Data Processing Addendum
Last updated May 30, 2026
This DPA template describes how VAR Conduit processes personal data on your behalf. It forms part of your agreement with us; reach out to execute a countersigned copy for procurement.
1. Roles
For the channel data you import, you are the controller and VAR Conduit is the processor. We process that data only on your documented instructions — i.e. to provide the service.
2. Scope of processing
- Subject matter: providing the VAR Conduit service.
- Duration: for the term of your subscription.
- Data subjects: your reseller personnel and account contacts.
- Data types: names, job titles, work email, region, and the account/org-tree records you upload.
3. Subprocessors
We use the subprocessors listed in our Privacy Policy, which is the single, current source of truth for that list. We will give notice of material subprocessor changes and remain responsible for their compliance.
4. Security measures
We maintain technical and organizational measures including encryption in transit and at rest, strict per-tenant isolation, access controls, and audit logging — detailed on our Security & Trust page. Everyone we authorise to process your data — employees and contractors — is bound to confidentiality by written agreement (GDPR Art. 28(3)(b)).
5. Data subject rights
Taking into account the nature of the processing, we assist you in responding to data-subject requests under GDPR Articles 15–22 (access, rectification, erasure, restriction, portability, and objection) and the equivalent CCPA rights. The product gives you self-service tools to export a person's record or your whole workspace as structured JSON (access & portability) and to delete a person or wipe the workspace (erasure) — each audited. For anything outside that self-service scope, email privacy@varconduit.com and we respond without undue delay.
6. Personal data breach
We will notify you without undue delay — and in any event within 72 hours — after becoming aware of a personal data breach affecting your data, with the information you need to meet your own notification obligations (for example, under GDPR Article 33).
7. Return & deletion
On termination, you may export your data, after which we delete it in accordance with our retention practices, unless retention is required by law.
8. International transfers
Our infrastructure is hosted in the United States. For any transfer of personal data from the EEA, UK, or Switzerland to the US, we rely on the EU Standard Contractual Clauses (Module Two, controller-to-processor), together with the UK International Data Transfer Addendum where the UK GDPR applies, which we will execute as part of a countersigned DPA.
9. Audit
On reasonable request, we will make available the information necessary to demonstrate compliance with this DPA, including third-party reports where available.
Contact
To execute a countersigned DPA: legal@varconduit.com.