Data Processing Agreement
This page is a public summary of VectorFlow Cloud’s DPA so you can read the substance before requesting a signable copy. Email trust@vectorflow.sh with your legal entity name and we will return a counter-signable PDF within two business days.
1. Roles
Customer is the data controller for any personal data submitted to or generated by the VectorFlow Cloud service. VectorFlow is the data processor and processes personal data only on the documented instructions of Customer (including the terms of this DPA).
2. Categories of data processed
- Account & identity data: email addresses, names, organization name, role assignments.
- Configuration data: pipeline definitions, alert rules, notification channel destinations.
- Operational metadata: fleet node hostnames, heartbeat state, version drift, deploy history.
- Bounded telemetry: metric rollups and capped event samples retained per the schedule in Trust & Security.
VectorFlow does notprocess raw log data: it remains within the customer’s network.
3. Sub-processors
VectorFlow uses the sub-processors listed at /trust/subprocessors. Customer is provided 30 days’ advance notice of any new sub-processor and may object in writing; if the objection cannot be resolved Customer may terminate the affected service component with pro-rata refund of pre-paid fees.
4. Security measures
VectorFlow implements the technical and organizational measures summarised on the Trust & Security overview. Measures include:
- Per-organization data encryption keys wrapped with AWS KMS; AES-256-GCM with AAD binding ciphertexts to their owning org.
- Postgres Row-Level Security with the application running under a
NOBYPASSRLSrole. - Break-glass operator decrypt workflow with customer-admin email notification and two independent audit logs.
- Hash-chained customer audit log with externally verifiable export.
- Outbound URL validation against private/link-local/metadata IP ranges (IPv4 + IPv6).
- At-rest encryption on the database and S3 buckets backing the service.
5. International transfers
Where data transfers occur outside the European Economic Area or the United Kingdom, VectorFlow relies on Standard Contractual Clauses (SCCs) and where applicable the UK International Data Transfer Addendum. By default Customer data is processed in the EU (AWS eu-west-2); US processing requires explicit Customer opt-in at signup.
6. Data subject requests
VectorFlow assists Customer in responding to data subject requests (access, rectification, erasure, portability) within 30 days. The customer-side audit export and organization export endpoints fulfil the data-portability obligation programmatically (GDPR Art. 20). Erasure is performed by deleting the organization, which triggers a 90-day cool-off followed by crypto-shredding the per-org DEK; once the DEK is destroyed the ciphertext is computationally inert.
7. Personal data breach notification
VectorFlow notifies Customer of a personal data breach affecting Customer’s data without undue delay and in any event within 72 hours of confirmation. The notification includes the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and the measures taken or proposed to be taken to mitigate.
8. Audit rights
Customer may audit VectorFlow’s compliance with this DPA once per year on 30 days’ written notice. VectorFlow will provide the most recent SOC 2 Type II report (when available) and may request that the audit be carried out by a mutually agreed independent third party. Customer bears the cost of any audit it initiates.
9. Term & return / deletion of data
On termination Customer may export their data via the Article 20 endpoints during a 30-day grace period. After the grace period VectorFlow deletes all Customer personal data in active systems within 30 days; backups containing Customer data are retained no longer than 90 days and are not restored except for disaster recovery.
Questions: trust@vectorflow.sh. Return to Trust & Security overview.