The terms under which Vaultneur acts as your data processor, including sub-processors and security measures.
Effective date: 22 May 2026
This Data Processing Addendum ("DPA") has been updated to reflect changes to Vaultneur's service architecture and sub-processors. The main changes from the previous version are:
These changes are intended to strengthen the protection of your data while maintaining compliance with applicable data protection laws, including the GDPR, CCPA/CPRA, POPIA and the UK Data Protection Act 2018.
Please review Schedule 1 (Description of Transfer) and Schedule 2 (Technical and Organizational Measures), as these contain the most significant updates.
In order that you as a service user and data controller (referred to as "Controller" or "User") may use or continue to use our zero-knowledge encrypted vault services ("Services") offered by us, Vaultneur PTY LTD of Pretoria, Gauteng, South Africa, and data processor (referred to as "Vaultneur" or "Processor"), you agree that certain Personal Data you submit as part of your use of our Services and these data processing terms ("Terms") shall apply (notwithstanding any other terms and conditions applicable to the delivery of the Services to the contrary) in order to address the compliance obligations imposed upon Vaultneur and its Users pursuant to Applicable Law.
"Affiliate" means an entity that, directly or indirectly, controls, is controlled by, or is under common control with a Party. As used herein, "control" means the power to direct the management or affairs of an entity and the beneficial ownership of fifty percent (50%) or more of the voting equity securities or other equivalent voting interests of an entity.
"Applicable Law(s)" means all US, UK, and EU laws, regulations, and other legal or regulatory requirements relating to privacy, data protection/security, or the Processing of Personal Data applicable to Vaultneur's performance of its services under the Agreement, including without limitation the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. ("CCPA") as amended by the California Privacy Rights Act of 2020 ("CPRA"), Protection of Personal Information Act ("POPIA") including any implementing regulations, the United Kingdom Data Protection Act 2018, and the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR").
"User Contact Data" means the User's contact information.
"User Personal Data" means User Data, as defined in the Agreement, consisting of Personal Data, except for User Contact Data.
"EEA" means, for purposes of this DPA, the European Economic Area (which is composed of the member states of the European Union), Norway, Iceland, Liechtenstein, and Switzerland.
"EU SCCs" means the Standard Contractual Clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as described in Section 9.
"Personal Data Breach" means the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to User Personal Data.
"Personal Data" includes "personal data," "personal information," and "personally identifiable information," each as defined by Applicable Law.
"Process" and "Processing" mean any operation or set of operations performed on Personal Data, or on sets of Personal Data, whether or not by automated means, such as collecting, recording, organizing, creating, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing (by transmission, dissemination or otherwise making such data available), aligning or combining, restricting, erasing, or destroying such Personal Data.
"Standard Contractual Clauses" means the EU SCCs or the UK SCCs, as applicable.
"UK SCCs" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, available as of the Effective Date at the ICO website and completed as described in Section 9.
User is the Controller as defined under Applicable Laws, and User determines the means and purposes for which User Personal Data is Processed by Vaultneur. To the extent Vaultneur Processes User Personal Data subject to Applicable Laws, Vaultneur is a Processor and Service Provider as defined under Applicable Laws, and Vaultneur will Process the User Personal Data according to the instructions set forth in this DPA, the Agreement, and as required under Applicable Laws.
Note on our zero-knowledge architecture: Our Services encrypt User Personal Data on your device before it is transmitted to our infrastructure. We do not hold the cryptographic keys needed to decrypt your vault data and cannot access its plaintext content. This means that although we store and process encrypted data, metadata and account information, we cannot read the actual content of the documents and records you store.
User and Vaultneur are independent Controllers, as defined under Applicable Laws, with respect to User Contact Data. Either Party may Process User Contact Data as necessary for the purpose of (i) carrying out its obligations under the Agreement, (ii) applicable legal or regulatory requirements, (iii) requests and communications with the other Party, (iv) administrative, business, and marketing purposes, and (v) to protect its respective rights in accordance with applicable law and, in the case of Vaultneur, maintaining the security and integrity of the Services.
Vaultneur hereby certifies that it understands the restrictions and obligations set forth in this DPA in relation to its role as a Processor and Service Provider, and that it will comply with them.
Vaultneur will not:
Further details regarding Vaultneur's Processing operations are set forth in Schedule 1. To the extent User discloses or makes available deidentified data (as such term is defined under Applicable Law) within the User Data to Vaultneur, Vaultneur shall not attempt to re-identify such data.
Note on zero-knowledge limitations: Because of our zero-knowledge architecture, we cannot access, read or process the plaintext content of your encrypted vault data. Our processing is limited to encrypted data, file metadata (such as file size, timestamps and record type), account information and operational system data.
