VantixOS

Legal

Data Processing Addendum

Effective Date
June 9, 2026
Last Updated
June 9, 2026

This Data Processing Addendum applies where Vantix Operational Systems processes personal data on behalf of a customer through VantixOS and the processing is subject to GDPR, UK GDPR, CCPA, CPRA, or similar data protection laws.

This DPA forms part of the agreement between Vantix Operational Systems and the customer and governs VantixOS processing of personal data in Customer Data.

1. Definitions

Controller, processor, personal data, processing, data subject, personal data breach, supervisory authority, and subprocessors have the meanings given under applicable data protection laws. Customer means the entity using VantixOS. VantixOS means Vantix Operational Systems. Customer Personal Data means personal data contained in Customer Data processed by VantixOS on behalf of the customer.

2. Subject Matter

The subject matter of processing is VantixOS provision of SaaS CRM, lead management, conversation management, analytics, AI assistance, workflow automation, reporting, integrations, support, security, and related business services to the customer.

3. Duration

Processing continues for the duration of the customer's subscription or use of the Services and any applicable retention, export, backup, legal, audit, compliance, dispute-resolution, or deletion period.

4. Processing Activities

  • Hosting, storing, organising, structuring, retrieving, transmitting, analysing, displaying, securing, deleting, and otherwise processing Customer Personal Data.
  • Providing CRM, lead, pipeline, conversation, analytics, AI, reporting, automation, email, messaging, telephony, and integration functionality.
  • Providing support, troubleshooting, monitoring, security, audit logs, backups, account administration, and service improvement.

5. Controller and Processor Roles

For Customer Personal Data, the customer is the controller or business and VantixOS is the processor, service provider, or contractor, except where VantixOS independently determines purposes and means for account administration, billing, security, legal compliance, product analytics, or its own business operations.

The customer is responsible for lawful basis, notices, consents, instructions, data accuracy, data subject communications, and compliance with laws applicable to Customer Personal Data.

6. Customer Instructions

VantixOS will process Customer Personal Data only on documented customer instructions, including these Terms, the DPA, product configuration, user actions, support requests, and applicable order forms, unless required by law. VantixOS will inform the customer if it believes an instruction infringes applicable data protection law, unless prohibited by law.

7. Security Measures

  • Access controls, authentication controls, role-based permissions, logging, monitoring, and administrative restrictions.
  • Encryption in transit and appropriate encryption or equivalent protections for stored data where applicable.
  • Secure development practices, vulnerability management, backup practices, incident response procedures, vendor management, and personnel confidentiality obligations.
  • Technical and organisational measures designed to protect against unauthorised access, accidental loss, destruction, alteration, disclosure, or misuse.

8. Subprocessors

The customer grants VantixOS general authorisation to use subprocessors for hosting, infrastructure, storage, communications, AI, analytics, support, monitoring, security, and operational services. VantixOS will impose data protection obligations on subprocessors that are substantially no less protective than those in this DPA, taking into account the nature of the services.

VantixOS remains responsible for subprocessors' processing of Customer Personal Data as required by applicable data protection law and this DPA.

9. Cross-Border Transfers

The primary data hosting region is the United States. Where Customer Personal Data is transferred internationally and transfer safeguards are required, VantixOS will use appropriate mechanisms such as standard contractual clauses, the UK International Data Transfer Addendum or equivalent mechanisms, supplementary measures, or other lawful transfer mechanisms.

10. Assistance Obligations

Taking into account the nature of processing and information available to VantixOS, VantixOS will provide reasonable assistance to the customer for data protection impact assessments, prior consultations, security obligations, breach notifications, and compliance with data subject rights, to the extent required by applicable law.

11. Data Subject Requests

If VantixOS receives a data subject request relating to Customer Personal Data, VantixOS will, where appropriate, refer the requester to the customer or notify the customer unless prohibited by law. VantixOS will provide reasonable assistance for customer responses to data subject requests through product functionality or support processes.

12. Security Incident Obligations

VantixOS will notify the customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, where required by applicable law. Notice will include available information reasonably necessary for the customer to meet its notification obligations, taking into account the nature of the incident and information available at the time.

VantixOS will take reasonable steps to investigate, contain, mitigate, and remediate confirmed incidents affecting Customer Personal Data.

13. Deletion and Return of Data

During the active subscription, Customer Data remains available subject to product functionality and plan limits. Following termination, customers may export data during the retention window. After the applicable retention period, VantixOS may delete, anonymise, or aggregate Customer Personal Data, except where retention is required for legal, security, audit, compliance, fraud-prevention, backup, accounting, or dispute-resolution purposes.

14. Audit Rights

Upon reasonable written request, and subject to confidentiality, security, and operational limitations, VantixOS will make available information reasonably necessary to demonstrate compliance with this DPA. Audits must be limited to once annually unless required by a supervisory authority or following a confirmed material security incident, must not compromise security or confidentiality, and must be conducted during normal business hours with reasonable notice.

15. Confidentiality

VantixOS will ensure that personnel authorised to process Customer Personal Data are subject to appropriate confidentiality obligations. Customer must treat security documentation, audit materials, subprocessor information, and non-public compliance information as VantixOS confidential information.

16. CCPA and CPRA Service Provider Terms

Where CCPA or CPRA applies and VantixOS processes personal information as a service provider or contractor, VantixOS will not sell or share Customer Personal Data, retain, use, or disclose it outside the business purposes of providing the Services, or combine it with other personal information except as permitted by applicable law.

17. Liability

Liability arising under this DPA is subject to the limitations, exclusions, and allocations of liability in the Terms or applicable written agreement, except to the extent such limitations are prohibited by applicable data protection law.

18. Governing Law

This DPA is governed by the laws of England and Wales, unless applicable data protection law requires otherwise. The courts of England and Wales have exclusive jurisdiction unless otherwise agreed in writing.