Skip to content

Data Processing Agreement

Last updated September 25, 2022

This Data Processing Agreement (“DPA”) is subject to, incorporated with, and part of, the VALDI LABS, PBC (“VALDI”) Terms of Service (“TOS”) and is entered into between VALDI, Inc. (“VALDI”) and the customer identified in the TOS (“Customer”). VALDI and the Customer are referred to as “Parties” herein, and are individually known as a “Party”.

The parties agree as follows:


Process” or “Processing” is any method, operation, or set of operations that is accomplished upon Personal Data, such as collection, recording, organization, structuring, storage, change or alteration, retrieval, consultation, use, disclosure through transmission, dissemination or other processes applicable Data Protection Laws specify.

Processor” is an entity that, on behalf of the Controller, processes Personal Data.

Security Incident” is any event that poses a threat to the safety, privacy, or integrity of Personal Data or the physical, technical, administrative, or organizational safeguards installed to defend it. This is subject to Data Protection Laws that are relevant.

Service Provider” is a Processor of Personal Data as described in relevant Data Protection Laws.

Standard Contractual Clauses” are Standard Contractual Clauses subject to applicable Data Protection Laws .

Sub-processor” means any Processor used by VALDI or its associates to help in satisfying its duties with regards to VALDI Services pursuant to the TOS or this DPA.


This DPA applies wherein to the volume that VALDI uses Personal Data on behalf of the Customer or its Authorized Affiliates while providing VALDI Services. This is subject to applicable Data Protection Laws.

Processing of Personal Data

Role of the Parties. The Parties agree that during the Processing of Personal Data, Data Protection Laws that outline the Parties’ relation as one of a Controller and a Processor. The Customer is the Controller and VALDI is the Processor. The Parties agree that during the Processing of Personal Data subject to applicable Data Protection Laws, that outline the Parties’ relation as one among an enterprise and a Service Provider, VALDI is the Service Provider. The Parties agree that during the Processing of Personal Data subject to Data Protection Laws, the Parties’ relation is one of a Personal Information Processor and an Entrusted Party. The Customer is the Personal Information Processor and VALDI is the Entrusted Party. Nothing on this DPA or TOS will be construed as VALDI having a direct relation with the clients or customers of the Customer or its Authorized Affiliates or that VALDI is appearing as a Controller under Data Protection Laws.

Customer Obligations. The Customer shall, in its use of VALDI Services, Process Personal Data according to, and in compliance with all relevant laws, such as, with no limitation, Data Protection Laws. The Customer has sole responsibility for the accuracy, standard, and legality of Personal Data, and the method through which the Customer received any Personal Data, such as, with no limitation, receiving the permission of every Data Subject and making sure the accuracy of all Personal Data is maintained.

VALDI Processing of Personal Data. VALDI consents to the Processing of Personal Data on behalf of and according to the Customer’s documented written consent in reference to: (i) Processing according to this DPA and the TOS; (ii) Processing involving the imparting of VALDI Services; or (iii) Processing in any other case required pursuant to relevant Data Protection Laws. The Parties agree that this DPA and the TOS set out Customer’s entire commands to VALDI on the subject of the Processing of Personal Data and any processing not in the scope of such commands (if any) shall require an existing written contract between the Customer and VALDI.


Authorized Sub-processors. The Customer knows and consents to the fact that VALDI may also involve Sub-processors every now and then to maintain Personal Data on the Customer's or its Authorized Affiliates’ behalf. The Customer permits the usage of VALDI’s contemporary Sub-processors, a listing that is available upon request. In the event that VALDI intends to involve a brand new Sub-processor with relation to VALDI Services, VALDI will modify the list with or without notifying the Customer.

Sub-processor Obligations. When relevant, VALDI shall: (i) enter into a written agreement with the Sub-processor enforcing data protection that require the Sub-processor to defend the Personal Data to the standard required through Data Protection Laws; and (ii) continue to be accountable for its compliance with the duties of this DPA and for any acts or omissions of the Sub-processor that require VALDI to breach any of its duties in this DPA.


Security Measures. VALDI shall put in force and keep suitable technical and organizational security features to defend Personal Data from Security Incidents and to maintain the safety and confidentiality of the Personal Data, according to VALDI's protection requirements defined here (“Security Measures”).

Confidentiality of Processing. VALDI shall make certain that any person authorized by VALDI to maintain Personal Data (such as its staff, retailers and subcontractors) will be under the precise responsibility of confidentiality (whether or not it is a contractual or statutory duty).