User will not instruct Vaultneur to Process User Personal Data in violation of Applicable Law. Vaultneur will without undue delay inform User if, in Vaultneur's opinion, an instruction from User infringes Applicable Law. The Agreement, including this DPA, constitutes User's complete and final instructions to Vaultneur regarding the Processing of User Personal Data, including for purposes of the Standard Contractual Clauses. User shall also have the right to take reasonable and appropriate steps to stop or remediate any unauthorized Processing of User Personal Data by Vaultneur.
Vaultneur will not disclose User Personal Data to any third party without first obtaining User's written consent, except as provided in Section 5, Section 7 or Section 9, except as required by law. Vaultneur will require all employees, contractors, and agents who Process User Personal Data on Vaultneur's behalf to protect the confidentiality of the User Personal Data and to comply with the other relevant requirements of this DPA.
Note: Given our zero-knowledge architecture, we are technically unable to disclose the plaintext content of your encrypted data, as we do not hold the keys required to decrypt it.
Vaultneur may subcontract the collection or other Processing of User Personal Data only in compliance with Applicable Law and any additional conditions for subcontracting set forth in the Agreement. User acknowledges and agrees that Vaultneur's Affiliates and certain third parties may be retained as sub-processors to Process User Personal Data on Vaultneur's behalf (under this DPA as well as under the Standard Contractual Clauses, if they apply) in order to provide the Services.
Vaultneur's third-party sub-processors are:
Prior to a sub-processor's Processing of User Personal Data, Vaultneur will impose contractual obligations on the sub-processor substantially the same as those imposed on Vaultneur under this DPA to the extent applicable to the nature of the services provided by such sub-processor. Vaultneur remains liable for its sub-processors' performance under this DPA to the same extent Vaultneur is liable for its own performance.
Vaultneur will provide Users with at least ten (10) days' written notice of new sub-processors before authorizing such sub-processor(s) to Process User Personal Data in connection with the provision of the Services. Vaultneur will notify User at the email address provided in the signature block of this DPA for purposes of this notification. The sub-processor agreements to be provided under Section 5(j) of the EU SCCs may have all commercial information, or provisions unrelated to the EU SCCs, redacted prior to sharing with User, and User agrees that such copies will be provided only upon written request.
User may object to Vaultneur's use of a new sub-processor on reasonable grounds relating to the protection of User Personal Data by notifying Vaultneur promptly in writing within ten (10) business days after receipt of Vaultneur's notice in accordance with the mechanism set out in Section 5.2. In its notification, User will explain its reasonable grounds for objection. In the event User objects to a new sub-processor, Vaultneur will use commercially reasonable efforts to make available to User a change in the Services or recommend a commercially reasonable change to User's configuration or use of the Services to avoid Processing of User Personal Data by the objected-to new sub-processor without unreasonably burdening User. If Vaultneur is unable to make available such change within a reasonable period of time, which will not exceed thirty (30) days, either Party may terminate without penalty the Processing of User Personal Data and/or the Agreement with respect only to those services which cannot be provided by Vaultneur without the use of the objected-to new sub-processor by providing written notice to the other Party.
Vaultneur will provide reasonable assistance to User regarding User's compliance with its security obligations under Applicable Law relevant to Vaultneur's role in Processing User Personal Data, taking into account the nature of Processing and the information available to Vaultneur, by implementing the technical and organizational measures set forth in Schedule 2, without prejudice to Vaultneur's right to make future replacements or updates to the measures that do not materially lower the level of protection of User Personal Data. Vaultneur will ensure that the persons Vaultneur authorizes to Process the User Personal Data are subject to written confidentiality agreements or are under an appropriate statutory obligation of confidentiality no less protective than the confidentiality obligations set forth in the Agreement.
Vaultneur will comply with the Personal Data Breach-related obligations directly applicable to it under Applicable Law. Taking into account the nature of Processing and the information available to Vaultneur, Vaultneur will inform User of a substantiated Personal Data Breach without undue delay or within the time period required under Applicable Law, and in any event no later than seventy-two (72) hours following such substantiation.
Note on the effect of encryption in a breach: Where a breach involves encrypted User Personal Data, the risk to data subjects is significantly reduced by our zero-knowledge architecture. Encrypted data accessed without the corresponding decryption keys (which Vaultneur does not hold) remains protected by AES-256-GCM encryption.
