DRAFT — these documents have not yet been reviewed by counsel. Treat the language as a starting point for the customer's legal review, not a binding contract.

Data Processing Addendum

Last updated: 2026-05-27

This Data Processing Addendum (the “DPA”) supplements the Enterprise Master Service Agreement (the “Agreement”) between VestryAI, Inc. (“Vestry”) and the customer identified on the order form (“Customer”). It governs Vestry's processing of personal data on Customer's behalf as part of the Service. Capitalized terms not defined here have the meaning given in the Agreement.

1. Roles and scope

Customer is the controller of the personal data Customer instructs Vestry to process via the Service. Vestry is the processor with respect to that data and processes it only on Customer's documented instructions, which include (a) the Agreement, (b) configuration choices Customer makes in the dashboard, and (c) the act of uploading content or directing end users to the Widget.

Vestry is an independent controller with respect to data covered by the Privacy Policy at /legal/privacy (e.g., contact information of Customer's administrators and Vestry's own operational logs). The Privacy Policy governs that processing; this DPA does not.

2. Subject matter, duration, nature, and purpose

The subject matter of the processing is the audio, video, text documents, web content, and end-user questions Customer submits to the Service, plus the answers and citations the Service generates in response. The duration is the term of the Agreement plus the deletion window described in Section 9. The nature is hosting, transcription, embedding, retrieval, AI-generated synthesis, logging, and analytics. The purpose is to provide Customer with the Service.

3. Categories of personal data and data subjects

Categories may include the names, email addresses, IP-derived identifiers, and institutional roles of (a) Customer's administrators, (b) end users (listeners) who interact with the Widget, and (c) any individuals whose voices, words, or images appear in the content Customer uploads. Customer must not upload special categories of personal data (health, genetic, biometric, racial, religious, political, sexual orientation, children under 13, or other “special category” data under GDPR Art. 9 / UK GDPR / similar laws) without separate written agreement with Vestry, since the Service is not designed for that data class.

4. Customer instructions; lawful basis

Vestry will process personal data only on Customer's documented instructions. Customer represents that it has the lawful basis required by applicable data-protection law to instruct Vestry to process the personal data it submits, including obtaining any necessary consents and providing any required notices to data subjects.

5. Confidentiality

Vestry will ensure that personnel authorized to process personal data are bound by confidentiality obligations and are trained on Vestry's privacy and security practices.

6. Security measures

Vestry implements appropriate technical and organizational measures to protect personal data, including:

  • Encryption in transit. TLS 1.2+ on every public endpoint (dashboard, API, Widget, MCP).
  • Encryption at rest. AES-256 at the storage layer for every named sub-processor (Cloudflare R2, Supabase Postgres, Pinecone).
  • Access controls. Production system access is gated on individual SSO with required two-factor authentication; shared service accounts are not used.
  • Audit logs. Production data reads and writes are recorded to a tamper-evident log; database mutations are captured via Supabase audit infrastructure.
  • Network isolation. Database endpoints are not exposed publicly; connections originate from the API worker and the ingestion worker through sub-processor pooler endpoints.
  • Secrets management. Production credentials live as encrypted secrets on Cloudflare Workers, Fly.io, and Vercel; never committed to source control.
  • Vulnerability management. Dependencies are tracked via lockfiles; CI runs lint, typecheck, and tests on every change; production runtime is monitored for error rate and latency anomalies.

7. Sub-processors

Vestry uses the following sub-processors to provide the Service. Each is contracted to process personal data only as needed to perform its function and is bound to security and confidentiality obligations no less protective than those in this DPA.

Sub-processor | Function | Location
Anthropic, PBC | LLM inference for answer synthesis and name extraction | USA
OpenAI, LLC | Text embeddings for retrieval | USA
Modal Labs, Inc. | GPU-hosted speech-to-text + speaker diarization | USA
Pinecone Systems, Inc. | Vector index (embeddings only; no plaintext) | USA
Stripe, Inc. | Payment processing for fees and subscriber tiers | USA
Cloudflare, Inc. | Edge compute (Workers) and object storage (R2) | Global
Supabase, Inc. | Managed Postgres for accounts, metadata, and query log | USA
Fly.io, Inc. | Runtime for the ingestion worker | USA (iad)
Vercel, Inc. | Dashboard hosting | USA
Google LLC | OAuth identity (when user signs in with Google) | USA

Vestry will provide Customer with notice at least thirty (30) days before adding a new sub-processor or materially changing the role of an existing one. Customer may object on reasonable data-protection grounds; if the parties cannot resolve the objection within thirty (30) days, Customer may terminate the affected portion of the Service and receive a pro-rated refund of prepaid unused fees.

8. International transfers

To the extent personal data of data subjects in the European Economic Area, the United Kingdom, or Switzerland is transferred to a country not the subject of an adequacy decision, the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module Two: controller-to-processor) are incorporated into this DPA by reference, with Customer as data exporter and Vestry as data importer. For UK-specific transfers, the UK International Data Transfer Addendum to the SCCs applies. Vestry will assist Customer with transfer impact assessments on request.

9. Retention and deletion

During the term, Vestry retains personal data as long as needed to provide the Service and as configured in the dashboard. Within thirty (30) days after termination or expiration of the Agreement, Vestry will delete or, at Customer's written request, return Customer's personal data, except where Vestry is required by applicable law to retain a portion (in which case Vestry will continue to protect it under this DPA). Backup copies that are not readily accessible are subject to a rolling deletion window and are not retained beyond ninety (90) days.

10. Data subject requests

Vestry will, taking into account the nature of the processing, assist Customer with requests from data subjects exercising rights of access, rectification, erasure, restriction, portability, and objection. End-user-facing requests received by Vestry directly will be routed to Customer for response, except where Vestry is the controller of the request subject matter.

11. Personal data breach notification

Vestry will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a personal data breach affecting personal data processed under this DPA. The notification will include the information reasonably required for Customer to comply with its own notification obligations: the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures Vestry has taken or proposes to take to address it.

12. Audits and information

On reasonable written notice no more than once per twelve (12) months — or more frequently if required by a supervisory authority or following a personal data breach — Vestry will make available to Customer the information necessary to demonstrate compliance with this DPA. Where Customer requires an on-site audit, the parties will agree on the scope, timing, and any reasonable costs; audits will be conducted in a manner that does not interfere with Vestry's normal operations.

13. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations of liability in the Agreement, including the aggregate cap at twelve (12) months of fees paid. To the extent applicable law limits the ability of a party to limit liability for a particular kind of damages, those limitations apply to the maximum extent permitted by that law. The DPA does not create any separate or additional liability cap beyond what the Agreement provides.

14. Conflict; survival

If there is a conflict between this DPA and the Agreement, this DPA controls with respect to the subject matter of this DPA. Sections 9 (Retention and deletion), 10 (Data subject requests), 11 (Breach notification), and 12 (Audits) survive termination of the Agreement for so long as Vestry holds personal data subject to this DPA.

15. Contact

The Vestry point of contact for data-protection matters is privacy@vestryai.com.

This document is a working draft pending review by counsel. Customer-specific edits (jurisdiction-specific addenda, modified SCC modules, additional security questionnaires) are common and welcome at signing.