
Data Processing Agreement

Last updated: June 6, 2026

1. Definitions

"Controller" means the entity that determines the purposes and means of processing personal data (you, the customer).

"Processor" means VINCONY AI LTD (Company Number: 17047337), registered at 3rd Floor, 86-90 Paul Street, London EC2A 4NE, England, which processes personal data on behalf of the Controller.

"Sub-processor" means any third party engaged by the Processor to process personal data.

"Personal Data" means any information relating to an identified or identifiable natural person.

"Processing" means any operation performed on personal data, including collection, storage, use, and deletion.

2. Scope and Purpose

This Data Processing Agreement ("DPA") applies to the processing of personal data by Vincony on behalf of the customer in connection with the provision of the Vincony AI platform services. Vincony processes personal data solely for the purpose of delivering the Service as described in the Terms of Service.

3. Obligations of the Processor

Vincony shall:

  • Process personal data only on documented instructions from the Controller
  • Ensure that persons authorised to process personal data are bound by confidentiality obligations
  • Implement appropriate technical and organisational security measures
  • Not engage another processor without prior written authorisation from the Controller
  • Assist the Controller in responding to data subject requests
  • Delete or return all personal data upon termination of services, at the Controller's choice
  • Make available all information necessary to demonstrate compliance

4. Sub-processors

Vincony uses third-party sub-processors to deliver the Service. A full and current list is maintained at /legal/sub-processors. The principal sub-processors include:

  • Stripe (San Francisco, USA) — Payment processing and subscription management
  • Supabase (San Francisco, USA) — Database, authentication, storage, and edge functions
  • Cloudflare (San Francisco, USA) — CDN, WAF, and DNS
  • OpenAI (San Francisco, USA) — AI model inference
  • Anthropic (San Francisco, USA) — AI model inference
  • Google Cloud / Gemini (Mountain View, USA) — AI model inference
  • ElevenLabs (New York, USA) — Audio and speech generation
  • Resend (San Francisco, USA) — Transactional email delivery

Vincony will provide the Controller with at least 14 days' notice of any intended additions to or replacements of sub-processors. The Controller may object to any such change within that period; if the parties cannot resolve the objection, the Controller may terminate the affected services with written notice. Where a sub-processor processes personal data on behalf of end users of AI model providers, that provider's own data retention and processing policies govern — Vincony's no-training commitment applies solely to data held by Vincony.

5. Security Measures

Vincony implements the following technical and organisational measures:

  • Encryption at rest (AES-256) and in transit (TLS 1.3)
  • Row-Level Security on all database tables
  • API key encryption using AES-GCM before database storage
  • Automated data retention and deletion (90-day generation lifecycle)
  • Regular security assessments and vulnerability scanning
  • Access controls with role-based permissions
  • Audit logging for administrative operations

6. Data Breach Notification

In the event of a personal data breach, Vincony shall:

  • Notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach
  • Provide details including the nature of the breach, categories and approximate number of affected individuals, likely consequences, and measures taken or proposed
  • Document all breaches and remediation steps

7. Data Subject Rights

Vincony shall assist the Controller in fulfilling its obligations to respond to data subject requests, including:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object

Vincony will respond to Controller instructions regarding data subject requests within 30 days.

8. International Data Transfers

Where personal data is transferred outside the European Economic Area or the United Kingdom, Vincony ensures appropriate safeguards are in place, including:

  • EU transfers: Standard Contractual Clauses (SCCs) as approved by the European Commission (2021 SCCs)
  • UK transfers: International Data Transfer Agreement (IDTA) as approved by the UK ICO, or the UK Addendum to the EU SCCs where applicable
  • Adequacy decisions where applicable
  • Binding Corporate Rules where relevant

9. Audit Rights

The Controller has the right to audit Vincony's compliance with this DPA. Vincony shall:

  • Provide access to relevant documentation upon reasonable request
  • Allow audits or inspections conducted by the Controller or an appointed auditor, subject to reasonable notice and confidentiality obligations
  • Cooperate fully with audit procedures

10. Term and Termination

This DPA shall remain in effect for the duration of the processing of personal data by Vincony. Upon termination:

  • Vincony shall delete or return all personal data within 30 days
  • Vincony shall certify deletion upon request
  • Obligations of confidentiality survive termination

11. Contact

For DPA-related inquiries or to request a signed copy, contact VINCONY AI LTD's Data Protection Officer at [email protected].
