Data Processing Agreement
This Data Processing Agreement ("DPA") is entered into between:
Inovacijų dialogas, MB, a company incorporated in Lithuania (company registration number 306672068, VAT number LT100016637613), with registered address at P. Vileišio g. 15-25, LT-10306 Vilnius, Lithuania, operating the Vantemo platform ("Processor", "Vantemo")
and
the merchant entity or individual that has accepted this DPA by checking the acceptance box during registration or account setup ("Controller", "Merchant").
Together referred to as the "Parties".
For the DPA version history, see the DPA Changelog.
Recitals
(A) The Controller operates an online store using the Vantemo platform and, in doing so, collects and processes personal data of its end-customers.
(B) The Processor provides the technical infrastructure and software through which the Controller's online store operates, and in doing so processes personal data on behalf of and under the instructions of the Controller.
(C) The Parties wish to set out in this DPA the terms under which the Processor will process personal data on behalf of the Controller, in accordance with Article 28 of Regulation (EU) 2016/679 ("GDPR").
(D) This DPA forms part of, and is incorporated into, the Terms of Service between the Parties. In the event of conflict between this DPA and the Terms of Service on matters of data protection, this DPA shall prevail.
Article 1 — Definitions
1.1 The following terms have the meanings given to them in the GDPR: "personal data", "processing", "data subject", "controller", "processor", "personal data breach", "supervisory authority", "special categories of personal data".
1.2 "Applicable Data Protection Law" means the GDPR together with any national implementing legislation in the country of establishment of either Party, and any other applicable data protection laws and regulations as amended from time to time.
1.3 "Controller Personal Data" means personal data processed by the Processor under this DPA on behalf of the Controller, as further described in Annex A.
1.4 "Services" means the Vantemo e-commerce platform and all related features and services provided under the Terms of Service.
1.5 "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Controller Personal Data transmitted, stored, or otherwise processed by the Processor.
1.6 "Sub-processor" means any third party engaged by the Processor to process Controller Personal Data on the Processor's behalf.
Article 2 — Scope and Purpose
2.1 This DPA applies to the processing of Controller Personal Data by the Processor in connection with providing the Services to the Controller.
2.2 The details of the processing are set out in Annex A, including the subject matter, nature and purpose of processing, data subject categories, and personal data categories.
2.3 Nothing in this DPA relieves the Controller of its own obligations as a Data Controller under Applicable Data Protection Law.
Article 3 — Controller Obligations
3.1 Lawful basis. The Controller confirms that it has a valid lawful basis under Applicable Data Protection Law for each processing activity it instructs the Processor to carry out, and that all processing instructions it provides are lawful.
3.2 Instructions. The Controller's instructions to the Processor are set out in this DPA and the Terms of Service, supplemented by any written instructions provided from time to time. The Controller shall not instruct the Processor to process Controller Personal Data in a manner that would violate Applicable Data Protection Law.
3.3 Privacy notices. The Controller is responsible for providing appropriate privacy notices to its end-customers, obtaining any required consents, and maintaining records of processing activities as required by GDPR Art. 30.
3.4 Special categories. The Controller shall not use the Services to process special categories of personal data (GDPR Art. 9) without prior written agreement with the Processor setting out the additional measures to be implemented. The Processor does not accept special category data by default and is not liable for any special category data submitted without such agreement.
Article 4 — Processor Obligations
4.1 Processing on instructions only. The Processor shall process Controller Personal Data only on the documented instructions of the Controller, as set out in this DPA and the Terms of Service, unless required to do so by EU or member state law applicable to the Processor. In such case, the Processor shall inform the Controller before processing, unless that law prohibits such information.
4.2 Confidentiality. The Processor shall ensure that persons authorised to process the Controller Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3 Security. The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR and Article 6 of this DPA; the specific measures are described in Annex C.
4.4 Sub-processors. The Processor shall engage sub-processors only in accordance with Article 5 of this DPA.
4.5 Data subject rights. The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests in accordance with Article 8.
4.6 Deletion and return. The Processor shall delete or return Controller Personal Data on termination in accordance with Article 9.
4.7 Audit. The Processor shall make available to the Controller all information necessary to demonstrate compliance with this Article, and allow for and contribute to audits in accordance with Article 10.
4.8 Notification of unlawful instructions. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes Applicable Data Protection Law.
Article 5 — Sub-processors
5.1 General authorisation. The Controller grants the Processor general authorisation to engage sub-processors, subject to the conditions in this Article. The current list of approved sub-processors is available at vantemo.com/sub-processors and in Annex B of this DPA.
5.2 Change notification. Before engaging a new sub-processor or making a material change to an existing sub-processor arrangement, the Processor shall provide the Controller with at least 30 days' advance written notice by email.
5.3 Right to object. The Controller may object to the addition of a new sub-processor within 30 days of receiving the notice. An objection must be made in writing to [email protected] and must set out the reasonable grounds for the objection. The Parties shall negotiate in good faith to resolve the objection. If the objection cannot be resolved, the Controller may terminate the relevant Services without penalty.
5.4 Flow-down obligations. The Processor shall impose data protection obligations on each sub-processor that are equivalent to those set out in this DPA. The Processor remains fully liable to the Controller for the acts and omissions of its sub-processors.
5.5 Existing sub-processors. The sub-processors listed in Annex B are approved as of the DPA effective date.
Article 6 — Security of Processing
6.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
The specific measures implemented are described in Annex C.
Article 7 — Personal Data Breach
7.1 Processor notification. In the event of a Security Incident affecting Controller Personal Data, the Processor shall notify the Controller without undue delay and in any event within 48 hours of becoming aware of the Security Incident.
7.2 Content of notification. The notification shall include, to the extent known at the time: (a) the nature of the Security Incident, including categories and approximate number of data subjects and records affected; (b) the Processor's privacy contact ([email protected]); (c) likely consequences of the Security Incident; (d) measures taken or proposed to address the incident and mitigate its effects.
7.3 Staged notification. Where all required information is not available at the time of initial notification, the Processor shall provide the information in stages as it becomes available, without further undue delay.
7.4 Controller's responsibility. The Controller (as Data Controller) is solely responsible for: (a) assessing whether the Security Incident must be reported to the relevant supervisory authority under Art. 33 GDPR within 72 hours — the Controller acknowledges that the 72-hour clock begins from the moment the Controller becomes aware of the incident, which may coincide with receipt of the Processor's notification; (b) communicating the incident to affected data subjects where required under Art. 34 GDPR; (c) all related decisions and actions vis-à-vis the supervisory authority and data subjects. The Processor's lead supervisory authority is the State Data Protection Inspectorate (VDAI), A. Juozapavičiaus g. 6, LT-09310 Vilnius ([email protected]).
7.5 Cooperation. The Processor shall cooperate fully with the Controller in investigating, mitigating, and remediating any Security Incident.
7.6 No acknowledgement of fault. The Processor's notification of a Security Incident shall not constitute an acknowledgement of fault or liability.
Article 8 — Data Subject Rights
8.1 Assistance. The Processor shall assist the Controller, by appropriate technical and organisational measures, in fulfilling the Controller's obligations to respond to requests from data subjects exercising their rights under Chapter III GDPR (including rights of access, rectification, erasure, restriction, portability, and objection).
8.2 Passing on requests. If the Processor receives a data subject request directly from an end-customer relating to Controller Personal Data, the Processor shall: (a) notify the Controller without undue delay; (b) not respond to the data subject directly, except to acknowledge receipt and to direct the data subject to the Controller; and (c) reasonably cooperate with the Controller to assist in its response.
8.3 Timeline for assistance. The Processor shall provide assistance requested under Article 8.1 within 10 business days of receiving the Controller's written request, or such shorter period as is necessary to enable the Controller to meet its obligations under Art. 12 GDPR (one month from the data subject's request).
8.4 Costs. The Processor may charge a reasonable fee for assistance under this Article where such assistance requires significant effort beyond the standard functionality of the Services.
Article 9 — Deletion and Return of Personal Data
9.1 On termination. On termination of the Terms of Service for any reason, or on written request from the Controller, the Processor shall, at the Controller's election: (a) return to the Controller a copy of all Controller Personal Data in a machine-readable format; or (b) securely delete all Controller Personal Data and certify such deletion in writing.
9.2 Timeline. The Processor shall complete the return or deletion within 30 days of the termination date or request.
9.3 Legal retention exception. Notwithstanding Article 9.1, the Processor may retain Controller Personal Data to the extent, and for the period, required by applicable EU or member state law (including Lithuanian accounting law requiring 10-year retention of financial records). Such retained data shall be anonymised to the extent possible and processed for no other purpose.
9.4 Sub-processor deletion. The Processor shall procure that all sub-processors delete or return Controller Personal Data in accordance with this Article.
Article 10 — Audit Rights
10.1 Information. The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations in this DPA and Art. 28 GDPR.
10.2 Audit. The Processor shall allow for, and contribute to, audits and inspections conducted by the Controller or an auditor mandated by the Controller, provided that: (a) the Controller provides at least 30 days' advance written notice; (b) audits are conducted during normal business hours with minimal disruption; (c) the auditor is subject to confidentiality obligations; (d) no more than one audit per 12-month period is conducted unless a Security Incident has occurred.
10.3 Costs. The Controller shall bear all costs of the audit unless the audit reveals material non-compliance by the Processor, in which case the Processor shall bear reasonable audit costs.
Article 11 — Liability
11.1 Each Party's liability to the other under or in connection with this DPA shall be subject to the same limitations and exclusions of liability as set out in the Terms of Service, unless otherwise stated in this Article.
11.2 Processor liability. The Processor shall be liable to the Controller for damages caused by processing in breach of this DPA where the Processor has not complied with its obligations under Applicable Data Protection Law or under this DPA that are specifically directed to the Processor.
11.3 Controller liability. The Controller shall be liable to the Processor for damages caused by processing in breach of this DPA or Applicable Data Protection Law where the Controller has acted outside or contrary to its lawful instructions under this DPA, or where the damage was caused by the Controller's failure to fulfil its obligations as a Controller.
11.4 Indemnity. The Controller shall indemnify and hold harmless the Processor against regulatory fines, penalties, claims, damages, costs, and expenses arising from: (a) the Controller's failure to have a lawful basis for processing; (b) the Controller's breach of its obligations under Article 3; (c) any inaccurate, incomplete, or unlawful data submitted by the Controller to the Services.
11.5 Regulatory fines. Where a supervisory authority imposes a fine, each Party shall bear responsibility for its own failures. The Processor shall not be liable for fines arising from the Controller's failures, and vice versa.
11.6 Cap on liability. The Processor's total liability to the Controller under this DPA shall not exceed the total fees paid by the Controller to Vantemo in the 12 months immediately preceding the event giving rise to the claim.
11.7 Exclusions. Nothing in this DPA limits either Party's liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; (c) any liability that cannot be limited by applicable law.
Article 12 — Term and Termination
12.1 Term. This DPA is effective from the date the Controller accepts it (by checking the acceptance box during registration) and remains in force until the Terms of Service terminate.
12.2 Effect of termination. On termination, the Processor's obligations to process Controller Personal Data under this DPA cease, subject to Article 9 and Article 12.3.
12.3 Survival. Articles 1, 9, 10 (for 12 months post-termination), 11, and 13 survive termination.
Article 13 — General Provisions
13.1 Entire agreement. This DPA, together with its Annexes and the Terms of Service, constitutes the entire agreement between the Parties with respect to the subject matter hereof.
13.2 Amendments. The Processor may amend this DPA by providing the Controller with at least 30 days' advance written notice. For amendments that materially increase the Controller's obligations or materially reduce the Processor's obligations, the Controller may terminate the Terms of Service without penalty within 30 days of the amendment taking effect. See the DPA Changelog for all versions.
13.3 Severability. If any provision of this DPA is found to be invalid or unenforceable, that provision shall be modified to the minimum extent necessary, and the remaining provisions shall continue in full force.
13.4 Governing law. This DPA is governed by the laws of the Republic of Lithuania, without regard to conflict of law principles.
13.5 Jurisdiction. Disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of Vilnius, Lithuania, except that either Party may seek interim injunctive relief in any court of competent jurisdiction.
13.6 Language. This DPA is drafted in English. In the event of any inconsistency between the English version and any translation, the English version shall prevail.
Article 14 — International Data Transfers
14.1 Primary processing location. The Processor processes Controller Personal Data on servers located within the European Union (Lithuania). No international transfer of Controller Personal Data to third countries occurs through the Processor's own infrastructure.
14.2 Sub-processor transfers. Certain approved sub-processors (listed in Annex B) are located in, or transfer data to, countries outside the European Economic Area, including the United States. Where such transfers occur, the Processor ensures that adequate safeguards are in place in accordance with Chapter V GDPR.
14.3 Transfer mechanisms. The following mechanisms are used to protect personal data transferred to third countries:
| Sub-processor | Country | Transfer mechanism |
|---|---|---|
| Stripe Inc. | USA | EU-US Data Privacy Framework (DPF) + Standard Contractual Clauses (Module 3) |
| Amazon Web Services (SES) | USA | EU-US Data Privacy Framework (DPF) + Standard Contractual Clauses (Module 3) |
| Cloudflare Inc. | USA | EU-US Data Privacy Framework (DPF) + Standard Contractual Clauses (Module 3) |
| PostHog Inc. | USA | Standard Contractual Clauses (Module 3) |
14.4 SCC incorporation. Where Standard Contractual Clauses are used, the relevant module of the SCCs adopted by the European Commission (Commission Implementing Decision 2021/914) is incorporated by reference into the sub-processor agreements. The Processor maintains signed SCCs with all US sub-processors and will provide copies on request to [email protected].
14.5 Transfer Impact Assessments. The Processor has conducted Transfer Impact Assessments for all third-country sub-processors in accordance with EDPB Recommendations 01/2020. Copies are available on request.
14.6 Change notification. If the Processor adds a new sub-processor involving an international transfer, the Controller will be notified in accordance with Article 5.2 (30-day advance notice).
Annex A — Details of Processing
A.1 Subject matter
The Processor processes personal data in connection with operating the Controller's online store on the Vantemo platform, including order management, payment processing, customer communications, and storefront delivery.
A.2 Nature and purpose
| Purpose | Nature of processing |
|---|---|
| Operating the storefront | Storage, retrieval, display of product and order data |
| Order processing | Collection, storage, transmission to payment processors |
| Customer session management | Storage of session identifiers in Redis (short TTL) |
| Transactional email | Transmission via AWS SES (order confirmations, shipping notifications) |
| Fraud and security | Analysis of IP addresses, login patterns, rate limiting |
| Analytics | Aggregation and reporting of store performance metrics |
A.3 Duration
For the duration of the Terms of Service, and thereafter in accordance with Article 9.
A.4 Categories of data subjects
- End-customers of the Controller's online store
- Visitors to the Controller's storefront (non-purchasing)
A.5 Categories of personal data
| Category | Examples |
|---|---|
| Identity data | First name, last name |
| Contact data | Email address, phone number |
| Delivery data | Shipping address (street, city, postal code, country) |
| Transaction data | Order contents, quantities, prices, payment reference |
| Technical data | IP address, session identifier, browser/device type |
| Communication data | Order confirmation emails, shipping notifications |
The Controller determines which specific data it collects. The Processor processes whatever data the Controller's store configuration directs it to collect.
A.6 Special categories
None are processed by default. Processing of special categories requires prior written agreement under Article 3.4.
A.7 Processing location
Controller Personal Data is processed on servers located within the European Union. Sub-processors may process data in other jurisdictions as listed at vantemo.com/sub-processors.
Annex B — Approved Sub-processors
The following sub-processors are approved as of the DPA effective date. The Controller is deemed to have approved this list by accepting this DPA at signup. The always-current list is maintained at vantemo.com/sub-processors.
| Sub-processor | Country | Purpose | Transfer mechanism |
|---|---|---|---|
| Stripe Inc. | USA | Payment processing infrastructure | EU-US DPF + SCCs |
| Amazon Web Services (SES) | USA | Transactional email delivery | EU-US DPF + SCCs |
| Cloudflare Inc. | USA | CDN, DDoS protection, TLS termination | EU-US DPF + SCCs |
| PostHog Inc. | USA | Platform-level product analytics | SCCs |
| Hostinger | Lithuania / EU | VPS infrastructure — primary data hosting | EU-based; no transfer |
Annex C — Technical and Organisational Security Measures
C.1 Data in transit
All data transmitted between end-users, merchants, and Vantemo servers is encrypted using TLS 1.2 or higher. All endpoints are HTTPS-only; HTTP requests are automatically redirected to HTTPS.
C.2 Data at rest
Sensitive fields (API tokens, access tokens, secrets) are encrypted at rest. Passwords are stored exclusively as bcrypt hashes — plaintext passwords are never stored or logged.
C.3 Access controls
- Access to production systems is restricted to authorised personnel only
- Multi-factor authentication is required for all administrative access
- Principle of least privilege: personnel have access only to what is needed for their role
- Access is reviewed and revoked promptly on personnel changes
C.4 Authentication and session security
- Admin sessions use cookies with the HttpOnly, Secure, and SameSite=Strict attributes
- Session tokens are stored in Redis with a fixed TTL
- Brute-force protection and rate limiting on all authentication endpoints
- Automatic session invalidation on logout and after periods of inactivity
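The C.1 redirect and C.4 cookie attributes are the kind of claim a Controller exercising its Article 10 information right can verify from raw HTTP responses without access to the Processor's systems. The following is an added illustration, not Vantemo's code and not a capture from vantemo.com: both responses below are constructed samples, the host name `shop.example` is hypothetical, and the second cookie is deliberately written without HttpOnly and SameSite so the check has something to report.

```python
"""Offline checks for the Annex C.1 (HTTP->HTTPS redirect) and C.4 (session
cookie attributes) claims, run against raw HTTP/1.x response heads.

Added example. The responses below are constructed samples, not captures
from any real host; 'shop.example' is a hypothetical storefront host.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class CookieCheck:
    name: str
    missing: list[str] = field(default_factory=list)  # attributes C.4 names but the cookie lacks

    @property
    def compliant(self) -> bool:
        return not self.missing


def parse_response(raw: bytes) -> tuple[int, list[tuple[str, str]]]:
    """Split a raw response head into (status_code, [(lowercased name, value), ...]).

    Duplicate headers (several Set-Cookie lines) are kept in order.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ")[1])
    headers = []
    for line in header_lines:
        if not line:
            continue
        name, _, value = line.partition(":")  # first colon only, so URLs in values survive
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def check_set_cookie(value: str) -> CookieCheck:
    """Evaluate one Set-Cookie value against the Annex C.4 attribute list."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower() if val else None
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if "secure" not in attrs:
        missing.append("Secure")
    if attrs.get("samesite") != "strict":  # Lax or absent both fail the C.4 wording
        missing.append("SameSite=Strict")
    return CookieCheck(name, missing)


def audit_cookies(raw: bytes) -> list[CookieCheck]:
    """Run check_set_cookie over every Set-Cookie header in a response."""
    _, headers = parse_response(raw)
    return [check_set_cookie(v) for k, v in headers if k == "set-cookie"]


def check_https_redirect(raw: bytes, expected_host: str) -> bool:
    """True if a plain-HTTP response redirects to https:// on the same host (C.1)."""
    status, headers = parse_response(raw)
    if status not in (301, 302, 307, 308):
        return False
    location = next((v for k, v in headers if k == "location"), None)
    if location is None:
        return False
    url = urlsplit(location)
    return url.scheme == "https" and url.hostname == expected_host


# Constructed sample responses (hypothetical host, not real captures).
HTTP_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://shop.example/admin/login\r\n"
    b"Content-Length: 0\r\n\r\n"
)
ADMIN_LOGIN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: admin_session=9f2c0d7e; Path=/; HttpOnly; Secure; SameSite=Strict\r\n"
    b"Set-Cookie: legacy_session=0042; Path=/; Secure\r\n"  # constructed non-compliant cookie
    b"Content-Type: text/html\r\n\r\n"
)

if __name__ == "__main__":
    print("HTTP->HTTPS redirect OK:", check_https_redirect(HTTP_RESPONSE, "shop.example"))
    for c in audit_cookies(ADMIN_LOGIN_RESPONSE):
        print(f"{c.name}: {'OK' if c.compliant else 'missing ' + ', '.join(c.missing)}")
```

The checker deliberately treats `SameSite=Lax` as a failure, because C.4 commits to Strict; a real audit would feed it the response heads captured from the admin login flow rather than the constructed samples.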
C.5 Audit logging
All administrative actions are logged with timestamp, user identity, and IP address. Audit logs are retained for 12 months and are tamper-evident.
C.6 Vulnerability management
- Dependencies are monitored for known vulnerabilities
- Security patches are applied on a risk-prioritised basis
- Regular security reviews are conducted internally
C.7 Incident response
The Processor maintains an internal incident response procedure. On discovery of a Security Incident, the Processor will: contain the incident, assess its scope and impact, notify the Controller in accordance with Article 7, and remediate the root cause.
C.8 Business continuity
The Processor maintains regular backups of all Controller Personal Data. Backups are encrypted and stored separately from primary data. Recovery procedures are tested periodically.
Contact [email protected] with questions about this DPA.