Data Processing Agreement
Last updated: 23 April 2026
This Data Processing Agreement (“DPA”) governs the processing of personal data by vatnode on behalf of its customers, in accordance with GDPR Art. 28.
1. Parties
This DPA is entered into between:
- Controller: The customer entity that has accepted the vatnode Terms of Service (“Customer” or “Controller”).
- Processor: Tmi Iurii Rogulia, operating as vatnode, a sole proprietorship registered in Finland (VAT ID: FI29845875), Vanhanpellonkatu 5, 53850 Lappeenranta, Finland (“vatnode” or “Processor”).
This DPA is incorporated by reference into the vatnode Terms of Service. By using the vatnode API, Customer accepts the terms of this DPA.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person, as defined in GDPR Art. 4(1).
- Processing: Any operation performed on Personal Data, as defined in GDPR Art. 4(2).
- GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council.
- Subprocessor: Any third party engaged by vatnode to process Personal Data on behalf of the Customer.
- Service: The vatnode API and associated platform as described in the Terms of Service.
3. Subject Matter and Nature of Processing
vatnode processes Personal Data on behalf of the Customer for the following purposes:
- EU VAT number validation via VIES and associated lookup services
- Retrieval of company enrichment data from national business registries (legal form, industry description, registry code, registration date) for covered EU countries
- Generation and storage of VIES consultation numbers (requestIdentifier issued by the European Commission) when the Customer has configured a requester VAT
- API request logging (IP address, API key identifier, timestamps, query parameters)
- Webhook delivery logging (endpoint URL, delivery status)
- VAT monitoring subscription management
Categories of data subjects: The Customer's end-users and/or the Customer's customers whose VAT numbers are submitted for validation, including sole traders and individual entrepreneurs whose VAT numbers identify them as natural persons.
Types of Personal Data: IP addresses, API key identifiers, VAT numbers submitted for validation (VAT numbers are business identifiers and generally not personal data, but may relate to sole traders), company enrichment data from national registries (name, address, legal form, industry code, registration date — may constitute personal data where the VAT belongs to a sole trader), VIES consultation numbers, and account activity audit log entries (IP address, timestamps, user agent, action type, affected resource).
Processing necessary to operate the Service — including quota counting, VAT monitoring subscription re-validation, webhook delivery retries, and security audit logging — constitutes processing necessary for the performance of the Service and is not dependent on individual Customer instructions for each operation.
4. Duration
This DPA is effective from the date the Customer first uses the Service and continues for the duration of the subscription agreement. Upon termination, vatnode will delete or return Personal Data as described in §10 of this DPA.
5. Obligations of the Processor
vatnode agrees to:
- Process Personal Data only on documented instructions from the Customer (i.e., API requests made by the Customer), unless required to do so by EU or Finnish law
- Ensure that persons authorised to process the Personal Data have committed to confidentiality
- Implement appropriate technical and organisational security measures (see §8)
- Respect the conditions for engaging subprocessors (see §6)
- Assist the Customer in responding to requests from data subjects exercising their rights under GDPR
- Assist the Customer in ensuring compliance with GDPR Arts. 32–36 (security, breach notification, DPIAs)
- Delete or return all Personal Data to the Customer after the end of the provision of services (see §10)
- Make available all information necessary to demonstrate compliance with GDPR Art. 28 and allow for and contribute to audits and inspections conducted by the Customer or a mandated auditor (see §11)
- Notify the Customer immediately if vatnode believes an instruction infringes GDPR
- Maintain a record of all processing activities carried out on behalf of the Customer, available upon request
Data minimisation: vatnode applies data minimisation principles. IP addresses collected for API request logging and audit purposes are anonymised after 30 days in production logs. Full IP records in the audit log are retained for 1 year and then deleted.
6. Subprocessors
The Customer provides general authorisation for vatnode to engage subprocessors. vatnode will inform the Customer of any intended changes to subprocessors with at least 14 days' notice, giving the Customer the opportunity to object.
