VVaubaan

Legal

Data Processing Addendum

Vaubaan acts as a processor for customer data routed through the gateway.

Last updated · 2026-05-26


1. Subject matter

This Addendum forms part of the Vaubaan Terms of Service and applies whenever Vaubaan processes personal data on behalf of the Customer in the course of providing the Service. It is intended to comply with Article 28 GDPR.

2. Definitions

“Customer Personal Data”, “Controller”, “Processor”, “Sub-processor” and other capitalized terms have the meaning given in the GDPR.

3. Scope and nature of processing

  • Subject matter: operation of the Vaubaan MCP gateway service.
  • Duration: for the term of the Terms of Service.
  • Purpose: authenticate users, route MCP tool calls, enforce policy, and maintain the audit log.
  • Data subjects: Customer employees, contractors, and end-users of Customer systems whose data passes through the gateway as part of the customer’s workflows.
  • Categories of data: identifiers, organizational metadata, repository / resource identifiers, audit metadata.

4. Customer instructions

Vaubaan processes Customer Personal Data only on documented instructions from the Customer, including for international transfers, except where required to do so by Union or Member State law.

5. Confidentiality

Vaubaan ensures that persons authorized to process Customer Personal Data are bound by appropriate confidentiality obligations.

6. Security

Vaubaan implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including those described on /security.

7. Sub-processors

Vaubaan uses the sub-processors listed at /subprocessors. The Customer authorizes Vaubaan to engage these sub-processors and any successor; Vaubaan will give at least 14 days’ notice of new sub-processors via the same page and accept reasonable, documented objection.

8. Data subject requests

Vaubaan will assist the Customer with appropriate technical and organisational measures, in so far as possible, to respond to data subject requests.

9. Personal data breaches

Vaubaan will notify the Customer without undue delay after becoming aware of a personal data breach. See security · incident response.

10. Return or deletion

At Customer request or on termination, Vaubaan will delete or return Customer Personal Data within 30 days, except where retention is required by law.

11. International transfers

Vaubaan is based in the European Union. Where personal data is transferred outside the EEA, Vaubaan relies on Standard Contractual Clauses or other valid GDPR transfer mechanisms.

12. Signing

To execute a counter-signed copy of this DPA, email legal@vaubaan.com from your billing contact.

Data Processing Addendum — Vaubaan