data processing agreement.
GDPR Article 28 · VaultPAM Security Sp. z o.o.
| Version | 1.0-draft |
| Effective date | TBD — subject to legal review before publication (AIC-1571) |
| Parties | VaultPAM Security Sp. z o.o. (Processor) and Customer (Controller) |
Draft notice: This is an internal first-draft for legal counsel review. Not yet in force.
Recitals
This Data Processing Agreement ("DPA") is entered into between:
Controller: the Customer entity that has agreed to VaultPAM's Terms of Service or executed an Order Form ("Customer" or "Controller");
Processor: VaultPAM Security Sp. z o.o., ul. Żelazna 51/53, 00-841 Warszawa, Poland ("VaultPAM" or "Processor").
This DPA forms part of, and is incorporated into, the Terms of Service and any applicable Order Form. It is intended to satisfy the requirements of Article 28 of Regulation (EU) 2016/679 ("GDPR").
1. Definitions
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data.
"Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Personal Data Breach" have the meanings given in Article 4 GDPR.
"Service" means the VaultPAM platform provided to Customer under the Terms of Service.
"Customer Data" means Personal Data submitted to, collected, or generated within the Service by or on behalf of Customer, including session recordings, access logs, credential metadata, and User identity data.
"Sub-processor" means any third party engaged by VaultPAM to process Customer Data on VaultPAM's behalf.
"Supervisory Authority" means the competent national data protection supervisory authority — being the President of the Personal Data Protection Office (UODO) in Poland for VaultPAM, and the competent authority in Customer's EEA member state for Customer.
2. Subject Matter, Duration, and Nature of Processing
Subject matter: VaultPAM processes Customer Data to provide the privileged access management Service described in the Terms of Service.
Duration: Processing commences when Customer first submits data to the Service and continues for the duration of the subscription, plus any retention period required for secure deletion as provided in clause 3(g).
Nature and purpose: Storing, retrieving, organizing, recording, transmitting, and analysing Customer Data to enable Customer to manage, audit, and control privileged access to Customer's IT infrastructure.
Types of Personal Data processed:
- Identity data: employee full names, job titles, e-mail addresses, employee IDs
- Authentication data: MFA challenge records, authentication event timestamps, IP addresses, device fingerprints
- Session activity data: session start/end times, target host identifiers, keystroke logs, screen recording content, file-transfer metadata
- Credential metadata: vault entry names, last-used timestamps (credential plaintext is not accessible to VaultPAM staff)
- Audit log data: API call logs, administrative action records, policy change events
Categories of Data Subjects:
- Customer's employees, contractors, and other individuals authorized to access privileged infrastructure
- IT system administrators and privileged users whose access events are captured in the audit trail
3. Processor Obligations (GDPR Art. 28(3))
3(a) Processing only on instructions
VaultPAM will process Customer Data only on documented instructions from Customer, unless required to do so by Union or Member State law. Where VaultPAM is required by law to process Customer Data without Customer's instruction, VaultPAM will inform Customer before that processing, unless prohibited by law from doing so.
VaultPAM will inform Customer immediately if, in VaultPAM's opinion, an instruction infringes GDPR or other applicable data protection law.
Customer's documented instructions are: (i) the terms of this DPA; (ii) the Terms of Service; (iii) Customer's configuration of the Service; and (iv) any further written instructions Customer provides from time to time.
3(b) Confidentiality of processing
VaultPAM ensures that persons authorized to process Customer Data are subject to confidentiality obligations — either contractual or statutory — at least as protective as those in this DPA.
3(c) Security measures (Art. 32)
VaultPAM implements and maintains the technical and organisational security measures set out in Annex I to protect Customer Data against unauthorised or unlawful processing, accidental loss, destruction, or damage. VaultPAM reviews and updates these measures periodically to reflect evolving risks and the state of the art.
3(d) Sub-processor conditions
VaultPAM will not engage a new Sub-processor without informing Customer in advance and giving Customer a reasonable opportunity to object on legitimate grounds. VaultPAM will impose on each Sub-processor data protection obligations equivalent to those in this DPA by written contract. The current list of approved Sub-processors is set out in Annex II.
If Customer legitimately objects to a new Sub-processor and VaultPAM cannot provide the Service without that Sub-processor, either party may terminate the affected Services on 30 days' written notice without penalty.
VaultPAM remains liable to Customer for the acts and omissions of its Sub-processors to the same extent as if VaultPAM had performed the processing itself.
3(e) Assistance with Data Subject rights
VaultPAM will, taking into account the nature of the processing, assist Customer by appropriate technical and organisational measures in fulfilling Customer's obligation to respond to Data Subject rights requests under GDPR Chapter III (access, rectification, erasure, restriction, portability, objection).
VaultPAM will forward to Customer without undue delay any Data Subject request it receives that concerns Customer Data, and will not respond to such requests on Customer's behalf without Customer's prior written instruction.
3(f) Assistance with Arts. 32–36 obligations
VaultPAM will assist Customer in ensuring compliance with obligations under GDPR Articles 32–36, including security of processing, Personal Data Breach notification to supervisory authorities, data protection impact assessments, and prior consultation.
