Data Processing Addendum

Legal framework governing VitaPing's processing of personal data on behalf of organisational customers, in compliance with GDPR, UK DPA, and UAE data protection law.

Last Updated: February 2026

Contents

  1. Introduction & Scope
  2. Definitions
  3. Data Controller & Processor Roles
  4. Processing Instructions & Scope
  5. Processor Obligations
  6. Security Measures
  7. Sub-processors
  8. Data Subject Rights
  9. Audits & Compliance
  10. Data Breach Notification
  11. International Data Transfers
  12. Data Deletion & Return
  13. Liability & Indemnification
  14. Duration & Termination
  15. Annexes

1. Introduction & Scope

This Data Processing Addendum ("DPA") forms part of the agreement between:

  • Controller: The organisation deploying VitaPing services ("Customer", "you", "your")
  • Processor: [Legal Entity Name] trading as VitaPing ("VitaPing", "we", "us", "our")

Purpose: This DPA sets out the terms governing VitaPing's processing of personal data on behalf of the Customer, ensuring compliance with applicable data protection laws including GDPR, UK Data Protection Act 2018, and UAE Federal Decree-Law No. 45 of 2021.

1.1 Precedence

In the event of any conflict or inconsistency between the main commercial agreement and this DPA, the provisions of this DPA shall prevail with respect to data protection matters.

1.2 Incorporation

This DPA is incorporated into and forms part of the Customer's commercial agreement with VitaPing ("Main Agreement"). Terms not defined in this DPA have the meanings given in the Main Agreement.

2. Definitions

For the purposes of this DPA:

  • "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data, including GDPR, UK DPA, UAE DPA, and any successor or replacement legislation.
  • "Controller" means the Customer, as the entity that determines the purposes and means of processing Personal Data.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA (users, employees, visitors).
  • "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
  • "Personal Data" means any information relating to an identified or identifiable natural person processed by VitaPing on behalf of the Customer.
  • "Processing" has the meaning given in Applicable Data Protection Law and includes any operation performed on Personal Data.
  • "Processor" means VitaPing, as the entity that processes Personal Data on behalf of the Controller.
  • "Security Incident" means any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Personal Data.
  • "Sub-processor" means any third party engaged by VitaPing to process Personal Data on behalf of the Customer.
  • "Supervisory Authority" means any regulatory authority responsible for enforcing Applicable Data Protection Law.

3. Data Controller & Processor Roles

3.1 Controller Status

The Customer is the Data Controller for all Personal Data processed through the VitaPing platform. The Customer:

  • Determines the purposes and means of processing
  • Is responsible for obtaining necessary consents from Data Subjects
  • Must provide lawful processing instructions to VitaPing
  • Bears ultimate responsibility for compliance with Applicable Data Protection Law

3.2 Processor Status

VitaPing acts as Data Processor, processing Personal Data only on behalf of and in accordance with documented instructions from the Customer. VitaPing:

  • Processes Personal Data only as instructed by the Customer
  • Does not determine purposes or essential means of processing
  • Implements appropriate technical and organisational measures
  • Assists the Customer in meeting its obligations

3.3 Independent Controllers

For certain limited purposes, VitaPing may act as an independent Controller (e.g., for compliance, legal obligations, platform security). In such cases, VitaPing processes data under its own Privacy Policy and bears direct responsibility to Data Subjects.

4. Processing Instructions & Scope

4.1 Processing Instructions

VitaPing shall process Personal Data only in accordance with the Customer's documented instructions, which include:

  • The Main Agreement and this DPA
  • The Customer's deployment configuration and governance policies
  • Written instructions provided through the platform interface
  • Additional written instructions agreed between the parties

4.2 Unlawful Instructions

If VitaPing believes that any instruction violates Applicable Data Protection Law, VitaPing shall:

  • Immediately inform the Customer
  • Be entitled to suspend processing until the instruction is confirmed or withdrawn
  • Not be liable for any failure to process while awaiting lawful instructions

4.3 Scope of Processing

Details of Personal Data processing are set out in Annex 1 (Processing Details), including:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Types of Personal Data
  • Categories of Data Subjects

5. Processor Obligations

5.1 Confidentiality

VitaPing shall ensure that all personnel authorized to process Personal Data:

  • Are subject to binding confidentiality obligations
  • Receive appropriate data protection training
  • Have access only to Personal Data necessary for their role

5.2 Security Measures

VitaPing implements technical and organisational measures as detailed in Section 6 and Annex 2 (Security Measures).

5.3 Assistance Obligations

VitaPing shall, to the extent reasonably possible and at the Customer's cost, assist the Customer in:

  • Responding to Data Subject rights requests
  • Conducting Data Protection Impact Assessments (DPIAs)
  • Consulting with Supervisory Authorities
  • Ensuring compliance with security obligations
  • Notifying and investigating Security Incidents

5.4 Records of Processing

VitaPing maintains records of all processing activities carried out on behalf of the Customer, as required by Article 30(2) GDPR and equivalent provisions.

