Data Processing Agreement — Template
Version 1.0 (draft) — published for transparency. The operative DPA between Vorantiq and any specific Customer is the executed agreement bearing both parties’ signatures.
Scope
This template is published so customers, security reviewers, and legal counsel can evaluate Vorantiq’s standard data-processing terms without first signing a non-disclosure agreement. The full text is in the repository under docs/legal/DPA-template.md.
Parties
Controller / Customer: the customer organization.
Processor: Vorantiq, Inc.
Subject matter, duration, nature, and purpose
Duration: term of the Principal Agreement plus a 30-day post-termination retention window.
Nature and purpose: hosting, orchestration, audit, and operational governance of the Customer’s AI workloads.
Categories of Personal Data: account identity, session metadata, tenant configuration, agent definitions, runtime artifacts, spend artifacts, memory artifacts, billing artifacts, audit-log artifacts.
Customer instructions
Vorantiq processes Customer Personal Data only on the documented instructions of the Customer (the Principal Agreement and the Customer’s configuration of the Service through standard administrative surfaces).
Sub-processors
Vorantiq engages a documented set of sub-processors (Vercel, Neon, Stripe, Anthropic, OpenAI, Resend). The Customer is notified at least 30 days in advance of any change to that list.
International data transfers
Primary processing region is the United States (Vercel + Neon US-East). Cross-border transfers rely on Standard Contractual Clauses (Module 2: Controller to Processor), the UK International Data Transfer Addendum where applicable, and the Saudi PDPL transfer mechanism. Multi-region residency is on the roadmap.
Security Incident notification
In the event of a Security Incident affecting Customer Personal Data, Vorantiq notifies the Customer within 72 hours of awareness, with description, scope, likely consequences, and measures taken or proposed.
Deletion or return of data
On termination, Vorantiq provides a 30-day window for Customer-initiated export, then deletes Customer Personal Data per the right-to-erasure procedure. Audit-event records may be retained in pseudonymized form to preserve hash-chain integrity.
How to execute
Email legal@vorantiq.dev to request an executable copy. Both parties review, fill in placeholders, and execute via DocuSign or equivalent.