Data Processing Agreement
Standard DPA governing the processing of personal data by VibeCoded on behalf of customers.
Version 2.1 — Effective 1 January 2026
1. Definitions
“Agreement” means this Data Processing Agreement and any schedules. “Controller” means the VibeCoded customer (you). “Processor” means VibeCoded Ltd. “Personal Data” and “Processing” have the meanings given in GDPR (Regulation (EU) 2016/679).
2. Subject Matter and Duration
VibeCoded will process Personal Data on behalf of the Controller for the purpose of providing the VibeCoded platform as described in the main subscription agreement. Processing will continue for the term of the subscription and for 90 days thereafter to allow for data export.
3. Nature and Purpose of Processing
VibeCoded processes Personal Data to provide the features of the platform including project management, workflow automation, analytics, and collaboration tools. Personal Data may include names, email addresses, and any data uploaded by the Controller to the platform.
4. Controller Obligations
The Controller warrants that it has a lawful basis for providing Personal Data to VibeCoded, that it has notified relevant data subjects of the processing, and that it complies with applicable data protection laws.
5. Processor Obligations
VibeCoded shall:
- Process Personal Data only on documented instructions from the Controller.
- Ensure that personnel authorised to process the data are bound by confidentiality obligations.
- Implement appropriate technical and organisational security measures.
- Assist the Controller in fulfilling data subject rights requests.
- Delete or return Personal Data upon termination of the agreement.
- Provide all information necessary to demonstrate compliance with this DPA.
6. Sub-processors
VibeCoded may engage sub-processors to assist in providing the Service. VibeCoded will inform the Controller of any intended changes to sub-processors with at least 30 days’ notice. The Controller may reasonably object to a new sub-processor within 14 days of notification.
7. Security Measures
VibeCoded implements the following technical and organisational measures: AES-256 encryption at rest; TLS 1.3 encryption in transit; access controls and least-privilege principles; annual penetration testing; SOC 2 Type II certification; and incident response procedures.
8. Data Breach Notification
VibeCoded will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting the Controller’s data.
9. International Transfers
Where Personal Data is transferred outside the EEA, VibeCoded will rely on Standard Contractual Clauses or other appropriate transfer mechanisms.
10. Governing Law
This DPA is governed by the laws of Ireland and forms part of the main subscription agreement between the parties.
To execute this DPA or request a countersigned copy, please email legal@vibecoded.example.