Vessels — Data Processing Agreement

DRAFT — NOT YET LEGAL ADVICE. This Data Processing Agreement ("DPA") is written to reflect how Vessels actually processes data and to give a lawyer an accurate Article 28 / APP starting point. It must be reviewed and finalised by a qualified lawyer before it is offered to or signed with customers. Every [BRACKETED] value is a placeholder. Nothing here is legal advice.

Effective date: [EFFECTIVE DATE]

This DPA forms part of the agreement between the customer ("Customer", "you") and [LEGAL ENTITY NAME] (ABN [ABN]) ("Vessels", "we", "us") for use of the Vessels service (the "Agreement" / "Terms"). It governs our processing of Personal Data on your behalf. If there is a conflict between this DPA and the Terms on the subject of data protection, this DPA prevails.

It is designed to satisfy Article 28 of the EU/UK GDPR where that law applies to your use of the Service, and to support compliance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).


1. Definitions

Terms such as Controller, Processor, Data Subject, Personal Data, Processing, Personal Data Breach, and Supervisory Authority have the meanings given in the GDPR. "Customer Personal Data" means Personal Data within Customer Content (the messages, cards, interactions, attachments, and metadata your agent sends through the Service) that we process on your behalf. "Sub-processor" means a third party engaged by us to process Customer Personal Data. "Applicable Data Protection Law" means the GDPR, the UK GDPR, the Privacy Act 1988 (Cth), and any other data protection law applicable to a party's processing under the Agreement.


2. Roles of the parties

For Customer Personal Data, you are the Controller (or a processor acting for your own customer) and we are the Processor (or sub-processor). Each party will comply with its obligations under Applicable Data Protection Law. You are responsible for the lawfulness of the Customer Personal Data and of your instructions, and for having all necessary consents, notices, and lawful bases to provide it to us.

(For account and billing data about you, we act as an independent Controller as described in our Privacy Policy; that processing is governed by the Privacy Policy, not this DPA.)


3. Scope and instructions

We will process Customer Personal Data only:

  • to provide, secure, maintain, and support the Service in accordance with the Agreement;
  • in accordance with your documented instructions (the Agreement, this DPA, your configuration and use of the Service, and any further written instructions you give); and
  • as required by law that applies to us — in which case we will inform you of that legal requirement before processing, unless the law prohibits it.

We will tell you if, in our opinion, an instruction infringes Applicable Data Protection Law. We will not "sell" Customer Personal Data and will not process it for our own purposes, for advertising, or to build profiles of Data Subjects.


4. Confidentiality

We ensure that personnel authorised to process Customer Personal Data are bound by appropriate obligations of confidentiality and access it only on a need-to-know basis to provide the Service.


5. Security

We implement and maintain appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, having regard to the state of the art, the costs of implementation, and the nature, scope, and purposes of processing. Those measures are described in Annex 2 and in our Security overview.


6. Sub-processors

You provide general authorisation for us to engage Sub-processors to process Customer Personal Data, subject to this section. Our current Sub-processors are listed in Annex 3.

  • We impose data protection obligations on each Sub-processor that are no less protective than those in this DPA, and we remain responsible for their performance.
  • We will give you at least [30] days' notice of any intended addition or replacement of a Sub-processor (by updating Annex 3 and/or by email if you subscribe to notifications). If you reasonably object on data protection grounds within that period, we will work with you in good faith to address the concern; if we cannot, you may terminate the affected part of the Service as your sole remedy.

7. Assistance to the Controller

Taking into account the nature of the processing and the information available to us, we will provide reasonable assistance to help you:

  • respond to Data Subject requests to exercise their rights (access, rectification, erasure, restriction, portability, objection). If we receive such a request directly, we will not respond except on your instructions, and will forward it to you without undue delay where it relates to your Customer Personal Data;
  • comply with your security, breach-notification, and data protection impact assessment obligations (GDPR Articles 32–36); and
  • demonstrate compliance with this DPA (see §10).