3(g) Deletion or return of data
Upon expiry or termination of the subscription, VaultPAM will, at Customer's election, delete or return all Customer Data within 30 days and confirm deletion in writing, unless Union or Member State law requires continued storage. Customer is responsible for exporting required data before the 30-day post-termination period expires.
WORM exception: The 30-day deletion commitment does not apply to data locked under the immutable storage (WORM) feature (clause 6.2). WORM-locked data cannot be deleted until the configured lock period expires. VaultPAM retains WORM-locked data after termination on the basis of GDPR Article 17(3)(e) (establishment, exercise, or defence of legal claims) or Article 17(3)(b) (compliance with a legal obligation or public interest), as applicable to Customer's compliance purposes. By activating WORM, Customer acknowledges that erasure requests from Data Subjects relating to WORM-locked records may be restricted until the lock period expires, and Customer, as Controller, is responsible for informing affected Data Subjects of this restriction under GDPR Article 11(2).
3(h) Audit and information
VaultPAM will make available to Customer all information necessary to demonstrate compliance with the obligations in this DPA, and will allow and contribute to audits and inspections conducted by Customer or a mandated auditor, subject to:
- at least 30 days' advance written notice;
- agreement on scope and reasonable cost allocation; and
- the auditor executing a confidentiality undertaking.
Customer agrees to exercise audit rights no more than once per calendar year, unless required by a supervisory authority or following a confirmed Personal Data Breach.
4. Personal Data Breach Notification
4.1 VaultPAM will notify Customer of a confirmed or reasonably suspected Personal Data Breach affecting Customer Data without undue delay and, where feasible, within 72 hours of becoming aware of it.
4.2 The initial notification will include, to the extent then available: (a) a description of the nature of the breach; (b) approximate categories and number of records and Data Subjects concerned; (c) VaultPAM's data protection contact details; (d) likely consequences; and (e) measures taken or proposed to address and mitigate the breach.
4.3 VaultPAM will provide further information as it becomes available. Where all required information is not available at first notification, it will be provided in phases.
4.4 Customer is solely responsible for assessing whether notification to supervisory authorities (Art. 33) or Data Subjects (Art. 34) is required, and for making any such notifications.
5. International Data Transfers
5.1 VaultPAM will not transfer Customer Data to a country outside the European Economic Area ("EEA") without Customer's prior written consent, unless the transfer is to a country with an EU adequacy decision or is subject to appropriate safeguards under GDPR Art. 46 (e.g. Standard Contractual Clauses — SCCs).
5.2 By default, Customer Data at rest is stored within the EU — Google Cloud Platform, europe-central2 region, Warsaw, Poland.
5.3 Where Sub-processors listed in Annex II process data outside the EEA, VaultPAM has put in place SCCs or equivalent safeguards as noted in Annex II.
6. PAM-Specific Processing Clauses
6.1 Session Recordings
VaultPAM records keystroke logs, screen content, and file-transfer metadata generated during privileged sessions strictly on Customer's behalf and on Customer's instruction (via Customer's recording policy configuration).
Customer, as Controller, is responsible for ensuring:
- employees and contractors whose sessions are recorded are informed in accordance with applicable labour and data protection law;
- any required works-council approval, employee consultation, or equivalent process is completed before enabling recording for any category of User;
- recording policies reflect Customer's legitimate purposes and retention needs.
VaultPAM stores session recordings in encrypted form. Recording content is accessible only to Customer-designated administrators with the assigned RBAC role. VaultPAM support staff do not access recording content except at Customer's explicit written request for the purpose of resolving a technical issue.
6.2 Retention and Immutable Storage (WORM)
Customer may configure retention policies for session recordings and audit logs. Where Customer activates the immutable storage (WORM — Write Once, Read Many) feature:
- Recordings and audit logs written in WORM mode cannot be modified or deleted until the configured retention period expires, even upon Customer instruction or subscription termination.
- The feature is provided for Customer's compliance purposes (e.g. NIS2, SOC 2, ISO 27001 audit evidence requirements).
- VaultPAM will not delete WORM-locked data before the lock period expires unless Customer provides documented legal authority (court order or equivalent) for early deletion.
- Default WORM retention period: 90 days. Maximum configurable period: 7 years.
6.3 Credential Vaulting
VaultPAM stores privileged credentials (passwords, SSH keys, API tokens) on Customer's behalf in an encrypted vault with the following controls:
- Credential plaintext is encrypted at rest using AES-256 with a per-customer key hierarchy managed by a dedicated HashiCorp Vault instance.
- VaultPAM operations staff have no access to credential plaintext; all access is mediated through the PAM control plane under RBAC enforcement with a full audit trail.
- Credential checkout, use, and check-in events are logged and included in Customer's immutable audit trail.
- Customer may configure just-in-time credential rotation and automatic rotation schedules.
Customer, as Controller, is responsible for configuring rotation policies appropriate to its security requirements and applicable standards.
