Data Processing Agreement
Last updated: March 4, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between vidaReady ("Processor") and the customer using the vidaReady platform ("Controller"). It governs how vidaReady processes personal data on behalf of the Controller, in accordance with the EU General Data Protection Regulation (GDPR — Regulation (EU) 2016/679).
1. Definitions
- Controller — the business or individual that has subscribed to vidaReady and determines the purposes and means of processing personal data.
- Processor — vidaReady, which processes personal data on behalf of the Controller.
- Personal Data — any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
- Processing — any operation performed on personal data, as defined in Article 4(2) GDPR.
- Sub-processor — any third party engaged by vidaReady to assist in processing personal data.
- Data Subject — the natural person whose personal data is being processed (typically end-customers of the Controller).
2. Nature and Purpose of Processing
vidaReady processes personal data solely to provide the VAT compliance automation service, which includes:
- Syncing EU transaction data from the Controller's connected Stripe account
- Classifying transactions as B2B, B2C, or Reverse Charge using available customer data
- Validating EU VAT IDs via the official VIES API (European Commission)
- Generating and storing OSS-ready VAT reports on behalf of the Controller
- Providing an audit log of data access and export events
Processing is carried out only on documented instruction from the Controller (i.e., the use of the vidaReady platform) and not for any other purpose, including vidaReady's own business interests.
3. Categories of Personal Data Processed
vidaReady processes the following categories of personal data as directed by the Controller:
| Category | Examples |
|---|---|
| Customer identifiers | Stripe customer ID, customer name, email address |
| Tax identifiers | EU VAT registration numbers (VAT IDs) submitted by the customer's buyers |
| Transaction data | Invoice amounts, currency, country of origin, transaction date |
| VAT classification | B2B/B2C classification result, VIES validation status |
vidaReady does not process payment card data, bank account details, or any special categories of personal data under Article 9 GDPR.
4. Duration of Processing
Processing continues for as long as the Controller maintains an active vidaReady account. Upon account deletion or cancellation, personal data is deleted within 30 days, except where retention is required by applicable law. Transaction data and VAT records may be retained for up to 7 years to comply with EU VAT and accounting regulations (e.g., Council Directive 2006/112/EC, Article 244). During this retention period, access is restricted and data is used solely for compliance purposes.
5. Controller Obligations
The Controller warrants and undertakes that:
- It has a valid legal basis under GDPR for sharing the personal data with vidaReady
- It has provided adequate privacy notices to its own customers (data subjects) regarding the use of vidaReady as a processing tool
- It will not instruct vidaReady to process personal data in a manner that would violate applicable law
- It will promptly notify vidaReady of any inaccuracies or changes to the personal data shared
6. Processor Obligations
vidaReady commits to:
- Process personal data only on documented instruction from the Controller
- Ensure that persons authorised to process the data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures (Article 32 GDPR)
- Not engage sub-processors without prior written consent from the Controller, other than those listed in Section 8
- Assist the Controller in responding to data subject rights requests (Articles 15–22 GDPR)
- Assist the Controller with data breach notification obligations (Articles 33–34 GDPR)
- Delete or return personal data upon termination of the service relationship
- Make available all information necessary to demonstrate compliance with this DPA
7. Security Measures (Article 32 GDPR)
vidaReady implements the following technical and organisational measures:
- Encryption in transit: All data is transmitted via TLS 1.2 or higher
- Encryption at rest: Database storage is encrypted at rest using AES-256
- Access control: Role-based access controls; only authorised personnel can access customer data
- API key security: Stripe API keys are stored encrypted and never logged in plain text
- Audit logging: All data access, exports, and administrative actions are logged
- Minimal data access: Stripe integration uses read-only restricted API keys scoped to the minimum necessary permissions
- Incident response: Security incidents are documented and, where required, reported to the Controller within 72 hours
8. Sub-processors
vidaReady uses the following sub-processors to deliver the service. The Controller hereby provides general authorisation for the use of these sub-processors. vidaReady will notify the Controller of any changes (additions or replacements) to this list with at least 14 days' notice.
| Sub-processor | Purpose | Location |
|---|---|---|
| Clerk | User authentication, session management | USA (SCCs apply) |
| Stripe | Payment processing, Stripe Connect (read-only data access) | USA/EU (SCCs apply) |
| Resend | Transactional email delivery | USA (SCCs apply) |
| Neon / Supabase / Vercel | Database hosting, application hosting | EU (preferred) |
| EU Commission VIES | VAT ID validation API (no data stored) | EU |
Where sub-processors are located outside the European Economic Area (EEA), vidaReady ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) per Commission Implementing Decision (EU) 2021/914.
9. Data Subject Rights
When a data subject exercises their rights under GDPR (Articles 15–22), the Controller is responsible for responding. vidaReady will assist the Controller by:
- Providing access to personal data held within the platform within 5 business days of a Controller request
- Deleting or anonymising personal data relating to a specific data subject upon documented Controller instruction
- Exporting personal data in machine-readable format (JSON or CSV) upon request
10. Data Breach Notification
In the event of a personal data breach (Article 33 GDPR), vidaReady will:
- Notify the Controller without undue delay and within 72 hours of becoming aware of the breach
- Provide a description of the nature of the breach, categories of data affected, likely consequences, and measures taken
- Cooperate with the Controller in its obligations to notify the relevant supervisory authority
The Controller remains responsible for notifying its own supervisory authority (e.g., the data protection authority in the EU member state where the Controller is established) and affected data subjects.
11. International Data Transfers
vidaReady primarily stores and processes data within the European Economic Area. Where data is transferred to third countries (e.g., to US-based sub-processors), such transfers are made pursuant to:
- Standard Contractual Clauses (SCCs) adopted by the European Commission
- Adequacy decisions where applicable
- The EU–US Data Privacy Framework (DPF) where the sub-processor is certified
12. Audits and Inspections
vidaReady shall allow the Controller or its appointed auditors to conduct audits or inspections of data processing activities, with reasonable notice (at least 30 days). vidaReady may require auditors to sign appropriate confidentiality agreements before disclosing system information.
13. Term and Termination
This DPA remains in effect for the duration of the Controller's use of vidaReady services. Upon termination, vidaReady will delete all personal data within 30 days (subject to legal retention obligations in Section 4). The Controller may request a written confirmation of deletion.
14. Governing Law
This DPA is governed by the laws of the Republic of Albania (as the jurisdiction where vidaReady operates), supplemented by applicable EU data protection law. Any disputes shall be referred first to good-faith negotiation, then to the competent courts.
15. Contact
For questions about this DPA, data protection inquiries, or to exercise any rights, contact:
- Email: privacy@vidaready.com
- Address: vidaReady, Tirana, Albania
To request a signed copy of this DPA for your records, email us with the subject line "DPA Request" and we will provide a countersigned copy within 5 business days.