Data Processing Agreement
Introduction
This Data Processing Agreement ("DPA") forms part of the agreement between VantaWeb ("Processor") and the customer ("Controller") and governs the processing of personal data by VantaWeb on the Controller's behalf in connection with the VantaWeb platform.
This DPA supplements and is incorporated into the Terms of Service. Capitalized terms not defined here have the meaning given in the Terms of Service.
This DPA addresses VantaWeb acting as a data processor under the GDPR and a service provider under the CCPA/CPRA where those laws apply. VantaWeb is not currently offered for PHI or HIPAA-regulated workflows and does not currently execute Business Associate Agreements.
Requesting a Signed DPA
Business customers who require a countersigned DPA may request one by emailing privacy@vantaweb.io with the subject line “DPA Execution Request.” Availability, review scope, effective terms, and timing are confirmed in writing for the specific customer; this page does not promise automatic countersignature or a fixed turnaround.
Definitions
- Personal Data — any information relating to an identified or identifiable natural person processed in connection with the Service.
- Controller — the customer who determines the purposes and means of processing Personal Data.
- Processor — VantaWeb, processing Personal Data on behalf of the Controller.
- Sub-processor — any third party engaged by VantaWeb to assist in processing Personal Data.
- Applicable Data Protection Law — GDPR (EU 2016/679), UK GDPR, CCPA/CPRA, and any other applicable data protection laws.
Scope and Purpose
VantaWeb processes Personal Data solely to provide the Service as described in the Terms of Service, including operating the AI receptionist ("Anna"), storing call records, and managing account data.
VantaWeb will not process Personal Data for its own independent purposes, sell Personal Data, or use it for advertising.
Controller Obligations
- Ensure a lawful basis exists for processing Personal Data before providing it to VantaWeb.
- Provide all required privacy notices to data subjects.
- Respond to data subject requests (VantaWeb will assist as described below).
- Configure the Service with accurate business information.
Processor Obligations
- Process Personal Data only on documented instructions from the Controller.
- Ensure personnel authorized to process Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures (see Privacy Policy — Security).
- Notify the Controller without undue delay upon becoming aware of a Personal Data breach.
- Delete or return all Personal Data upon termination of the Service, at Controller's election.
Sub-processors
VantaWeb engages the following categories of sub-processors to deliver the Service:
- Anthropic (Claude AI) — conversational AI processing
- Telnyx / LiveKit — telephony and real-time communications
- Hetzner Online GmbH — application and database hosting (Ashburn, Virginia, US)
- Cloudflare, Inc. — CDN, DDoS protection, DNS, R2 object storage
- Stripe — payment processing (PCI DSS compliant)
The complete, current sub-processor list including locations and DPA links is published at vantaweb.io/legal/sub-processors/. VantaWeb will provide 30 days advance written notice before adding or materially changing a sub-processor.
Data Subject Rights Assistance
VantaWeb will provide reasonable assistance to the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection). Contact privacy@vantaweb.io to initiate.
Security Measures
VantaWeb's current public security boundary includes the following qualified measures. These statements are not a certification, audit opinion, or evidence of HIPAA eligibility:
- TLS protects supported public service connections in transit; protocol version and termination point vary by service and provider.
- Access to production systems is restricted. Exact role, logging, encryption-at-rest, and key-management claims require control-specific evidence before inclusion in a signed security schedule.
- Security monitoring and incident-response procedures are maintained, but this page does not represent that a recurring independent penetration test or annual audit has been completed.
- Any contractual breach-notification duty is governed by the executed agreement and applicable law, not an unsupported universal website SLA.
International Data Transfers
VantaWeb's primary application and database infrastructure is hosted in Ashburn, Virginia, United States. Some sub-processors operate global networks or may process service data in other regions under their own documented terms. Do not infer an absolute US-only residency promise. Contact privacy@vantaweb.io to review required transfer terms for a specific deployment.
Data Retention
Retention varies by data category, customer agreement, legal obligation, production store, backup lifecycle, and sub-processor behavior. Earlier fixed-period statements are not a universal promise. See the Interim Data Retention Notice and the executed customer agreement.
HIPAA Business Associate Agreement (BAA)
VantaWeb is not currently offered for PHI or HIPAA-regulated workflows and does not currently execute Business Associate Agreements. No current plan is approved for the transmission, storage, or processing of Protected Health Information (PHI).
Do not interpret this DPA, a security measure, an integration page, or a planned compliance program as present BAA availability or HIPAA eligibility.
- Do not transmit PHI through VantaWeb until a BAA has been executed. Transmitting PHI without an executed BAA would violate your HIPAA obligations and these Terms of Service.
- To ask about future product-boundary changes, email privacy@vantaweb.io with subject line "HIPAA Status Inquiry." No launch date or eligibility is promised.
- See our Privacy Policy — Security section for current infrastructure measures, and the HIPAA AI Receptionist page for current compliance posture.
Contact
For DPA execution, transfer-term inquiries, HIPAA status, or sub-processor questions: privacy@vantaweb.io
VantaWeb | Subject line: "DPA Inquiry" or "HIPAA Status Inquiry"
See also: Privacy Policy | Sub-Processor List | Terms of Service