Vaultneur will notify User at the email address provided in the signature block of this DPA for purposes of Personal Data Breach notifications. Any such notification is not an acknowledgement of fault or responsibility. This notification will include Vaultneur's then-current assessment of the following information, to the extent available, which may be based on incomplete information:
Vaultneur will provide timely and periodic updates to User as additional information regarding the Personal Data Breach becomes available. User is solely responsible for complying with legal requirements for incident notification applicable to User and fulfilling any third-party notification obligations related to any Personal Data Breach. Nothing in this DPA or in the Standard Contractual Clauses will be construed to require Vaultneur to violate, or delay compliance with, any legal obligation it may have with respect to a Personal Data Breach or other security incidents generally.
To the extent legally permitted, Vaultneur will without undue delay notify User if Vaultneur receives any request from an individual seeking to exercise any right afforded to them under Applicable Law regarding their Personal Data (a "Data Subject Request"). To the extent User, in its use of the Services, does not have the ability to address a Data Subject Request, Vaultneur will, upon User's request, take commercially reasonable efforts to assist User in responding to such Data Subject Request, to the extent Vaultneur is legally permitted to do so and the response to such Data Subject Request is required under Applicable Law.
Note on zero-knowledge implications: Because of our zero-knowledge design, we cannot access, retrieve, modify or delete the plaintext content of your encrypted vault data without your cooperation, as we do not hold the decryption keys. Requests that require access to or modification of vault content must be carried out through your own account using your authentication credentials.
Upon User's written request, Vaultneur will provide User with reasonable cooperation and assistance as needed and appropriate to fulfill User's obligations under Applicable Law to carry out a data protection impact assessment related to User's use of the Services. Vaultneur will provide reasonable assistance to User in the cooperation or prior consultation with the Supervisory Authority (as defined under the GDPR) in the performance of its tasks relating to the data protection impact assessment, and to the extent required under the Applicable Law.
User authorizes Vaultneur and its sub-processors to make international transfers of the User Personal Data in accordance with this DPA so long as Applicable Law for such transfers is respected.
With respect to User Personal Data transferred from the EEA, the EU SCCs will apply and form part of this DPA, unless the European Commission issues updates to the EU SCCs, in which case the updated EU SCCs will control. Undefined capitalized terms used in this provision will have the meanings given to them (or their functional equivalents) in the definitions in the EU SCCs. For purposes of the EU SCCs, they will be deemed completed as follows:
With respect to User Personal Data transferred from the United Kingdom for which the law of the United Kingdom (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, the UK SCCs form part of this DPA and take precedence over the rest of this DPA as set forth in the UK SCCs, unless the United Kingdom issues updates to the UK SCCs, in which case the updated UK SCCs will control. Undefined capitalized terms used in this provision will have the meanings given to them (or their functional equivalents) in the definitions in the UK SCCs. For purposes of the UK SCCs, they will be deemed completed as follows:
With respect to User Personal Data transferred from Switzerland for which Swiss law (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, the EU SCCs will apply and will be deemed to have the following differences to the extent required by the Swiss Federal Act on Data Protection ("FADP"):
Except where the Standard Contractual Clauses (or Applicable Law) require a specific governing law for the international transfer of Personal Data — in which case that law applies solely to those transfer mechanisms — this DPA is governed by the laws of the Republic of South Africa, consistent with the governing law of the Agreement. The governing-law and jurisdiction selections made above in respect of the EU SCCs and UK SCCs apply only to those clauses and the transfers they govern, and do not alter the governing law of the Agreement or the remainder of this DPA.
Vaultneur will make available to User the information reasonably necessary to demonstrate compliance with this DPA and the obligations of a processor under Applicable Law and the Standard Contractual Clauses. The Parties agree that this obligation will ordinarily be satisfied by Vaultneur providing, on User's written request and no more than once per year, (i) a description of the technical and organizational measures set out in Schedule 2, and (ii) where available, the then-current security or compliance reports of Vaultneur's sub-processors (for example, Supabase), which underpin the security of the Services.
An on-site audit or inspection will only take place where (i) the information described above is insufficient to demonstrate compliance, (ii) User is required to carry out such an audit by a supervisory authority or under Applicable Law, or (iii) there has been a substantiated Personal Data Breach affecting User's data. In that event, User will give Vaultneur at least thirty (30) days' prior written notice, the audit will be conducted during business hours, no more than once per year, in a manner that minimizes disruption, and will not exceed one (1) business day. User will bear its own costs and Vaultneur's reasonable costs of the audit, and User will not access any data or Confidential Information of other Users.
If Vaultneur is legally compelled by a court or other government authority to disclose User Personal Data, then to the extent permitted by law, Vaultneur will promptly provide User with sufficient notice of all available details of the legal requirement and reasonably cooperate with User's efforts to challenge the disclosure, seek an appropriate protective order, or pursue such other legal action, as Vaultneur deems appropriate.
