Legal
Data Processing Addendum
Vaubaan acts as a processor for customer data routed through the gateway.
1. Subject matter
This Addendum forms part of the Vaubaan Terms of Service and applies whenever Vaubaan processes personal data on behalf of the Customer in the course of providing the Service. It is intended to comply with Article 28 GDPR.
2. Definitions
“Customer Personal Data”, “Controller”, “Processor”, “Sub-processor” and other capitalized terms have the meaning given in the GDPR.
3. Scope and nature of processing
- Subject matter: operation of the Vaubaan MCP gateway service.
- Duration: for the term of the Terms of Service.
- Purpose: authenticate users, route MCP tool calls, enforce policy, and maintain the audit log.
- Data subjects: Customer employees, contractors, and end-users of Customer systems whose data passes through the gateway as part of the customer’s workflows.
- Categories of data: identifiers, organizational metadata, repository / resource identifiers, audit metadata.
4. Customer instructions
Vaubaan processes Customer Personal Data only on documented instructions from the Customer, including for international transfers, except where required to do so by Union or Member State law.
5. Confidentiality
Vaubaan ensures that persons authorized to process Customer Personal Data are bound by appropriate confidentiality obligations.
6. Security
Vaubaan implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including those described on /security.
7. Sub-processors
Vaubaan uses the sub-processors listed at /subprocessors. The Customer authorizes Vaubaan to engage these sub-processors and any successor; Vaubaan will give at least 14 days’ notice of new sub-processors via the same page and accept reasonable, documented objection.
8. Data subject requests
Vaubaan will assist the Customer with appropriate technical and organisational measures, in so far as possible, to respond to data subject requests.
9. Personal data breaches
Vaubaan will notify the Customer without undue delay after becoming aware of a personal data breach. See security · incident response.
10. Return or deletion
At Customer request or on termination, Vaubaan will delete or return Customer Personal Data within 30 days, except where retention is required by law.
11. International transfers
Vaubaan is based in the European Union. Where personal data is transferred outside the EEA, Vaubaan relies on Standard Contractual Clauses or other valid GDPR transfer mechanisms.
12. Signing
To execute a counter-signed copy of this DPA, email legal@vaubaan.com from your billing contact.