpose limitation. The Processor maintains a Transfer Impact Assessment (TIA) for each third-country sub-processor and makes it available in summary form on request.
12. Liability
Liability between the parties arising from or in connection with this DPA is governed by the master agreement between the Controller and the Processor. Any liability cap in the master agreement applies to damages claims between the parties arising from breaches of this DPA, except to the extent that Article 82 GDPR or other mandatory law precludes such a cap. In the external relationship with data subjects, each party is independently liable under Article 82 GDPR; in the internal relationship, each party bears the share corresponding to its degree of fault.
Questions or DPA Requests
For DPA signature requests or questions, please contact:
Email: [email protected]