Legal

Data Processing Addendum

How Vimiana processes personal data on behalf of business customers, for inclusion in the agreement between us.

Last updated 22 June 2026 · Draft

Draft — pending review

This is a working draft, not final or legally binding wording. It is published so the platform's real behaviour can be reviewed; final wording is pending operator and counsel review before the public launch.

1. Scope and roles

This addendum applies where Vimiana processes personal data on behalf of a business customer in the course of providing the service. For that data the customer is the controller and Vimiana is the processor. For account, billing and security data described in the privacy policy, Vimiana acts as a controller in its own right.

2. Subject matter, duration and purpose

We process personal data contained in invocation inputs and outputs, and related account identifiers, only to provide, meter, secure and support the service, for the duration of the agreement and any wind-down period. We process such data on the customer's documented instructions, which the use of the service constitutes.

3. Our obligations as processor

  • process personal data only on the customer's documented instructions;
  • ensure personnel with access are bound by confidentiality;
  • implement appropriate technical and organisational security measures (authentication, rate limiting, constrained outbound calls, bounded request sizes, PII-redacted logs);
  • assist the customer, as far as reasonable, with data-subject requests and with security, breach-notification and impact- assessment obligations; and
  • delete or return personal data at the end of the service, save where retention is legally required.

4. Sub-processors

The customer authorises the sub-processors listed on the sub-processor list. We remain responsible for our sub-processors' performance and will provide a mechanism to notify customers of changes and to object.

5. International transfers

Provisional — pending the tax / merchant-of-record rulingWhere personal data is transferred outside the UK / European region, the transfer mechanism (such as standard contractual clauses and any required addenda) is being confirmed with counsel and will be incorporated here.

6. Status of this addendum

Provisional — pending the tax / merchant-of-record rulingThis is a working outline of the data-processing terms, not an executed addendum. The final, signable DPA — including the audit, liability and Annex I/II detail — is being prepared with counsel. To request the DPA for signature, email privacy@vimiana.com.

Questions about this document? Email privacy@vimiana.com or read the docs before relying on these terms.