Data processing addendum · template

Customer instructions govern customer data.

This addendum becomes binding only when incorporated into an executed Varistra order. The contracting entity and governing law are identified on that order.

Roles and instructions

The customer is controller or business; Varistra is processor or service provider for customer data submitted to the service. Varistra processes that data only to provide, secure, support, and improve the contracted service, or as required by law.

Confidentiality and security

Access is limited to authorized personnel and service providers under confidentiality duties. Technical controls include tenant scoping, encryption of retained sources, hashed credentials and tokens, immutable evidence records, audit events, retention settings, and backup procedures.

Subprocessors and transfers

Infrastructure, email, payment, authentication, and connected-source providers may process limited data for their service. The current subprocessor and hosting-region schedule is supplied with the order. Material changes are notified through the agreed contact.

Requests, incidents, and deletion

Varistra will reasonably assist with data-subject requests, security inquiries, and impact assessments appropriate to the processing. Confirmed incidents affecting customer data are communicated without undue delay. Workspace deletion removes application records and retained objects; backup expiration follows the contracted retention schedule.

Return and audit

Customers can export snapshots, decisions, outcomes, reports, and audit events. Reasonable security documentation is provided under confidentiality before on-site audit is considered.