The Service also provides self-service tooling (message and vessel deletion, workspace deletion) that lets you action many such requests directly.


8. Personal Data Breach

We will notify you without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to us to help you meet your own notification obligations (including under the Notifiable Data Breaches scheme and GDPR Articles 33–34). Our notice is not an acknowledgement of fault.


9. Return and deletion

On termination or expiry of the Agreement, or earlier on your written request, we will delete or return Customer Personal Data and delete existing copies, unless retention is required by law. Deletion of a workspace destroys its per-workspace encryption key, which cryptographically renders that workspace's content unrecoverable. Routine backups are overwritten on their ordinary cycle.


10. Audit

We will make available information reasonably necessary to demonstrate compliance with this DPA and, on reasonable prior written notice and subject to confidentiality, allow for and contribute to audits conducted by you or an auditor you mandate, no more than once per 12 months (or as required by a Supervisory Authority). Where available, we may satisfy this by providing third-party certifications or reports.


11. International transfers

We and our Sub-processors may process Customer Personal Data outside the country where it was collected, including outside Australia and the EEA. Where Applicable Data Protection Law requires a transfer mechanism, the parties agree that the appropriate safeguards apply — including the EU Standard Contractual Clauses (and the UK Addendum) for restricted transfers under the GDPR/UK GDPR — which are incorporated by reference and completed using the details in the Annexes. For the APPs, we take reasonable steps to ensure overseas recipients handle the data consistently with the APPs.


12. Liability

Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability in the Agreement.


13. Governing law and term

This DPA is governed by the law stated in the Agreement ([Queensland, Australia] absent another choice) and continues for as long as we process Customer Personal Data on your behalf.


Annex 1 — Details of processing

  • Subject matter: provision of the Vessels service (delivery, rendering, notification, and debugging of agent-to-human communications).
  • Duration: for the term of the Agreement and until deletion under §9.
  • Nature and purpose: receiving, storing (encrypted at rest), transmitting, rendering, and notifying on Customer Content so a human operator can read and respond; producing conversation traces for your debugging.
  • Types of Personal Data: as determined by you and contained in Customer Content — may include names, contact details, and other identifiers or content your agent sends, plus end-user/operator identifiers and device push tokens. You control what you send; do not send special-category/sensitive data without ensuring an appropriate basis.
  • Categories of Data Subjects: your end-users and the human operators who use your vessels (e.g. your staff).
  • Frequency: continuous, as directed by your use of the Service.

Annex 2 — Technical and organisational measures

  • Encryption in transit: all traffic over TLS.
  • Encryption at rest: message content and structured fields encrypted with AES-256-GCM under a per-workspace key, itself wrapped by a master key held outside the database; per-workspace keys isolate blast radius and enable cryptographic erasure on deletion.
  • Access control: row-level security isolates each workspace; API keys stored only as hashes; passwords hashed by our authentication provider; production access restricted to authorised personnel on a need-to-know basis.
  • Integrity / authenticity: webhook deliveries are HMAC-signed; API requests are authenticated and rate-limited.
  • Availability: managed, reputable cloud infrastructure (see Annex 3) with provider-level redundancy and backups.
  • Organisational: confidentiality obligations on personnel; least-privilege access; change managed through version control and review.

This Annex reflects current measures and will be kept up to date; specific controls may evolve as the Service develops.


Annex 3 — Approved Sub-processors

As of [EFFECTIVE DATE]:

Sub-processor | Purpose | Processing location
Supabase | Database, authentication, realtime, file storage, transactional auth email | [REGION — CONFIRM]
Vercel | Application hosting and compute | [REGION — CONFIRM]
Google (Firebase Cloud Messaging) | Push notification delivery (Android) | [REGION — CONFIRM]
Apple (APNs) | Push notification delivery (iOS) | [REGION — CONFIRM]

The current list is maintained on this page and mirrored in our Privacy Policy.


Contact

Data protection / DPA enquiries: privacy@vessels.app
[LEGAL ENTITY NAME], [REGISTERED ADDRESS], Australia.