Data Processing Agreement
Last updated: 26 March 2026
This Data Processing Agreement (“DPA”) governs the processing of personal data by vatnode on behalf of its customers, in accordance with GDPR Art. 28.
1. Parties
This DPA is entered into between:
- Controller: The customer entity that has accepted the vatnode Terms of Service (“Customer” or “Controller”).
- Processor: Tmi Iurii Rogulia, operating as vatnode, a sole proprietorship registered in Finland (VAT ID: FI29845875), Vanhanpellonkatu 5, 53850 Lappeenranta, Finland (“vatnode” or “Processor”).
This DPA is incorporated by reference into the vatnode Terms of Service. By using the vatnode API, Customer accepts the terms of this DPA.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person, as defined in GDPR Art. 4(1).
- Processing: Any operation performed on Personal Data, as defined in GDPR Art. 4(2).
- GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council.
- Sub-processor: Any third party engaged by vatnode to process Personal Data on behalf of the Customer.
- Service: The vatnode API and associated platform as described in the Terms of Service.
3. Subject Matter and Nature of Processing
vatnode processes Personal Data on behalf of the Customer for the following purposes:
- EU VAT number validation via VIES and associated lookup services
- API request logging (IP address, API key identifier, timestamps, query parameters)
- Webhook delivery logging (endpoint URL, delivery status)
- VAT monitoring subscription management
Categories of data subjects: The Customer's end-users and/or the Customer's customers whose VAT numbers are submitted for validation.
Types of Personal Data: IP addresses, API key identifiers, and VAT numbers submitted for validation (VAT numbers are business identifiers and generally not personal data, but may relate to sole traders).
4. Duration
This DPA is effective from the date the Customer first uses the Service and continues for the duration of the subscription agreement. Upon termination, vatnode will delete or return Personal Data as described in §10 of this DPA.
5. Obligations of the Processor
vatnode agrees to:
- Process Personal Data only on documented instructions from the Customer (i.e., API requests made by the Customer), unless required to do so by EU or Finnish law
- Ensure that persons authorised to process the Personal Data have committed to confidentiality
- Implement appropriate technical and organisational security measures (see §8)
- Respect the conditions for engaging sub-processors (see §6)
- Assist the Customer in responding to requests from data subjects exercising their rights under GDPR
- Assist the Customer in ensuring compliance with GDPR Arts. 32–36 (security, breach notification, DPIAs)
- Delete or return all Personal Data to the Customer after the end of the provision of services (see §10)
- Make available all information necessary to demonstrate compliance with GDPR Art. 28 and allow for audits (see §11)
- Notify the Customer immediately if vatnode believes an instruction infringes GDPR
6. Sub-processors
The Customer provides general authorisation for vatnode to engage sub-processors. vatnode will inform the Customer of any intended changes to sub-processors with at least 14 days' notice, giving the Customer the opportunity to object.
Current sub-processors:
| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Stripe, Inc. | Payment processing | USA | SCCs (Module 2) |
| Vultr Holdings LLC | Server infrastructure | EU (Amsterdam) | EU hosting |
| Resend, Inc. | Transactional email | USA | SCCs (Module 2) |
| Vercel, Inc. | Web application hosting | USA / EU edge | SCCs (Module 2) |
SCCs = Standard Contractual Clauses under Commission Implementing Decision 2021/914.
7. Data Subject Rights
vatnode will promptly notify the Customer of any requests from data subjects exercising their GDPR rights (access, rectification, erasure, restriction, portability, objection) where the request relates to Personal Data processed on behalf of the Customer. vatnode will not respond to such requests directly unless authorised by the Customer or required by EU law.
vatnode will provide the Customer with reasonable technical and organisational assistance to fulfil data subject requests.
8. Security Measures
vatnode implements and maintains appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
- HTTPS/TLS encryption for all connections in transit
- Database encryption at rest
- API keys stored as SHA-256 hashes (never in plaintext)
- Passwords stored as bcrypt hashes
- IP address anonymisation after 30 days
- Access to production systems restricted to authorised personnel
- Regular security reviews and dependency updates
More detail is available in §9 of the Privacy Policy.
9. Data Breach Notification
In the event of a Personal Data breach affecting Customer data, vatnode will notify the Customer without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The notification will include:
- Description of the nature of the breach
- Categories and approximate number of data subjects and records affected
- Name and contact details of vatnode's data protection contact
- Likely consequences of the breach
- Measures taken or proposed to address the breach
10. Return and Deletion of Data
Upon termination of the Services or upon written request from the Customer, vatnode will, at the Customer's choice:
- Return all Personal Data to the Customer in a machine-readable format; or
- Delete all Personal Data and certify such deletion in writing.
This obligation does not apply to Personal Data that vatnode is required to retain by EU or Finnish law (e.g., invoice records under the Finnish Accounting Act).
Customers have 30 days following termination to request an export by emailing privacy@vatnode.dev.
11. Audit Rights
vatnode will make available all information necessary to demonstrate compliance with this DPA and GDPR Art. 28. Upon reasonable written notice (at least 30 days), vatnode will cooperate with audits conducted by the Customer or a mutually agreed third-party auditor, subject to:
- The audit being conducted during business hours and not more than once per year
- The auditor being bound by appropriate confidentiality obligations
- The Customer bearing the costs of any such audit
For most compliance needs, vatnode can provide its security documentation in lieu of a full on-site audit.
12. Liability
Each party's liability under this DPA is subject to the limitations set out in §12 of the Terms of Service. vatnode is liable for damages caused by processing where it has not complied with GDPR obligations specifically directed to processors, or where it has acted outside or contrary to the Customer's lawful instructions.
13. Contact
For DPA-related enquiries, data subject requests, or to exercise Customer rights under this agreement:
We aim to respond within 72 hours for breach notifications and 30 days for other requests.