Current subprocessors:
| Subprocessor | Purpose | Location | Safeguard |
|---|---|---|---|
| Vultr Holdings LLC | Server infrastructure (database, API, and web hosting) | Frankfurt, Germany (EU) | None required — processor in EU/EEA |
| Stripe Payments Europe Ltd. / Stripe, Inc. | Payment processing | Ireland (EU) / USA | SCCs (Module 2) for US transfers |
| Resend, Inc. | Transactional email (service notifications, onboarding survey forwarding) | USA | SCCs (Module 2) |
SCCs = Standard Contractual Clauses under Commission Implementing Decision 2021/914.
7. Data Subject Rights
vatnode will promptly notify the Customer of any requests from data subjects exercising their GDPR rights (access, rectification, erasure, restriction, portability, objection) where the request relates to Personal Data processed on behalf of the Customer. vatnode will not respond to such requests directly unless authorised by the Customer or required by EU law.
vatnode will provide the Customer with reasonable technical and organisational assistance to fulfil data subject requests.
8. Security Measures
vatnode implements and maintains appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
- HTTPS/TLS encryption for all connections in transit
- Database encryption at rest
- API keys stored as SHA-256 hashes (never in plaintext)
- Passwords stored as bcrypt hashes
- IP address anonymisation after 30 days in production logs
- Access to production systems restricted to authorised personnel
- Regular security reviews and dependency updates
More detail is available in §9 of the Privacy Policy.
9. Data Breach Notification
In the event of a Personal Data breach affecting Customer data, vatnode will notify the Customer without undue delay of becoming aware of the breach (GDPR Art. 33(2)). The notification will include:
- Description of the nature of the breach
- Categories and approximate number of data subjects and records affected
- Name and contact details of vatnode's data protection contact
- Likely consequences of the breach
- Measures taken or proposed to address the breach
vatnode will also notify the Customer without undue delay if an API key issued to the Customer is suspected to have been exposed or compromised at vatnode's infrastructure level.
Note: The obligation on the Customer as Controller to notify the competent supervisory authority is governed by GDPR Art. 33(1), which sets a 72-hour deadline running from the Controller's awareness of the breach.
10. Return and Deletion of Data
Upon termination of the Services or upon written request from the Customer, vatnode will, at the Customer's choice:
- Return all Personal Data to the Customer in a machine-readable format; or
- Delete all Personal Data and certify such deletion in writing.
Retention periods for specific data types are set out in the vatnode Privacy Policy (§7). Data required to be retained for legal compliance — including VAT check records retained for tax and legal compliance purposes, and invoice records under the Finnish Accounting Act — is exempt from deletion obligations.
Customers have 30 days following termination to request an export by emailing [email protected].
11. Audit Rights
vatnode will make available all information necessary to demonstrate compliance with this DPA and GDPR Art. 28, and will allow for and contribute to audits and inspections conducted by the Customer or a mutually agreed third-party auditor. Upon reasonable written notice (at least 30 days), vatnode will cooperate with such audits, subject to:
- The audit being conducted during business hours and not more than once per year
- The auditor being bound by appropriate confidentiality obligations
- The Customer bearing the costs of any such audit
For most compliance needs, vatnode can provide its security documentation in lieu of a full on-site audit.
12. Liability
Each party's liability under this DPA is subject to the limitations set out in §12 of the Terms of Service. vatnode is liable for damages caused by processing where it has not complied with GDPR obligations specifically directed to processors, or where it has acted outside or contrary to the Customer's lawful instructions.
13. Governing Law and Jurisdiction
This DPA is governed by the laws of Finland. Any disputes arising out of or in connection with this DPA that cannot be resolved amicably shall be subject to the exclusive jurisdiction of the Helsinki District Court (Helsingin käräjäoikeus), Finland.
Where the Customer is resident or established in another EU Member State, mandatory consumer or B2B protection laws of that Member State are not affected by this choice of jurisdiction.
14. Contact
For DPA-related enquiries, data subject requests, or to exercise Customer rights under this agreement:
We aim to respond without undue delay for breach notifications and within 30 days for other requests.