Legal
Overview
This Data Processing Agreement ("DPA") forms part of the VODR Terms of Service between Vodr ("Processor") and the customer ("Controller") and governs the processing of personal data by the Processor on behalf of the Controller in connection with the VODR Nexus service.
For Starter and Pro customers, acceptance of this DPA is included in the nexus init consent flow. For Team customers requiring a countersigned copy, contact privacy@vodr.ai.
Section 1
"Personal Data" means any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
"Processing" means any operation performed on Personal Data, as defined in GDPR Article 4(2).
"Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
"Sub-Processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
Section 2
The Controller determines the purposes and means of processing Personal Data by using the Service. The Processor processes Personal Data solely on behalf of the Controller and in accordance with the Controller's documented instructions.
For Vodr's own data collection (account data, API call logs), Vodr acts as an independent data controller. That processing is governed by the VODR Privacy Policy, not this DPA.
Section 3
3.1 Subject Matter
Processing of repository metadata and system descriptions provided by the Controller through the Service for the purposes of regulatory classification, compliance tracking, vulnerability scanning, PII pattern detection, and AI-BOM generation.
3.2 Duration
This DPA applies for the duration of the Controller's subscription and the 90-day post-cancellation data retention period. For systems classified as high-risk under the EU AI Act, audit trail data is retained for 3 years per Article 12 record-keeping requirements.
3.3 Types of Personal Data Processed
The Processor does not process the actual personal data contained in the Controller's databases — only field names, table names, and descriptive text.
3.4 Categories of Data Subjects
The Controller's employees and authorized users who register systems and manage compliance through the Service. Indirectly, the data subjects referenced by field names in the Controller's database schema — but the Processor never accesses, receives, or processes their actual personal data.
Section 4
4.1 Processing Instructions
The Processor shall process Personal Data only in accordance with the Controller's documented instructions: to extract metadata signals from connected repositories, classify systems against regulatory frameworks, detect PII patterns in database schemas, scan dependencies for vulnerabilities, generate AI-BOMs, track compliance progress, and provide regulatory intelligence outputs.
4.2 Confidentiality
All persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3 Security
The Processor implements appropriate technical and organizational measures including: encryption at rest and in transit (TLS 1.3), API key hashing with salt, role-based database access, automated security updates, intrusion prevention (Fail2ban), DDoS protection (Cloudflare), and tamper-evident audit trail with hash chain verification. Full security measures are documented at vodr.ai/security.
4.4 No Sale or Misuse
The Processor shall not sell, share, or use Personal Data outside the direct business relationship with the Controller. The Processor shall not use Personal Data for any purpose other than providing the Service. The Processor shall not use repository data or system descriptions to train AI models.
Section 5
| Sub-Processor | Location | Function | Data Received |
|---|---|---|---|
| Hetzner Online GmbH | Falkenstein, Germany (EU) | Cloud hosting | All customer data |
| Stripe, Inc. | United States | Payment processing | Email, subscription tier, payment method |
| Anthropic PBC | United States | AI inference for classification | System descriptions (paid tiers, when confidence is low) |
| GitHub / GitLab / Bitbucket | Various | Repository access | Repository contents via Controller's OAuth grant |
Google LLC (OSV API) receives only package names, ecosystem identifiers, and version strings — no personal data. It is not a sub-processor for the purposes of this DPA.
The Processor shall notify the Controller of any intended changes to Sub-Processors at least 30 days before the change takes effect. The Controller may object to a new Sub-Processor within 14 days. A current list of Sub-Processors is maintained at vodr.ai/sub-processors.
Section 6
All customer data is stored in the European Union (Hetzner, Falkenstein, Germany). Data is transferred outside the EU only in the following circumstances:
For all EU-US transfers, appropriate safeguards are in place including Standard Contractual Clauses approved by the European Commission and, where applicable, the EU-US Data Privacy Framework.
Section 7
The Processor shall notify the Controller of any personal data breach without undue delay and in any event within 48 hours of becoming aware of the breach. The notification shall include: the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.
The Processor shall notify the relevant supervisory authority within 72 hours per GDPR Article 33 where required.
Section 8
The Processor shall assist the Controller in responding to data subject requests to the extent technically feasible. The Service provides:
- nexus export — complete data export in JSON format
- nexus delete — permanent deletion of all data for a system (GDPR Article 17)
- nexus disconnect — stops repository analysis while retaining compliance data
Section 9
Upon termination, the Controller may export all data via nexus export during the 90-day post-cancellation retention period. After 90 days, all Personal Data is permanently deleted, except high-risk system audit trail data (retained 3 years per EU AI Act Article 12) and records required by applicable tax or legal obligations.
The Processor provides written confirmation of deletion upon request.
Section 10
The Controller may request evidence of the Processor's compliance with this DPA. The Processor shall provide: security documentation and policies, audit trail exports for the Controller's systems, responses to reasonable written information requests, and evidence of Sub-Processor compliance.
The Processor is audited annually by external auditors. Audit reports are available upon request under NDA. On-site audits may be arranged at the Controller's expense with reasonable notice.
Section 11
The Processor shall: maintain a record of processing activities per GDPR Article 30(2); cooperate with supervisory authorities per GDPR Article 31; assist the Controller with data protection impact assessments per GDPR Article 35 where relevant; and assist the Controller with prior consultation per GDPR Article 36 where relevant.
Section 12
This DPA shall remain in effect for the duration of the Agreement and until all Personal Data has been deleted or returned in accordance with Section 9.
Section 13
Data Protection Contact: privacy@vodr.ai
This DPA is incorporated by reference into the VODR Terms of Service. For Starter and Pro customers, acceptance is included in the nexus init consent flow. For Team customers requiring a countersigned copy, contact privacy@vodr.ai.