Data Processing Agreement (DPA)

Last updated: 2026-05-25

Contractual annexes that regulate the processing of your end customers data under GDPR / LGPD principles.

Purpose and scope
Parties and roles
Documented instructions
Confidentiality
Technical and organizational measures
Subprocessors
Assistance with data subject rights
Breach notification
Audit
International transfers
Duration and return
Annex A — Processing details
Annex B — Authorized subprocessors

1. Purpose and scope

This Data Processing Agreement (hereinafter the "DPA") supplements the Terms of Service between Voilatier Inc. and the Customer, and governs the processing of personal data that the Customer entrusts to Voilatier when using the platform. It is governed by the principles of the General Data Protection Regulation (GDPR), the Lei Geral de Proteção de Dados (LGPD) and applicable local Latin American laws.

2. Parties and roles

Data Controller: the Customer.
Data Processor: Voilatier Inc.

The Customer determines the purposes and means of processing the data of its end customers. Voilatier acts exclusively under the Customer's documented instructions.

3. Documented instructions

Voilatier processes Customer Data only to: (a) provide the Service in accordance with the Terms; (b) follow reasonable Customer instructions communicated through the panel or in writing; (c) comply with legal obligations to which it is subject. Any instruction that, in Voilatier's judgment, violates applicable law will be reported to the Customer without being carried out.

4. Confidentiality

Voilatier ensures that persons authorized to process Customer Data are bound by an equivalent contractual or legal duty of confidentiality. Access to production data is restricted to authorized engineering staff, with each access logged.

5. Technical and organizational measures

Voilatier implements measures appropriate to the risk, including:

Encryption in transit (TLS 1.2+) and at rest (disk-level encryption for all storage, column-level encryption for identifiable PII).
Mandatory two-factor authentication for administrative roles.
Immutable audit log of significant actions (Spatie ActivityLog + append-only ledgers for accounting movements).
Strict logical tenant isolation: no query can cross company_id without going through an explicit exception in code.
Daily encrypted backups with 30-day retention.
Documented incident management policy with playbooks by category.
Mandatory code reviews for changes that touch security surfaces or PII.
Annual third-party penetration tests (formal program from 2027 onward).

6. Subprocessors

Voilatier may engage subprocessors to provide parts of the Service. The current list is in Annex B. Before adding a new subprocessor, Voilatier will notify the Customer at least 30 days in advance. The Customer has the right to object on reasonable grounds; if the objection cannot be resolved, the Customer may terminate the contract without penalty.

Voilatier imposes on each subprocessor contractual obligations equivalent to those of this DPA regarding confidentiality, security and breach notification.

7. Assistance with data subject rights

Voilatier reasonably assists the Customer in responding to data subject requests (access, rectification, erasure, portability, objection). If a data subject contacts Voilatier directly, Voilatier will redirect them to the Customer without processing the request unilaterally, unless legally obligated otherwise.

The panel offers self-service tools to export (CSV), anonymize (the anonymized_at field, which preserves aggregates without PII) and delete end-customer records.

8. Breach notification

If Voilatier becomes aware of a security breach affecting Customer Data, it will notify the Customer without undue delay and, in any case, within 72 hours of detection. The notification will include: a description of the nature of the breach, the categories and approximate volume of affected data subjects and data, likely consequences, and measures taken or proposed to mitigate it.

9. Audit

The Customer has the right to verify compliance with this DPA up to once a year (plus one additional time after a confirmed breach) under the following conditions:

30 days' advance notice.
A non-disclosure agreement (NDA) signed by the designated auditor.
An audit conducted during business hours, without disrupting the Service.
Costs borne by the Customer, unless material non-compliance is found, in which case Voilatier covers the direct costs.

Instead of an on-site audit, Voilatier may satisfy this right by providing the latest equivalent independent audit report (SOC 2 Type II or comparable, once available) and responses to a standard security questionnaire (CAIQ).

10. International transfers

When Customer Data is transferred outside the jurisdiction of origin, the transfer is covered by the European Commission's Standard Contractual Clauses (SCCs) or equivalent mechanisms recognized by local authorities. The processing jurisdictions are listed in Annex B.

11. Duration and return

This DPA remains in effect as long as Voilatier processes Customer Data. Upon termination of the contract, the Customer has 60 days to export its data via the panel or API. After that period, Voilatier will delete or anonymize the data, unless legally required to retain it. At the Customer's request, Voilatier will issue a certificate of deletion.

Annex A — Processing details

Categories of data subjects

End customers of the Merchant (people who receive loyalty communications).
Merchant staff who operate the panel.

Categories of personal data

Identification: first name, last name, optional external identifiers (DNI, RFC, NIT, RUC).
Contact: mobile phone, email (both encrypted at the column level).
Demographics: date of birth (optional), preferred language, country.
Behavior: transaction history, accumulated points, RFM segment, loyalty tier, channel subscriptions.
Consents: opt-in / opt-out per channel (email, SMS, WhatsApp), associated timestamps.

Purposes of processing

Operation of the loyalty program (accumulation, redemption, tiers).
Communication with end customers through authorized channels.
Analytics and segmentation for the Merchant's internal use.
Compliance with the Merchant's legal obligations.

Duration of processing

As long as the Merchant's Account is active, plus 60 days after termination for export, unless the Merchant instructs early deletion.

Annex B — Authorized subprocessors

List current as of Last updated: 2026-05-25:

Resend — United States · Delivery of transactional and marketing emails.
LabsMobile — Spain / multiple LATAM · Delivery of SMS messages.
Meta Platforms (WhatsApp Cloud API) — United States / Ireland · Delivery of WhatsApp messages.
Cloudflare — United States · CDN, CAPTCHA, DDoS protection.
AWS / DigitalOcean — United States · Application hosting and database storage.
Stripe — United States · Processing of Merchant payments (does not process end-customer data).
Anthropic — United States · Language models for optional assisted-writing features; prompts do not persist identifiable personal data of the Merchant or its end customers.

For questions about subprocessors or to subscribe to change notifications, write to [email protected].