Last updated: May 28, 2026

1. Scope and Roles

This Data Processing Agreement ("DPA") is entered into between you (the "Controller") and Vaizy B.V. (the "Processor"), and forms part of the Terms of Service. The Controller determines the purposes and means of processing personal data. Vaizy acts as a Processor, processing personal data only to operate the Service and only on documented instructions from the Controller.

2. Subject Matter and Duration

Subject matter: Processing of personal data submitted to the Vaizy platform in connection with the Service, including project records, team data, financial entries, risk data, and AI conversation inputs. Duration: This DPA is in effect for the duration of the Terms of Service and until all personal data has been deleted or returned.

3. Nature and Purpose of Processing

Processing activities include:
— Storage and retrieval of project, milestone, team, financial, and risk data in Supabase (PostgreSQL)
— AI-assisted processing: user prompts and project context sent to OpenAI's GPT-4 via Supabase Edge Function for AI assistant responses
— Authentication and access control via Supabase Auth
— Usage and performance analytics via PostHog
— Security monitoring, audit logging, and system operations
— Communication via transactional email (SMTP)

4. Categories of Data Subjects

Personal data may relate to the following categories of data subjects:
— The Controller's employees and contractors who are granted access to the platform
— Project stakeholders and team members whose data is entered into the platform
— Any other individuals whose personal data the Controller submits to the Service

5. Types of Personal Data

Personal data processed may include:
— Identifiers: name, email address, job title
— Account data: authentication credentials, profile information
— Operational data: project records, milestone status, team assignments, cost rates, weekly hours, financial entries, risk records
— AI interaction data: prompts, context, and conversation history submitted to the AI assistant
— Usage and log data: access timestamps, IP addresses, authentication events

6. Processor Obligations

Vaizy shall:
— Process personal data only on documented instructions from the Controller (these Terms and this DPA constitute such instructions)
— Ensure that personnel with access to personal data are subject to appropriate confidentiality obligations
— Implement appropriate technical and organisational measures to protect personal data (see Section 9)
— Not engage subprocessors without the Controller's prior authorisation (general authorisation is granted under Section 7)
— Assist the Controller with GDPR obligations including data subject rights, DPIAs, and breach notification
— Notify the Controller without undue delay upon becoming aware of a personal data breach
— Delete or return all personal data upon termination of the agreement, at the Controller's choice

7. Subprocessors

The Controller grants Vaizy general authorisation to engage the following subprocessors:
— Supabase Inc. (database, authentication, edge functions, real-time): EU region
— OpenAI LLC (AI assistant processing): United States
— Hetzner Online GmbH (hosting and infrastructure): EU region (Germany), via Coolify
— PostHog Inc. (product analytics): EU region
— HubSpot Inc. (CRM and communications): United States
— Featurebase (in-app Help Center, support requests, and What's New changelog): EU, with EU SCCs where applicable

Vaizy ensures each subprocessor is bound by data protection obligations no less protective than those in this DPA. Vaizy will notify the Controller of any intended changes to subprocessors and provide 14 days to object. An updated subprocessor list is available on request at hello@vaizy.com.

8. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), Vaizy relies on:
— Standard Contractual Clauses (SCCs) as adopted by the European Commission (for transfers to OpenAI and HubSpot in the United States)
— Adequacy decisions where applicable

Vaizy selects EU-region infrastructure where available. Transfers to OpenAI occur server-side via Supabase Edge Functions and are subject to OpenAI's enterprise data processing terms.

9. Data Residency and Jurisdiction

Vaizy B.V. is a Dutch company incorporated and operating within the European Union. This has the following consequences for data sovereignty:

Data storage: All customer data is stored in Supabase infrastructure located in the EU region (Frankfurt). No customer data is stored in or transited through data centres outside the European Economic Area, except where Standard Contractual Clauses apply to limited subprocessor transfers (see Section 7).

Regulatory jurisdiction: Vaizy B.V. is subject to Dutch law and EU regulation, including the GDPR. It is not incorporated under the laws of the United States and is not directly subject to the US CLOUD Act (Clarifying Lawful Overseas Use of Data Act).

US CLOUD Act: The CLOUD Act permits US authorities to compel US-based companies to disclose data stored anywhere in the world. Because Vaizy B.V. is not a US entity and does not operate data infrastructure under US jurisdiction, this mechanism does not apply to customer data stored by Vaizy. Note: OpenAI LLC (a US entity) is engaged as a subprocessor for AI assistant processing under EU Standard Contractual Clauses. If Vaizy becomes aware of any legally binding government request affecting customer data, it will notify the Controller to the extent permitted by applicable law.

Governing authority: Any lawful access request for customer data held by Vaizy must be routed through applicable EU/Dutch legal process. Vaizy will challenge requests it considers unlawful or disproportionate to the extent permitted by law.

10. Technical and Organisational Measures

Vaizy implements the following security measures:
— Encryption in transit: TLS 1.2+ for all API and database connections
— Encryption at rest: Supabase-managed encryption for stored data
— Row Level Security (RLS): enforced on all database tables; users access only their own data
— Role-based access control (RBAC) within the application
— Multi-factor authentication (MFA/TOTP) support via Supabase Auth
— Server-side secret management: API keys stored in Supabase Edge Function secrets, never exposed to the browser
— Production hardening: console logs stripped from production builds; SECURITY DEFINER views removed
— Search path injection protection on all database functions
— Security headers: HSTS, X-Frame-Options DENY, X-Content-Type-Options nosniff
— Authentication event logging and monitoring
— Regular security reviews aligned with Supabase and Hetzner/Coolify platform updates

11. Data Subject Rights

Vaizy will assist the Controller in responding to data subject requests for access, rectification, erasure, portability, restriction, and objection within the timescales required by GDPR. Where technically feasible, self-service data deletion is available within the platform. For other requests, contact hello@vaizy.com.

12. Audits and Compliance Verification

Upon reasonable written request, Vaizy will provide information necessary to demonstrate compliance with this DPA. Audits by the Controller are permitted subject to: reasonable advance notice (minimum 30 days), agreement on scope and timing, confidentiality obligations, and reimbursement of Vaizy's reasonable costs. Audits must not disrupt normal operations.

13. Data Breach Notification

Upon becoming aware of a personal data breach, Vaizy will:
— Notify the Controller without undue delay (and where feasible within 72 hours)
— Provide relevant details including the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed
— Cooperate with the Controller's breach response obligations

14. Data Deletion and Return

Upon termination of the agreement, Vaizy will, at the Controller's election:
— Delete all personal data within 90 days of account closure, or
— Return personal data in a structured, machine-readable format

Vaizy may retain personal data only where required by applicable law, for the minimum period required.

15. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. Where both parties are liable for the same damage, liability is allocated in proportion to their respective responsibility.

16. Governing Law

This DPA is governed by the laws of the Netherlands. Disputes arising from this DPA shall be subject to the exclusive jurisdiction of the competent courts in Amsterdam, the Netherlands.

17. Contact

For DPA inquiries, data subject requests, subprocessor lists, or compliance verification requests:
Vaizy B.V.
hello@vaizy.com
vaizy.com/dpa