Security Incident Response. Upon noticing a Security Incident, VALDI shall notify Customers without undue untimeliness, and shall offer well-timed statistics referring to the Security Incident as they become available, or as within reason, upon a Customer's request.

Updates to Security Measures. Customer recognizes that the Security Measures are subject to technical developments and improvements, and that VALDI may also replace or revise Security Measures every now and then, with or without notifying the Customer.

Security Reports and Audits

Upon Customer's written request, VALDI shall offer (on a private basis) copies of applicable outside certifications, audit documentation summaries and/or different documentation fairly requested by the Customer to affirm VALDI's compliance with this DPA. VALDI shall in addition offer written responses (on a private basis) to all acceptable requests for statistics made by Customer, such as responses to information security and audit questionnaires, that Customer (appearing fairly) considers important to verify VALDI's compliance with this DPA, supplied that Customer shall not exercise this right more than once a year.

International Transfers

If Data Protection Laws limit cross-border Personal Data transfers, the Customer will instruct its Authorized Affiliates so, and only transfer that Personal Data to VALDI under the subsequent conditions: (i) VALDI, both via its vicinity or participation in a legitimate cross-border transfer mechanism under Data Protection Laws, as recognized in applicable documents, may also legally acquire that Personal Data, or (ii) the transfer in any other case complies with Data Protection Laws for the motives set forth in applicable documents. If any Personal Data switch among Customer and VALDI calls for the execution of Standard Contractual Clauses as a way to follow Data Protection Laws, the Parties agree the Standard Contractual Clauses will thereby be deemed included herein, and take all other moves required to legitimize the transfer. In the occasion of a struggle or inconsistency among this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

Return or Deletion of Data

Upon deactivation of VALDI Services, all Personal Data will be deleted pursuant to VALDI’s retention and removal policies. Notwithstanding the foregoing, VALDI reserves the right to hold applicable records and statistics whilst required through relevant law; whilst below a courtroom docket order, subpoena, or different criminal order; or whilst maintaining proof following or in anticipation of a civil or criminal lawsuit.


Cooperation. VALDI shall (at Customer's expense), taking into consideration the character of the processing, offer reasonable cooperation to help the Customer in responding to a Data Subject request made under relevant Data Protection Laws referring to the processing of Personal Data under the TOS. In the event that this type of Data Subject request is made directly to VALDI, VALDI shall not reply to such request directly without the Customer's earlier authorization, until legally forced to do so (as determined in VALDI’s true faith and discretion). If VALDI must reply to a Data Subject request, VALDI shall directly notify Customer and offer the Customer with a replica of such Data Subject Request (to the volume legally allowed).

Data Impact Assessment. To the extent VALDI is required under relevant Data Protection Laws, VALDI shall (at Customer's expense) offer fairly requested statistics concerning VALDI's Processing of Personal Data below the TOS to permit the Customer to carry out information protection impact tests or previous consultations with information safety authorities as required through law.

Sale of Personal Data

VALDI shall: (a) not sell the Personal Data (including to the volume of the definition of “sell” as described in applicable laws); (b) not hold, use or reveal Personal Data for any reason aside from for acting in the VALDI Services, in compliance with the TOS, or as in any other case authorized through relevant Data Protection Laws; (c) not hold, use or reveal the Personal Data for a business motive (such as to the volume of the definition of “business motive” as described in applicable laws) aside from the agreed functions set forth in the TOS; and (d) not hold, use, or reveal Personal Data outside of the direct business relationship among VALDI and the Customer, except as may in any other case be supplied in this DPA. VALDI hereby certifies that it knows and is inclined to abide by the regulations in this Section.


Notice Requirements. Any notices required to be introduced by VALDI to customers will be sent directly. Any notices required to be introduced by Customer to VALDI hereunder will be sent to

Term. VALDI will Process Personal Data during the course of this DPA, except in any other case that is agreed in writing.

Severability. If one or more provisions of this DPA are held to be unenforceable under relevant law, the Parties conform to renegotiate such provision(s) in good standing. In the occasion that such provision was not required by the Data Protection Laws and the Parties can't attain a collectively agreeable and enforceable replacement, then (a) such provision will be excluded from this DPA, (b) the stability of this DPA will be interpreted as though such provision were so excluded, and (c) the stability of this DPA will be enforceable in accordance with its terms.

Limitation of Liability. Each Party’s legal responsibility arising out of or associated with this DPA, whether or not in contract, tort or under another principle of legal responsibility, is subject to those boundaries of legal responsibility set forth in the TOS and any reference in the TOS restricting a Party’s liability means the aggregate legal responsibility of that Party below the TOS and this DPA.