v1.6Data Processing Agreement·last updated May 12, 2026·GDPR Art. 28·SCCs 2021/914
Legal · Data Processing Agreement

Data Processing
Agreement.

The GDPR Article 28 controller‑to‑processor agreement governing how VesperWise handles personal data on your behalf. This DPA is automatically incorporated into our Terms of Service for every customer in the EEA, UK, or Switzerland.

EffectiveMay 12, 2026Versionv1.6IncorporatesSCCs (EU 2021/914), UK AddendumIn force
You don’t need to sign anything. This DPA is automatically incorporated into the Terms of Service when you create an account. If your procurement team requires a counter‑signed copy, email legal@intentiq.dev and you’ll have a DocuSign within one business day.

01Definitions & roles

Terms not defined here have the meaning given in the Terms of Service or the GDPR. For clarity:

  • Controller means the Customer (you), who determines the purposes and means of processing Personal Data;
  • Processor means VesperWise Labs, Inc., processing Personal Data on the Controller’s behalf;
  • Personal Data, Processing, Data Subject, Supervisory Authority, and Personal Data Breach have the meanings given in GDPR Art. 4;
  • SCCs means the EU Standard Contractual Clauses, Module Two (Controller → Processor), Commission Decision 2021/914.

02Subject matter & scope

This DPA applies to all Processing of Personal Data carried out by VesperWise in performance of the Service. The subject matter, duration, nature, and categories of data are described in Annex I. This DPA prevails over the Terms with respect to any inconsistency in the handling of Personal Data.

03Processing instructions

VesperWise will Process Personal Data only on documented instructions from the Controller — including with regard to international transfers — unless required to do so by EU or Member State law. The Controller’s documented instructions are:

  1. 1.The Terms of Service;
  2. 2.This DPA, including its Annexes;
  3. 3.The configuration and inputs the Controller provides through the Service (e.g. domains submitted, workflows enabled).

If VesperWise is required by law to Process Personal Data outside these instructions, it will inform the Controller of that legal requirement before Processing, unless the law prohibits such notice on important grounds of public interest.

04Confidentiality & personnel

VesperWise ensures that any person authorized to Process Personal Data is bound by an obligation of confidentiality and has received appropriate data‑protection training. Access to Personal Data is granted on a least‑privilege basis and reviewed quarterly.

05Subprocessors

The Controller grants general authorization for VesperWise to engage subprocessors. The current list is on our Subprocessors page. VesperWise will:

  • Notify the Controller at least 30 days in advance before adding or replacing a subprocessor (by email to the account owner, and by an update to the Subprocessors page);
  • Impose on each subprocessor data‑protection obligations no less protective than those in this DPA;
  • Remain fully liable for the acts and omissions of its subprocessors.

The Controller may object to a new subprocessor on reasonable data‑protection grounds within the notice period; if the parties cannot resolve the objection, the Controller may terminate the affected services and receive a prorated refund of prepaid fees.

06Security measures

VesperWise implements appropriate technical and organizational measures (“TOMs”) to ensure a level of security appropriate to the risk, including those listed in Annex II. The Controller acknowledges that the measures in Annex II constitute appropriate security for the categories of Personal Data described in Annex I.

07Personal data breach

VesperWise will notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting the Controller’s data. The notification will include:

  1. 1.A description of the nature of the breach, including categories and approximate numbers of Data Subjects and records concerned;
  2. 2.The likely consequences;
  3. 3.Measures taken or proposed to address the breach and mitigate possible adverse effects;
  4. 4.The point of contact for further information (security@intentiq.dev).

08Data subject rights

VesperWise will, taking into account the nature of the Processing, assist the Controller by appropriate technical and organizational measures (insofar as possible) in fulfilling its obligation to respond to requests by Data Subjects exercising their rights under Chapter III GDPR.

If VesperWise receives a request from a Data Subject in respect of Personal Data Processed under this DPA, it will direct the Data Subject to the Controller without responding to the request itself, except where required by law.