6. Security Measures

VitaPing implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

6.1 Technical Security

  • Encryption of Personal Data in transit and at rest
  • Multi-factor authentication for system access
  • Regular security testing and vulnerability assessments
  • Intrusion detection and prevention systems
  • Secure software development practices
  • Regular security patches and updates

6.2 Organisational Security

  • Role-based access controls
  • Background checks for personnel with data access
  • Mandatory data protection training
  • Incident response procedures
  • Business continuity and disaster recovery plans
  • Secure disposal procedures for data and equipment

6.3 Detailed Security Documentation

A comprehensive list of security measures is provided in Annex 2 (Technical and Organisational Measures). The Customer may request updates to this documentation annually.

6.4 Security Updates

VitaPing may update security measures provided that such updates do not result in degradation of security. Material changes will be communicated to the Customer.

7. Sub-processors

7.1 General Authorization

The Customer provides general authorization for VitaPing to engage Sub-processors, subject to the conditions in this Section 7.

7.2 Current Sub-processors

A current list of Sub-processors is maintained in Annex 3 (Sub-processors) and includes:

  • Cloud infrastructure providers
  • Analytics and monitoring services
  • Security and audit services

7.3 Notification of Changes

VitaPing shall notify the Customer of any intended changes concerning the addition or replacement of Sub-processors. The Customer may object to such changes within 30 days on reasonable data protection grounds.

7.4 Objection Process

If the Customer objects to a new Sub-processor:

  • The parties shall work together in good faith to find a resolution
  • If no resolution is reached within 30 days, the Customer may terminate the affected services
  • Termination shall not affect any fees due for services rendered

7.5 Sub-processor Requirements

VitaPing ensures that all Sub-processors:

  • Are bound by written contracts imposing data protection obligations equivalent to this DPA
  • Provide sufficient guarantees of appropriate security measures
  • Are subject to regular compliance monitoring

7.6 Liability for Sub-processors

VitaPing remains fully liable to the Customer for the performance of Sub-processors' obligations under this DPA.

8. Data Subject Rights

8.1 Customer Responsibility

The Customer is responsible for responding to Data Subject rights requests. VitaPing shall assist by:

  • Providing functionality for Data Subjects to exercise rights where technically feasible
  • Forwarding Data Subject requests received by VitaPing to the Customer
  • Assisting with retrieval, rectification, or deletion of Personal Data
  • Providing information necessary for the Customer to respond to requests

8.2 Assistance Fees

VitaPing's assistance under this Section 8 is included in the Main Agreement fees. Assistance requiring significant additional resources may be charged at VitaPing's standard rates, agreed in advance.

8.3 Emergency Context

During active emergency incidents, certain Data Subject rights may be temporarily restricted to protect vital interests. The Customer must ensure Data Subjects are informed of this in privacy notices.

9. Audits & Compliance

9.1 Audit Rights

VitaPing shall make available to the Customer all information necessary to demonstrate compliance with this DPA and Applicable Data Protection Law.

9.2 Third-Party Certifications

VitaPing maintains industry-standard certifications and undergoes regular third-party audits. Copies of relevant certificates and audit summaries are available upon request.

9.3 On-Site Audits

The Customer may conduct on-site audits, subject to:

  • Reasonable advance notice (minimum 60 days)
  • Frequency: maximum once per year unless required by Supervisory Authority
  • Non-disruptive to VitaPing's operations
  • Execution of appropriate confidentiality agreements
  • Customer bears all audit costs

9.4 Remote Audits

As an alternative to on-site audits, the Customer may request remote audits via questionnaire or document review, which may be provided at no additional cost.

9.5 Audit Findings

If an audit reveals non-compliance, VitaPing shall:

  • Provide a remediation plan within 30 days
  • Implement corrective measures within agreed timeframes
  • Provide evidence of remediation

10. Data Breach Notification

10.1 Notification Obligation

VitaPing shall notify the Customer without undue delay, and in any event within 48 hours, of becoming aware of a Security Incident affecting the Customer's Personal Data.

10.2 Notification Content

Security Incident notifications shall include:

  • Description of the nature of the Security Incident
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of Personal Data records affected
  • Likely consequences of the Security Incident
  • Measures taken or proposed to address the Security Incident
  • Contact point for further information

10.3 Investigation & Cooperation

VitaPing shall:

  • Investigate the Security Incident promptly
  • Take reasonable steps to mitigate harm
  • Cooperate with the Customer's investigation
  • Provide regular updates on investigation progress
  • Assist with any required notifications to Supervisory Authorities or Data Subjects

10.4 Notification to Authorities

The Customer is responsible for determining whether notification to Supervisory Authorities or Data Subjects is required. VitaPing shall provide reasonable assistance with such notifications.

11. International Data Transfers

11.1 Transfer Mechanisms

Where Personal Data is transferred outside the UK, EEA, or UAE, VitaPing ensures appropriate safeguards through:

  • Transfers to countries with adequacy decisions
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • International Data Transfer Addendum to the SCCs (UK IDTA)
  • UAE-approved transfer mechanisms
  • Other legally compliant transfer mechanisms

11.2 Standard Contractual Clauses

Where SCCs apply, the terms set out in Annex 4 (Standard Contractual Clauses) are incorporated into this DPA.

