Data Processing Agreement
This Data Processing Agreement ("DPA") supplements our Terms of Use and applies to customers who transmit personal data to One Tap, Better Map for processing. It reflects the requirements of GDPR, the UK Data Protection Act 2018, and other global privacy regimes.
Last updated: January 15, 2025
1. Definitions
Terms such as "personal data," "processing," "controller," and "processor" have the meanings given in GDPR. "Customer" refers to the business entity entering into the Terms of Use. MVP HOUSE LTD. acts as the processor, and Customer acts as the controller for all business or lead information uploaded to the platform.
2. Scope of processing
We process personal data solely to provide the services described in the Terms, including:
- Running visibility scans and generating reports from Customer-supplied inputs.
- Storing contact details for authorized users.
- Sending transactional notifications and alerts.
- Facilitating payments through Stripe and maintaining subscription records.
No other processing will be performed unless documented in writing by the Customer.
3. Customer responsibilities
Customer is responsible for ensuring it has a lawful basis to collect and share personal data with us, for configuring retention settings, and for providing accurate instructions through the dashboard or written requests. Customer must promptly notify us if data uploaded to the service is subject to industry-specific rules (HIPAA, PCI, etc.) and agrees not to submit sensitive categories beyond what is necessary.
4. Processor obligations
- Process personal data only on documented instructions from Customer.
- Ensure confidentiality by binding employees and contractors to appropriate obligations.
- Implement technical & organizational measures such as encryption, access controls, logging, and regular penetration tests.
- Notify Customer without undue delay after becoming aware of a personal data breach.
- Assist Customer with data subject requests, DPIAs, and regulatory inquiries where feasible.
5. Sub-processors
Customer authorizes the use of the following sub-processors. We will provide 30 days' notice before adding or replacing any vendor so that you may object.
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Stripe, Inc. | Subscription billing, invoicing, payment method storage, SCA compliance | USA / EU | EU Standard Contractual Clauses, UK Addendum, PCI-DSS Level 1 |
| Vercel Inc. | Application hosting and edge caching | USA / EU | Standard Contractual Clauses, SOC 2 Type II |
| Supabase, Inc. | Authentication, managed Postgres database, file storage | EU (Frankfurt) + USA backup | Standard Contractual Clauses, encryption at rest |
| Plausible Insights OÜ | Privacy-friendly analytics | EU (Germany) | EU-based processing, no personal data |
6. International transfers
Where processing involves a transfer outside the UK or EEA, we rely on Standard Contractual Clauses approved by the European Commission, together with the UK International Data Transfer Addendum. Additional safeguards include encryption in transit, data minimization, and strict access controls.
7. Security measures
We maintain an information security program proportionate to the risks of processing. Measures include TLS 1.2+, encryption at rest, role-based access, regular vulnerability scanning, background checks for key personnel, and incident response procedures coordinated with Stripe for payment-related events.
8. Data subject requests
If we receive a request directly from a data subject, we will notify Customer without undue delay (unless legally prohibited). Customer authorizes us to respond by informing the requester to direct the inquiry to the controller. We will provide reasonable assistance so you can fulfil access, rectification, deletion, or portability obligations within statutory timelines.
9. Audit rights
Upon reasonable notice, Customer may request information necessary to demonstrate compliance with this DPA. We may satisfy this requirement through third-party reports (SOC 2, penetration tests) or virtual assessments. On-site audits are available once per year and subject to confidentiality and reimbursement of our reasonable costs.
10. Deletion or return
Within 30 days after account termination, Customer may export scan data via the dashboard or request secure deletion. We will delete remaining personal data (excluding legally required archives) within 90 days, unless lawfully required to retain it for tax, fraud-prevention, or dispute purposes.
11. Contact
MVP HOUSE LTD.
71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