6.4 Lawful Interception and Law Enforcement Requests
6.4.1 When VaultPAM receives a legally binding demand from a law enforcement or government authority for Customer Data (subpoena, court order, regulatory notice, or equivalent), VaultPAM will:
- notify Customer promptly and in advance of any disclosure, unless prohibited by law or court order from doing so;
- challenge the demand if VaultPAM reasonably believes it is legally invalid, overbroad, or inconsistent with applicable EU law or GDPR;
- limit any disclosure to the minimum data strictly required by the demand; and
- document the challenge and its outcome in Customer's account record.
6.4.2 VaultPAM will not voluntarily or proactively disclose Customer Data to any government authority in the absence of a legally binding demand.
6.4.3 If VaultPAM is prohibited by law from notifying Customer of a demand, VaultPAM will: record the demand internally; notify Customer as soon as it becomes legally permitted to do so; and seek to narrow or challenge any prohibition on notification where legally possible.
6.4.4 Customer acknowledges that VaultPAM's ability to challenge a demand is subject to applicable law and that VaultPAM cannot guarantee a successful outcome in all circumstances.
7. Data Protection Contact
VaultPAM's data protection contact: dpa@vaultpam.com
8. Liability
8.1 Scope of ToS cap. The liability limitations and aggregate cap set out in the Terms of Service (section 10) apply equally to claims arising under or in connection with this DPA, including claims for breach of GDPR obligations.
8.2 Mutual indemnification. Each party shall indemnify and hold harmless the other party against any damages, fines, penalties, or costs (including reasonable legal fees) awarded against the other party by a supervisory authority or court to the extent directly attributable to the indemnifying party's breach of its obligations under this DPA or GDPR.
8.3 GDPR Article 82 contribution. If either party pays compensation to a Data Subject under GDPR Article 82 in respect of damage attributable in whole or in part to the other party's breach, the paying party may recover from the other party the portion of compensation attributable to the other party's fault. The parties will cooperate in good faith to apportion liability.
8.4 Nothing in this section limits either party's liability for gross negligence or wilful misconduct.
9. Governing Law
This DPA is governed by the law of Poland. Disputes are resolved as set out in the Terms of Service.
Annex I — Technical and Organisational Security Measures (Art. 32 GDPR)
| Category | Measure |
|---|---|
| Encryption at rest | AES-256 for all Customer Data stored in the platform (database, session recordings, credential vault) |
| Encryption in transit | TLS 1.2+ for all data in transit; RDP and SSH sessions use protocol-native encryption |
| Access controls | RBAC enforced by the control plane; MFA mandatory for all administrator access |
| Credential vaulting | Privileged credentials stored in HashiCorp Vault with per-customer key hierarchy; no plaintext access for VaultPAM staff |
| Session recording integrity | WORM storage with cryptographic checksums; tamper-evidence verified on retrieval |
| Audit logging | Comprehensive immutable audit trail of all administrative actions, session events, and API calls |
| Vulnerability management | Automated dependency scanning (cargo-audit, Dependabot); regular third-party penetration testing |
| Patch management | Critical security patches applied within 72 hours; routine patches within 30 days |
| Incident response | Documented incident response plan; 72-hour breach notification SLA to Customer |
| Business continuity | GCP managed services with regional redundancy; documented RTO/RPO objectives |
| Sub-processor security | Each Sub-processor assessed for GDPR adequacy; Sub-processor DPAs in place |
| Physical security | Data processed exclusively in GCP data centres (europe-central2, Warsaw, Poland); GCP holds ISO 27001 and SOC 2 certifications |
| Staff training | All VaultPAM personnel with access to Customer Data undergo data protection and security training |
| Pseudonymisation | Session logs and audit trails use internal User identifiers; PII mapping held separately with access controls |
Annex II — Approved Sub-processors
| Sub-processor | Location | Processing activity | Data categories |
|---|---|---|---|
| Google Cloud Platform (GCP) | Google Ireland Ltd., Dublin 4, Ireland; infrastructure in europe-central2, Warsaw, Poland (EU) | Cloud compute, managed PostgreSQL databases, object storage (session recordings), Kubernetes (GKE) | All Customer Data |
| Google Workspace (SMTP relay) | Google Ireland Ltd., Dublin 4, Ireland (EU) | Transactional e-mail delivery (account notifications, breach notifications) | E-mail address, notification content |
| SMSAPI Sp. z o.o. | ul. Trakt Lubelski 352, 04-667 Warszawa, Poland (EU) | SMS-based OTP delivery for MFA | Mobile telephone number, OTP content |
| SerwerSMS Sp. z o.o. | Poland (EU) | SMS-based OTP delivery for MFA (alternative provider) | Mobile telephone number, OTP content |
VaultPAM will update this Annex when adding or replacing Sub-processors and will provide Customer with advance notice as required by clause 3(d).
Also available in: Polski · Deutsch · Français
Questions about this DPA? Contact us at dpa@vaultpam.com. See also: Privacy Policy · Terms of Service.