This DPA governs how Vigilare processes personal data on your behalf as your data processor, in accordance with GDPR, UK GDPR, and applicable US state privacy laws.
Effective date: May 22, 2025
This Data Processing Agreement ("DPA") forms part of the Vigilare Terms of Service between Vigilare ("Processor") and you, the customer ("Controller"). It applies wherever Vigilare processes personal data on your behalf in connection with the Vigilare service.
You are the data controller — you determine the purposes and means of processing. Vigilare is the data processor — we process personal data only on your documented instructions. Where Vigilare processes personal data for its own purposes (e.g. account management), Vigilare acts as a separate data controller governed by the Privacy Policy.
Personal data: any information relating to an identified or identifiable natural person, for example AWS IAM user names, email addresses in resource tags, or IP addresses captured in logs.
Processing: any operation performed on personal data, including collection, storage, retrieval, use, disclosure, or deletion.
Sub-processor: a third party engaged by Vigilare to process personal data on your behalf as part of delivering the service.
Standard Contractual Clauses (SCCs): the model clauses adopted by the European Commission in Commission Implementing Decision (EU) 2021/914 as an appropriate safeguard for transferring personal data outside the EEA.
Subject matter of processing: monitoring of your AWS account configurations and metadata to detect policy violations, billing anomalies, and security findings.
Duration of processing: the term of your subscription. On termination, Vigilare will delete or return personal data within 30 days as set out in the Termination section below.
Nature and purpose of processing: Vigilare reads AWS resource metadata via the cross-account IAM role you provision and processes it solely to generate security findings and alerts for your account.
Data subjects: your AWS IAM users, employees, or contractors whose identity information appears in AWS resource metadata, tags, or CloudTrail events.
Categories of personal data: IAM user names and ARNs, email addresses in resource tags, IP addresses in logs, and any other personal data incidentally present in AWS resource metadata you grant Vigilare access to read.
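The processing described above depends entirely on how tightly the customer scopes the cross-account IAM role Vigilare assumes. The following is an added example, not Vigilare's own role definition or a policy this DPA requires: it checks a role's trust policy for the two controls a controller should insist on (the principal restricted to the processor's AWS account, and an sts:ExternalId condition, which AWS documents as the confused-deputy protection for cross-account roles) and checks the attached permissions policy for anything beyond read-only access. The account ID and ExternalId values are placeholders, and the weak and hardened policies are constructed samples.

```python
"""Audit a cross-account IAM role provisioned for a read-only data processor.

Added example for illustration; the account ID, ExternalId and sample
policies below are placeholders, not values from the Vigilare DPA.
"""
import json

PROCESSOR_ACCOUNT = "111122223333"            # placeholder processor AWS account
EXTERNAL_ID = "customer-specific-external-id"  # placeholder per-customer ExternalId
READ_PREFIXES = ("Get", "List", "Describe")    # IAM action verbs treated as read-only

# Constructed sample: over-broad trust policy (any AWS account may assume the role).
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "sts:AssumeRole"}],
}

# Constructed sample: trust limited to the processor account plus an ExternalId.
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{PROCESSOR_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}

# Constructed samples: permissions policy granting everything vs. read-only metadata.
WEAK_PERMISSIONS = {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
HARDENED_PERMISSIONS = {"Version": "2012-10-17",
                        "Statement": [{"Effect": "Allow", "Resource": "*",
                                       "Action": ["ec2:Describe*", "iam:List*",
                                                  "iam:Get*", "config:Describe*"]}]}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy, expected_account, expected_external_id):
    """Return a list of problems with the role's trust (AssumeRole) policy."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws_principals:
            findings.append("wildcard principal: any AWS account could assume the role")
        for arn in aws_principals:
            if arn != "*" and f":{expected_account}:" not in arn:
                findings.append(f"principal {arn} is not the processor account {expected_account}")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if condition.get("sts:ExternalId") != expected_external_id:
            findings.append("missing or wrong sts:ExternalId condition (confused-deputy protection)")
    return findings


def permissions_findings(policy, read_prefixes=READ_PREFIXES):
    """Return actions in the permissions policy that go beyond read-only access."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{action} grants all actions on the service")
                continue
            verb = action.split(":", 1)[1] if ":" in action else action
            if not verb.startswith(read_prefixes):
                findings.append(f"{action} is not a read-only action")
    return findings


if __name__ == "__main__":
    for label, trust, perms in (("weak", WEAK_TRUST_POLICY, WEAK_PERMISSIONS),
                                ("hardened", HARDENED_TRUST_POLICY, HARDENED_PERMISSIONS)):
        print(label, json.dumps(trust_policy_findings(trust, PROCESSOR_ACCOUNT, EXTERNAL_ID)
                                + permissions_findings(perms), indent=2))
```

To audit a deployed role, feed `trust_policy_findings` the document returned by `aws iam get-role` and `permissions_findings` the inline or attached policy documents; an empty list from both is the state a controller should require before granting access to metadata that may contain personal data.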
You warrant that you have a lawful basis to instruct Vigilare to process personal data on your behalf and that you have provided all required notices to data subjects. You are responsible for ensuring that instructions you give Vigilare comply with applicable data protection law.
Vigilare processes personal data only on your documented instructions. If Vigilare is required by law to process personal data for another purpose, Vigilare will inform you before processing unless prohibited by law.
Vigilare ensures that personnel authorised to process personal data are under an appropriate obligation of confidentiality.
Vigilare implements appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include encryption in transit (TLS 1.2+) and at rest (AES-256), least-privilege IAM policies, and MFA-protected access to production systems.
Vigilare provides reasonable assistance to help you fulfil obligations to respond to data subject requests (access, correction, deletion, portability). Direct such requests to privacy@vigilare.cloud.
Vigilare provides reasonable assistance for data protection impact assessments (DPIAs) and prior consultations with supervisory authorities to the extent required by applicable law.
Vigilare maintains records of processing activities carried out on your behalf as required by Article 30(2) GDPR and makes them available to you on request.
You grant general authorisation for Vigilare to engage sub-processors. Vigilare will give you at least 30 days' notice before adding or replacing a sub-processor, giving you the opportunity to object.
Amazon Web Services (infrastructure, EU and US regions), Stripe (payment processing, US), and our transactional email provider. Each sub-processor is bound by data processing terms no less protective than this DPA.
Vigilare remains liable to you for the acts and omissions of sub-processors to the same extent as if Vigilare had performed the processing itself.
Where personal data is transferred outside the EEA, UK, or Switzerland, Vigilare relies on the EU Standard Contractual Clauses (Module 2: Controller to Processor) or the UK International Data Transfer Addendum as the appropriate safeguard. Copies are available on request.
If you are subject to US state privacy laws (CCPA, CPRA, etc.), Vigilare agrees to the obligations applicable to a "service provider" or "processor" under those laws, will not sell personal data, and will not share it for cross-context behavioural advertising.
Vigilare will notify you without undue delay — and in any event within 72 hours — after becoming aware of a personal data breach affecting data processed under this DPA. The notification will describe the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed to address it.
Vigilare provides all information reasonably necessary to demonstrate compliance with this DPA and applicable data protection law. You may conduct an audit (or appoint an auditor bound by confidentiality) on reasonable notice and no more than once per year, unless required by a supervisory authority. Audit costs are borne by the requesting party.
On expiry or termination of the service agreement, Vigilare will, at your election, delete or return all personal data processed on your behalf within 30 days, and certify deletion in writing. Vigilare may retain personal data to the extent required by applicable law, and only for as long as required.
This DPA is governed by the same law as the Terms of Service. For EU/EEA customers the Standard Contractual Clauses are governed by the law of the EU member state where the Controller is established, or Irish law if no such law is specified.
For questions about this DPA, data processing requests, or to request a signed copy, contact us at:
Vigilare — Privacy Team
privacy@vigilare.cloud
We aim to respond to all DPA requests within 5 business days.