Data Processing Agreement
Last updated: April 1, 2026
1. Introduction and Definitions
This Data Processing Agreement ("DPA") forms an integral part of the Terms of Service between Valorcy Inc. ("Data Processor") and the customer ("Data Controller"). This DPA governs the processing of personal data by Valorcy on behalf of the Data Controller in connection with the Valorcy platform and services.
For the purposes of this DPA, "personal data" means any information relating to an identified or identifiable natural person as defined by the General Data Protection Regulation (GDPR) and other applicable data protection laws. "Processing" means any operation or set of operations performed on personal data, whether or not by automated means.
By using Valorcy services to process personal data of individuals, the Data Controller agrees to the terms of this DPA. This agreement applies to all processing activities carried out by Valorcy in connection with the provision of the services described in the Terms of Service.
2. Scope and Purpose of Processing
Valorcy processes personal data solely for the purpose of providing the website building platform and related services as described in the Terms of Service. This includes hosting, storing, and serving websites created by the Data Controller, processing user submissions through forms, managing authentication, and providing analytics and support services.
The types of personal data processed may include names, email addresses, phone numbers, physical addresses, payment information (processed by our PCI-compliant payment partners), IP addresses, device identifiers, and any other data that the Data Controller or its end users input into the Valorcy platform.
Valorcy shall not process personal data for any purpose other than the specific purposes described in this DPA, except as required by applicable law, regulation, or legal process. Any processing beyond the agreed scope requires prior written consent from the Data Controller.
3. Data Controller Obligations
The Data Controller warrants that it has a valid legal basis for processing personal data through the Valorcy platform and that all processing is conducted in compliance with applicable data protection laws. The Data Controller is responsible for providing appropriate notices to data subjects and obtaining any necessary consents.
The Data Controller shall ensure that all personal data provided to Valorcy is accurate, up-to-date, and lawfully collected. The Data Controller agrees to indemnify Valorcy against any claims, damages, or losses arising from the Data Controller's failure to comply with applicable data protection laws.
The Data Controller shall implement appropriate technical and organizational measures to ensure that any instructions given to Valorcy regarding the processing of personal data comply with applicable data protection requirements.
4. Data Processor Obligations
Valorcy shall process personal data only on documented instructions from the Data Controller and shall not process personal data for its own purposes unless required or permitted by law. Valorcy shall immediately inform the Data Controller if, in its opinion, an instruction from the Data Controller infringes applicable data protection laws.
Valorcy implements appropriate technical and organizational security measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, damage, theft, alteration, or disclosure. These measures include encryption at rest (AES-256) and in transit (TLS 1.3), access controls, regular security testing, and employee training.
Valorcy shall assist the Data Controller in responding to data subject requests, conducting data protection impact assessments, and consulting with supervisory authorities as required by applicable data protection laws. Valorcy shall notify the Data Controller without undue delay if it becomes aware of any personal data breach.
5. Sub-Processors
Valorcy may engage sub-processors to assist in the provision of the services. A current list of authorized sub-processors is maintained and available at /subprocessors. The Data Controller is deemed to have approved the use of sub-processors listed on that page by using the services.
Valorcy shall inform the Data Controller of any intended changes to the list of sub-processors, giving the Data Controller the opportunity to object to such changes. If the Data Controller objects to a proposed sub-processor on reasonable grounds related to data protection, Valorcy will work with the Data Controller to find a mutually acceptable solution.
All sub-processors are bound by data processing agreements that provide at least the same level of data protection as this DPA. Valorcy remains fully liable to the Data Controller for the performance of its sub-processors' data processing obligations.
6. Data Return and Deletion
Upon termination of the services, and upon the Data Controller's written request, Valorcy shall return all personal data to the Data Controller in a structured, commonly used, and machine-readable format within 30 days, or delete all personal data and certify such deletion in writing, unless applicable law requires Valorcy to retain certain data.
Where the Data Controller does not request return or deletion of personal data upon termination, Valorcy shall delete all personal data within 90 days of the termination date, except where retention is required by applicable law for tax, accounting, or legal compliance purposes.
Backups containing personal data will be securely deleted or overwritten in accordance with Valorcy's standard backup retention schedule, which is typically 30 days. Valorcy shall not be able to access personal data in backups after the expiration of this retention period.