Note: Because of our encryption architecture, we are technically unable to provide the plaintext content of your encrypted data in response to legal process, as we do not hold the decryption keys. Any compelled disclosure would be limited to encrypted data, metadata and account information that we are able to access.
Upon termination of the Agreement and written request from User, Vaultneur will delete or anonymize User Personal Data, unless prohibited by Applicable Law. Notwithstanding the foregoing, nothing will oblige Vaultneur to delete or anonymize User Personal Data from files created for security, backup and business continuity purposes sooner than required by Vaultneur's data retention processes. Any User Personal Data that may be retained beyond the duration of the Agreement will still be protected in accordance with this DPA and Vaultneur shall not process such User Personal Data except as strictly permitted under Applicable Law.
This DPA replaces any existing data processing addendum the Parties may have previously entered into in connection with the Agreement. In the event of a conflict between the terms of the Agreement and this DPA, the terms of the DPA will apply. In the event of a conflict between this DPA and the applicable Standard Contractual Clauses, the Standard Contractual Clauses will apply.
Module Two: Transfer Controller to Processor. Module Three: Transfer Processor to Processor.
Data exporter(s):
Data importer(s):
Data subjects whose Personal Data is uploaded by the data exporter to, or otherwise provided to Vaultneur through, the Services. This includes individual users of the vault application and, where applicable, their designated emergency contacts or family vault members.
The data exporter may transfer Personal Data to Vaultneur, the extent of which is determined and controlled by the data exporter in its sole discretion. This data falls into two categories:
Encrypted vault data (stored and processed in encrypted form only; Vaultneur cannot access the plaintext):
Account and metadata (accessible to Vaultneur):
Note on processing limitations: Because of our zero-knowledge encryption, all vault content — including document contents, filenames, file types, record titles, fields, notes and attachments — is encrypted on your device before it reaches us and remains encrypted on our systems. We do not hold the keys needed to decrypt it.
The Services are designed to let Users store sensitive personal information, including health data, financial records and identification documents. All such data is encrypted on your device using AES-256-GCM before it is transmitted to our infrastructure. The safeguards that apply are:
Continuously, for the duration of the Agreement, whenever Users upload documents or create or modify records through the application.
User Personal Data is processed in order to: receive and store encrypted data; maintain encrypted database records and metadata; authenticate users and manage accounts; synchronize encrypted vault data across a user's devices; manage subscriptions; maintain encrypted backups; and comply with applicable law. All processing of vault content occurs in encrypted form only.
User Personal Data is retained for as long as necessary to provide the Services under the Agreement and in accordance with Vaultneur's data retention processes and applicable law. On account deletion, vault data, records, recovery data and the account are removed. Encrypted copies in backups are retained only as long as required by our backup processes before being overwritten.
Supabase — provides authentication, database and storage infrastructure. It stores encrypted vault data, hashed account credentials and metadata, and enforces row-level security. It processes this data for as long as needed for Vaultneur to provide the Services. Supabase only ever handles encrypted (ciphertext) vault data and cannot read its content.
RevenueCat — provides subscription and entitlement management. It receives an account identifier and entitlement status (for example, Free or Pro) and does not receive any vault content or documents. It processes this data for as long as needed for Vaultneur to provide the Services.
The Parties will follow the rules for identifying the competent supervisory authority under Section 13 of the EU SCCs and, to the extent legally permissible, select the Irish Data Protection Commission for transfers governed by the GDPR, and the Information Commissioner's Office (ICO) for transfers governed by UK data protection law.
This Schedule describes the technical and organizational measures Vaultneur has implemented to protect User Personal Data, taking into account the nature, scope and purpose of the processing and the risks involved.
The core of our security model is that all substantive User Personal Data is encrypted on the user's device before it is transmitted to our infrastructure. We do not hold any key capable of decrypting your vault content.
Document contents, filenames and file types; all record fields and titles; notes, tags and attachments; signature images; and emergency QR data are all encrypted on the device before transmission.
Vaultneur does not operate its own data centers. Hosting is provided by Supabase, and the physical and environmental security of the underlying infrastructure is managed by that provider and its own underlying hosting providers.
Before engaging a sub-processor that may have access to User Data, Vaultneur reviews the sub-processor's security and privacy practices and enters into a written agreement imposing data protection and security obligations appropriate to the data involved. Our current sub-processors are Supabase (which only ever handles encrypted vault data) and RevenueCat (which handles only subscription data and no vault content).
End of Data Processing Addendum.
For questions regarding this Data Processing Addendum, please contact [email protected].
Vaultneur PTY LTD, Pretoria, Gauteng, South Africa. Version 2.0 (zero-knowledge architecture), effective 22 May 2026.