Trust & Security

Data Processing Agreement

Our commitments for processing customer personal data: roles, safeguards, subprocessors, and breach notification.

Last updated · July 2026

Draft, pending legal review. This DPA is provided as a starting point and has not yet been reviewed by counsel. If you require an executed agreement for procurement, email abhi@valiqai.com and we will arrange a countersigned copy.

This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Customer", "Controller") and ValiqAI ("ValiqAI", "Processor", "we") governing the Customer's use of the ValiqAI platform (the "Service"). It reflects the parties' agreement on the processing of Personal Data in connection with the Service and applies to the extent ValiqAI processes Personal Data on the Customer's behalf that is subject to data protection laws such as the GDPR, UK GDPR, or the CCPA/CPRA.

1. Definitions

  • "Personal Data", "Controller", "Processor", "Data Subject", and "Processing" have the meanings given in applicable data protection law.
  • "Subprocessor" means any third party engaged by ValiqAI to process Personal Data on the Customer's behalf.
  • "Data Protection Law" means all privacy and data protection laws applicable to the Processing, including the GDPR, UK GDPR, and the CCPA/CPRA.

2. Roles & scope

For Personal Data processed under this DPA, the Customer is the Controller and ValiqAI is the Processor. ValiqAI processes Personal Data only on documented instructions from the Customer, including as set out in this DPA and the agreement, and as necessary to provide and support the Service. Details of the Processing are described in Annex I below.

3. ValiqAI's obligations

  • Process Personal Data only on the Customer's documented instructions.
  • Ensure personnel authorized to process Personal Data are bound by confidentiality.
  • Implement appropriate technical and organizational security measures (see Annex II).
  • Assist the Customer, taking into account the nature of the Processing, in responding to Data Subject requests and meeting its security, breach-notification, and impact-assessment obligations.
  • Not sell or share Personal Data, and not retain, use, or disclose it for any purpose other than performing the Service, as required under the CCPA/CPRA.

4. Subprocessors

The Customer provides general authorization for ValiqAI to engage the Subprocessors listed on our Subprocessors page. ValiqAI imposes data protection obligations on each Subprocessor that are no less protective than those in this DPA and remains responsible for each Subprocessor's performance.

ValiqAI will update the Subprocessors page before engaging a new Subprocessor that processes Customer Personal Data. The Customer may object to a new Subprocessor on reasonable data protection grounds by contacting us.

5. Data subject rights

Taking into account the nature of the Processing, ValiqAI will assist the Customer by appropriate technical and organizational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights under Data Protection Law. If ValiqAI receives such a request directly, it will, where legally permitted, direct the Data Subject to the Customer.

6. Personal data breaches

ValiqAI will notify the Customer without undue delay after becoming aware of a Personal Data breach affecting the Customer's Personal Data, and will provide information reasonably available to it to help the Customer meet its own notification obligations.

7. International transfers

Where the Processing involves transfers of Personal Data from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties agree that the applicable Standard Contractual Clauses (and the UK Addendum where relevant) are incorporated into this DPA and apply to such transfers.

8. Return & deletion

Upon termination of the Service, and at the Customer's choice, ValiqAI will delete or return the Customer's Personal Data, and delete existing copies unless retention is required by law. Standard retention periods are described in our Privacy Policy.

9. Audits

ValiqAI will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA. To the extent audits are required, they may be satisfied by providing relevant certifications, reports (such as a SOC 2 report when available), or responses to reasonable security questionnaires.

Annex I: Details of Processing

Subject matter & duration

Provision of the ValiqAI automated quality and security testing Service, for the duration of the Customer's subscription.

Nature & purpose

Hosting account data, running scans of Customer-authorized targets, generating results and reports, and providing related support.

Categories of Data Subjects

Customer's authorized users (account holders and team members), and any individuals whose data appears within Customer-authorized scan targets.

Categories of Personal Data

Account details (name, email), authentication data, billing contact information, usage and diagnostic data, and any Personal Data incidentally captured in scan results (e.g. screenshots) of the Customer's own systems.

Special categories

Not intended. The Service is not designed to process special-category data, and the Customer should not direct scans at systems where such data would be captured.

Annex II: Technical & Organizational Measures

ValiqAI maintains security measures appropriate to the risk, including:

  • Encryption of data in transit (TLS) and at rest.
  • Access controls and organization-level data isolation.
  • Hashing of passwords and encryption of sensitive stored secrets.
  • Error monitoring, logging, and least-privilege access to production systems.

A fuller description is available on our Security & Trust page.

Questions

To request a signed DPA or ask questions about data processing, contact abhi@valiqai.com.

Ready to secure your app?