DPA

Data Processing Addendum

Forms part of the Terms when Vize processes personal information on the customer's behalf.

1. Roles

The customer is the APP entity / data controller. Vize is the processor acting only on documented instructions.

2. Duration

Processing runs for the duration of the subscription and for the retention window thereafter for audit-grade evidence.

3. Sub-processors

Supabase (database + storage, AU region), Resend (email), Stripe (billing). 30-day notice before new sub-processors.

4. Security

Encryption in transit and at rest, MFA, RLS, least-privilege staff access, audit logging, dependency scanning, 72-hour breach notification.

5. Cross-border transfers

Personal information is hosted in AU regions. Where a sub-processor is overseas, standard contractual clauses apply.

6. Data subject requests

Vize will assist the customer in responding to access, correction, and erasure requests within five business days.

7. Return and deletion

On termination, Vize returns CSV + PDF bundles and deletes from production systems within 60 days, backups within 12 months.