Data Processing Agreement (DPA)

Standard Contractual Clauses pursuant to Art. 28 GDPR

Last updated: February 6, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller") and VantarGroup LLC ("Processor") and governs the processing of personal data in accordance with the General Data Protection Regulation (GDPR).

1. Parties and Scope

This DPA applies when the Controller uses Matproof services to process personal data. The Processor agrees to process personal data only on documented instructions from the Controller.

2. Subject Matter and Duration

The subject matter of data processing is the provision of the Matproof compliance automation platform. The duration corresponds to the term of the service agreement.

3. Nature and Categories of Data

Types of personal data processed:

  • Employee data (names, email addresses, job titles)
  • User account information
  • Compliance and audit documentation
  • Communication records

Categories of data subjects: Employees, contractors, and authorized users of the Controller.

4. Processor Obligations (Art. 28 GDPR)

The Processor shall:

  • Process personal data only on documented instructions from the Controller
  • Ensure persons authorized to process data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Engage sub-processors only with prior written consent
  • Assist the Controller in fulfilling data subject rights requests
  • Assist with security breach notifications and impact assessments
  • Delete or return personal data upon termination of services
  • Make available all information necessary to demonstrate compliance

5. Technical and Organizational Measures

The Processor implements the following security measures:

  • Encryption of data at rest and in transit (AES-256, TLS 1.3)
  • Access controls and authentication (MFA, RBAC)
  • Regular security assessments and penetration testing
  • Incident response and business continuity procedures
  • EU data residency (all data stored in German data centers)
  • SOC 2 Type II certified security controls

6. Sub-Processors

The Controller authorizes the Processor to engage the following sub-processors:

  • Neon (PostgreSQL hosting - EU)
  • Upstash (Redis caching - EU)
  • AWS (File storage - EU region)
  • Resend (Email delivery - EU)

The Processor will inform the Controller of any changes to sub-processors with at least 30 days' notice. The Controller may object to new sub-processors.

7. Data Subject Rights

The Processor will assist the Controller in responding to data subject requests (access, rectification, erasure, restriction, portability, objection) within 72 hours of receiving such requests.

8. Personal Data Breach Notification

The Processor will notify the Controller without undue delay (within 24 hours) after becoming aware of a personal data breach affecting the Controller's data.

9. Audit Rights

The Controller may audit the Processor's compliance with this DPA once per year upon reasonable notice. The Processor's SOC 2 Type II report may satisfy this requirement.

10. Deletion or Return of Data

Upon termination of services, the Processor will delete or return all personal data to the Controller within 30 days, unless EU law requires continued storage.

Questions or DPA Requests

For DPA signature requests or questions, please contact:

Email: legal@matproof.com