Data Processing Agreement
Last updated: June 18, 2026 — Version 1.0
This Data Processing Agreement (“DPA”) is entered into between Vaglica Group LLC (“Processor”) and the entity executing a Vaglica Group subscription agreement (“Controller”) and forms part of the Terms of Service. This DPA applies where the Controller’s use of the Xaedros platform involves the processing of Personal Data subject to applicable data protection laws including the GDPR, UK GDPR, or CCPA.
1. Definitions
Personal Data: Any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller.
Processing: Any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
Data Subject: The natural person to whom Personal Data relates.
Sub-Processor: Any third party engaged by the Processor to carry out processing activities on behalf of the Controller.
2. Subject Matter & Duration
The Processor shall process Personal Data on behalf of the Controller solely for the purpose of providing the Xaedros platform services described in the Terms of Service. Processing shall continue for the duration of the Controller’s subscription and for a period of 30 days thereafter (the retention window), unless earlier deletion is requested.
3. Nature & Purpose of Processing
The Processor processes the following categories of data on behalf of the Controller:
- Contact information (names, email addresses, phone numbers) of the Controller’s leads, prospects, and customers
- Business correspondence (outreach emails, reply threads) initiated by the Controller’s connected accounts
- Calendar and scheduling data from connected Google accounts
- Financial data (invoices, payments) entered into the platform by the Controller
- Employee and team member records entered by the Controller
Processing is carried out for the following purposes: lead generation and outreach automation; CRM and pipeline management; invoicing and financial management; social media content publishing; property management (if applicable); and platform analytics and performance reporting.
4. Controller’s Obligations
The Controller shall: (a) ensure it has a lawful basis for processing Personal Data under applicable law; (b) provide appropriate privacy notices to Data Subjects; (c) respond to Data Subject requests; (d) not instruct the Processor to process data in a manner that would violate applicable law; and (e) ensure all Personal Data provided to the Processor is accurate and lawfully obtained.
5. Processor’s Obligations
The Processor shall: (a) process Personal Data only on documented instructions from the Controller; (b) ensure persons authorized to process Personal Data are bound by confidentiality obligations; (c) implement and maintain appropriate technical and organizational security measures (see Section 6); (d) not engage Sub-Processors without the Controller’s general or specific authorization; (e) assist the Controller in fulfilling Data Subject requests; (f) assist the Controller with data breach notification obligations; (g) delete or return all Personal Data upon termination of services; and (h) provide all information necessary to demonstrate compliance with this DPA.
6. Security Measures
The Processor maintains the following technical and organizational measures:
- Encryption in transit: TLS 1.2/1.3 enforced on all connections. HSTS enforced.
- Encryption at rest: AES-256 at hypervisor level (Vultr). Application-level Fernet encryption for credentials and OAuth tokens.
- Access control: Role-based access control (RBAC). Principle of least privilege. All access logged.
- Audit trail: Immutable, append-only audit log retained for 1 year.
- Incident response: Documented incident response procedure. Breach notification within 72 hours.
- Vulnerability management: Regular vulnerability scanning. Responsible disclosure policy at /.well-known/security.txt.
- Data isolation: Multi-tenant row-level isolation enforced at both application and database level.
7. Sub-Processors
The Controller provides general authorization for the Processor to engage the following Sub-Processors. The Processor will notify the Controller of any changes to this list with at least 14 days’ notice:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Vultr Holdings | Cloud infrastructure | USA |
| Cloudflare, Inc. | CDN, file storage (R2), DNS | USA |
| Amazon Web Services | Transactional email (SES) | USA |
| Anthropic, PBC | AI language model processing | USA |
| New Relic, Inc. | Observability & audit log forwarding | USA |
| Stripe, Inc. | Payment processing | USA |
8. Data Subject Rights
The Processor shall provide reasonable assistance to the Controller in responding to Data Subject requests for access, rectification, erasure, restriction, portability, or objection. Controllers may submit Data Subject requests on behalf of their users to privacy@vaglicagroup.com. The Processor will respond within 5 business days and take required action within 30 days.
9. Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within 72 hours, upon becoming aware of a Personal Data breach. Notification shall include: nature of the breach; categories and approximate number of Data Subjects affected; categories and approximate number of records affected; likely consequences of the breach; and measures taken or proposed to address the breach.
10. International Transfers
All Personal Data is processed and stored in the United States. For transfers from the European Economic Area (EEA) or United Kingdom to the USA, the Processor relies on Standard Contractual Clauses (SCCs) as approved by the European Commission, incorporated into this DPA by reference. The Controller may request a copy of the applicable SCCs by contacting legal@vaglicagroup.com.
11. Deletion & Return of Data
Upon termination or expiry of the Controller’s subscription, the Processor shall, at the Controller’s option: (a) return all Personal Data in CSV/JSON format via the platform’s data export feature; or (b) securely delete all Personal Data within 30 days. The Controller may request immediate deletion at any time by contacting support@vaglicagroup.com. Written confirmation of deletion will be provided within 5 business days.
12. Audit Rights
The Controller may, with 30 days’ written notice and no more than once per year, request an audit of the Processor’s data processing activities. Audits shall be conducted during normal business hours and at the Controller’s expense. The Processor may satisfy this requirement by providing its most recent third-party security assessment or New Relic audit trail export in lieu of an on-site audit.
13. Execution
This DPA is automatically incorporated into your Vaglica Group subscription agreement. No additional signature is required for the standard DPA. For customized DPA terms, or to execute a signed copy for your records, contact legal@vaglicagroup.com. We execute customized DPAs within 24 hours of request.
14. Contact
Vaglica Group LLC — Data Protection Contact: privacy@vaglicagroup.com — Miami, Florida, USA