11.3 Data Localization

VitaPing maintains regional data storage capabilities and shall store Personal Data in the region specified in the Customer's deployment configuration, except where:

  • Required for emergency response across jurisdictions
  • Necessary for platform security or maintenance
  • Required by law or regulatory authority

11.4 Changes to Transfer Mechanisms

If any transfer mechanism is invalidated by courts or regulators, VitaPing shall promptly implement alternative compliant mechanisms.

12. Data Deletion & Return

12.1 Upon Termination

Upon termination or expiration of the Main Agreement, VitaPing shall, at the Customer's choice:

  • Delete all Personal Data, or
  • Return all Personal Data to the Customer in a structured, commonly used format

12.2 Deletion Timeline

Deletion or return shall be completed within 90 days of termination, unless:

  • Required by law to retain certain data
  • Necessary for ongoing legal or regulatory proceedings
  • Required for compliance or audit purposes

12.3 Certification

Upon completion of deletion, VitaPing shall provide written certification that all Personal Data has been deleted or returned, except for data retained under legal obligations.

12.4 Backup Data

Personal Data contained in backup systems shall be deleted in accordance with VitaPing's backup retention policies (maximum 90 days) and securely overwritten to prevent recovery.

13. Liability & Indemnification

13.1 Liability Allocation

Each party shall be liable under this DPA for damages caused by its breach, subject to the limitations of liability set out in the Main Agreement.

13.2 Controller Liability

The Customer is liable for:

  • Obtaining necessary consents from Data Subjects
  • Ensuring lawfulness of processing instructions
  • Compliance with Data Subject rights requests
  • Providing accurate privacy notices to Data Subjects

13.3 Processor Liability

VitaPing is liable for:

  • Processing Personal Data in accordance with instructions
  • Implementing appropriate security measures
  • Ensuring Sub-processor compliance
  • Security Incident notification and mitigation

13.4 Regulatory Fines

If either party is fined by a Supervisory Authority due to the other party's breach of this DPA, the breaching party shall indemnify the fined party for the amount of the fine and associated reasonable costs.

14. Duration & Termination

14.1 Duration

This DPA comes into effect on the date the Main Agreement comes into effect and continues for the duration of the Main Agreement.

14.2 Survival

The following provisions survive termination:

  • Section 5.1 (Confidentiality)
  • Section 10 (Data Breach Notification) — for incidents discovered after termination
  • Section 12 (Data Deletion & Return)
  • Section 13 (Liability & Indemnification)

14.3 Regulatory Changes

The parties agree to review and, if necessary, amend this DPA to reflect changes in Applicable Data Protection Law.

15. Annexes

Annex 1: Processing Details

Subject Matter: Provision of emergency identity and incident intelligence infrastructure services

Duration: For the term of the Main Agreement

Nature and Purpose:

  • Emergency identity data storage and controlled access
  • Emergency activation processing
  • Incident documentation and AI-assisted structuring
  • Audit trail generation and compliance reporting

Types of Personal Data:

  • Identity data: name, date of birth
  • Contact data: emergency contact information
  • Health data: medical conditions, allergies, blood type (optional)
  • Incident data: activation timestamps, location, responder logs, notes, media

Categories of Data Subjects:

  • Customer's employees, contractors, visitors
  • Authorised emergency responders

Annex 2: Technical & Organisational Measures

Comprehensive security measures are documented separately and made available to the Customer upon request. Key measures include:

  • Encryption: AES-256 at rest, TLS 1.3 in transit
  • Access controls: Role-based with MFA
  • Monitoring: 24/7 security monitoring and logging
  • Testing: Regular penetration testing and vulnerability assessments
  • Certifications: ISO 27001, SOC 2 Type II (or equivalent)

Annex 3: Sub-processors

Current Sub-processors (subject to change with notice):

  • Cloud Infrastructure: [Provider Name] — Data hosting and storage
  • Analytics: [Provider Name] — Platform monitoring and analytics
  • Security: [Provider Name] — Security monitoring and threat detection

Updated list available at: vitaping.ae/subprocessors

Annex 4: Standard Contractual Clauses

Where applicable, the European Commission's Standard Contractual Clauses (Module 2: Controller-to-Processor) and the UK International Data Transfer Addendum are incorporated by reference.

These clauses govern international transfers of Personal Data and are available at:

  • EU SCCs: EC SCC Website
  • UK IDTA: ICO IDTA Website

DPA Contact & Inquiries

Email: dpo@vitaping.ae

Subject line: DPA Inquiry — [Customer Name]

Address: [Full Postal Address]

Data Protection Officer: [Name]

Related Documents:

Privacy Policy  •  Terms of Use  •  Cookie Policy  •  AI Governance Statement

VitaPing is not designed for: surveillance, productivity monitoring, insurance underwriting, behavioural scoring, or population tracking.