Data Processing Addendum
Forms part of the Terms when Vize processes personal information on the customer's behalf.
1. Roles
The customer is the APP entity / data controller. Vize is the processor acting only on documented instructions.
2. Duration
Processing runs for the duration of the subscription and for the retention window thereafter for audit-grade evidence.
3. Sub-processors
Supabase (database + storage, AU region), Resend (email), Stripe (billing). 30-day notice before new sub-processors.
4. Security
Encryption in transit and at rest, MFA, RLS, least-privilege staff access, audit logging, dependency scanning, 72-hour breach notification.
5. Cross-border transfers
Personal information is hosted in AU regions. Where a sub-processor is overseas, standard contractual clauses apply.
6. Data subject requests
Vize will assist the customer in responding to access, correction, and erasure requests within five business days.
7. Return and deletion
On termination, Vize returns CSV + PDF bundles and deletes from production systems within 60 days, backups within 12 months.