Data Processing Agreement
Introduction
This Data Processing Agreement ("DPA") forms part of the agreement between VantaWeb ("Processor") and the customer ("Controller") and governs the processing of personal data by VantaWeb on the Controller's behalf in connection with the VantaWeb platform.
This DPA supplements and is incorporated into the Terms of Service. Capitalized terms not defined here have the meaning given in the Terms of Service.
This DPA applies to VantaWeb acting as a data processor under the GDPR, a service provider under the CCPA/CPRA, and a Business Associate under HIPAA where applicable. See the HIPAA section below for BAA availability.
Requesting a Signed DPA
Business customers who require a countersigned copy of this DPA — for example to satisfy GDPR Article 28(3) or internal compliance requirements — may request one by emailing privacy@vantaweb.io with the subject line “DPA Execution Request.” We will provide a countersigned PDF within 5 business days. No additional negotiation of standard terms is required; the signed DPA will reflect the terms published on this page at the time of execution.
Definitions
- Personal Data — any information relating to an identified or identifiable natural person processed in connection with the Service.
- Controller — the customer who determines the purposes and means of processing Personal Data.
- Processor — VantaWeb, processing Personal Data on behalf of the Controller.
- Sub-processor — any third party engaged by VantaWeb to assist in processing Personal Data.
- Applicable Data Protection Law — GDPR (EU 2016/679), UK GDPR, CCPA/CPRA, and any other applicable data protection laws.
Scope and Purpose
VantaWeb processes Personal Data solely to provide the Service as described in the Terms of Service, including operating the AI receptionist ("Anna"), storing call records, and managing account data.
VantaWeb will not process Personal Data for its own independent purposes, sell Personal Data, or use it for advertising.
Controller Obligations
- Ensure a lawful basis exists for processing Personal Data before providing it to VantaWeb.
- Provide all required privacy notices to data subjects.
- Respond to data subject requests (VantaWeb will assist as described below).
- Configure the Service with accurate business information.
Processor Obligations
- Process Personal Data only on documented instructions from the Controller.
- Ensure personnel authorized to process Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures (see Privacy Policy — Security).
- Notify the Controller without undue delay upon becoming aware of a Personal Data breach.
- Delete or return all Personal Data upon termination of the Service, at Controller's election.
Sub-processors
VantaWeb engages the following categories of sub-processors to deliver the Service:
- Anthropic (Claude AI) — conversational AI processing
- Telnyx / LiveKit — telephony and real-time communications
- Hetzner Online GmbH — application and database hosting (Ashburn, Virginia, US)
- Netcup GmbH (US East) — supporting tooling/analytics infrastructure (Manassas, Virginia, US)
- Cloudflare, Inc. — CDN, DDoS protection, DNS, R2 object storage
- Stripe — payment processing (PCI DSS compliant)
The complete, current sub-processor list including locations and DPA links is published at vantaweb.io/legal/sub-processors/. VantaWeb will provide 30 days advance written notice before adding or materially changing a sub-processor.
Data Subject Rights Assistance
VantaWeb will provide reasonable assistance to the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection). Contact privacy@vantaweb.io to initiate.
Security Measures
VantaWeb maintains the following technical and organizational measures:
- TLS 1.3 encryption in transit for all data in motion
- Encryption at rest: application-layer encryption for sensitive fields; full-disk encryption at rest is on our HIPAA-tier roadmap (see HIPAA AI Receptionist page for current status)
- Role-based access control; principle of least privilege
- Annual security audits and penetration testing
- Incident response plan with breach notification within 72 hours of discovery
International Data Transfers
VantaWeb infrastructure is located in the United States. Transfers of Personal Data from the EU/EEA or UK to the US are governed by Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA), as applicable. Contact privacy@vantaweb.io to execute SCCs.
Data Retention
Personal Data is retained for the duration of the Service agreement plus 90 days, unless a shorter or longer period is required by law or requested by the Controller. See the Data Retention Policy for full details.
HIPAA Business Associate Agreement (BAA)
VantaWeb's AI receptionist service is designed for home service businesses and is not a HIPAA-covered entity or business associate by default. Standard plans are not intended for the transmission, storage, or processing of Protected Health Information (PHI) as defined under HIPAA.
A HIPAA Business Associate Agreement (BAA) program is in active development for customers with HIPAA compliance requirements (e.g., healthcare-adjacent home services or wellness businesses). It is not yet available on any plan. Our DPA and sub-processors list are published today, and the BAA program will govern VantaWeb's responsibilities as a Business Associate once available.
- Do not transmit PHI through VantaWeb until a BAA has been executed. Transmitting PHI without an executed BAA would violate your HIPAA obligations and these Terms of Service.
- To discuss BAA program timeline and eligibility, email privacy@vantaweb.io with subject line "BAA Inquiry" and include your account email and plan details.
- See our Privacy Policy — Security section for current infrastructure measures, and the HIPAA AI Receptionist page for current compliance posture.
Contact
For DPA execution, BAA requests, SCC inquiries, or sub-processor questions: privacy@vantaweb.io
VantaWeb | Subject line: "DPA Inquiry" or "BAA Request"
See also: Privacy Policy | Sub-Processor List | Terms of Service