09International transfers

To the extent that Processing under this DPA involves the transfer of Personal Data out of the EEA, UK, or Switzerland to a country not covered by an adequacy decision, the parties enter into the SCCs (Module Two), incorporated herein by reference:

  • Clause 7 (docking clause): not used;
  • Clause 9 (subprocessors): Option 2 (general written authorization), 30‑day notice;
  • Clause 11 (redress): independent dispute resolution body not used;
  • Clause 17 (governing law): law of Ireland;
  • Clause 18 (forum): courts of Ireland;
  • Annex I.A populated from Annex I of this DPA;
  • Annex II populated from Annex II of this DPA.

For UK transfers, the UK International Data Transfer Addendum (Version B1.0) supplements the SCCs as drafted by the ICO.

10Audits

VesperWise will make available to the Controller all information necessary to demonstrate compliance with this DPA, including a current SOC 2 Type II report and the answers to the CAIQ Lite and SIG Core. The Controller may request an audit once per twelve‑month period, on 30 days notice, conducted during business hours, by a mutually agreed independent auditor bound by confidentiality. The Controller bears the cost unless the audit reveals material non‑compliance.

11Deletion & return

Upon termination of the Service, VesperWise will, at the Controller’s choice:

  • Return all Personal Data via a JSON export available in‑product;
  • Delete all Personal Data within 90 days, including from backups within their normal rotation schedule (≤ 35 additional days), and provide written confirmation;

Unless retention of some Personal Data is required by Union or Member State law (e.g. tax records). In that case, VesperWise will continue to ensure the confidentiality of the retained data and will not actively Process it.

12Liability & term

The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. This DPA enters into force on the effective date stated above and remains in effect for the duration of the Service.

A1Annex I · Details of Processing

A. List of Parties. Controller: the Customer as identified in the account record. Processor: VesperWise Labs, Inc., 340 Brannan St., 4th fl., San Francisco, CA 94107.

Subject matter
Provision of B2B intent scoring, workflows, and chat copilot via the VesperWise Service.
Duration
Term of the Service plus the 90‑day deletion window in Section 11.
Nature & purpose
Account scoring, person scoring, watchlist alerts, AI summary generation, billing.
Categories of Data Subjects
Customer's employees (seat holders); business contacts (e.g. people the Customer scores).
Categories of Personal Data
Name, work email, professional title, employer, LinkedIn URL, IP address, account activity.
Special categories
None. Processing of Article 9 data is prohibited by the AUP.
Frequency
Continuous, throughout the Term.
Competent supervisory authority
Data Protection Commission of Ireland (lead authority for EEA transfers).

A2Annex II · Technical & organizational measures

VesperWise implements the following measures. The full Security page, including diagrams and control mappings, is at intentiq.dev/security.

Control areaMeasure
Encryption · transitTLS 1.3 on all customer‑facing endpoints; HSTS preloaded.
Encryption · at restAES‑256 for database and object storage (Supabase + Vercel Blob).
Access controlSSO + MFA enforced for all internal access. Least‑privilege RBAC; quarterly access review.
API authenticationSHA‑256 hashed bearer tokens; per‑user rate limiting; revocation on suspected compromise.
Tenant isolationPostgres Row‑Level Security on every multi‑tenant table; tenant ID required on all queries.
Logging & monitoringAudit logs for all admin actions; 12‑month retention; alerts on anomalous read volume.
Vulnerability managementDependabot for dependencies; quarterly third‑party pen test; bounties via the Security page.
Personnel securityConfidentiality agreements; security training on hire and annually.
Subprocessor managementPublic list; 30‑day notice; DPA required from each.
Incident response72‑hour Controller notification on breach; runbook tested twice per year.
Backups & resilienceDaily encrypted backups; 35‑day retention; RPO 24h, RTO 4h.
Physical securityNone operated by VesperWise; all production hosting is with subprocessors with SOC 2 / ISO 27001.
Questions? legal@intentiq.dev
Terms →Privacy →Subprocessors →