legal --dpa

Data Processing Agreement

This page summarises how VaultTerm processes data on your behalf. It reflects our current practice; a formal, countersigned DPA is available for teams and enterprise customers on request.

Roles: When you use VaultTerm to store and broker access to your own systems, you are the data controller for the credentials and content you put in. VaultTerm acts as a data processor, handling that data on your instructions to provide the service.
Scope of processing: We process the data you store (credentials, connection details, secure notes), the access and session metadata needed to broker and audit connections, and the account/billing data needed to run your subscription. We do not sell your data or use your secrets to train models.
Security measures: Secrets are protected with envelope encryption and are never stored as plaintext. Access is brokered and decrypted in memory only for authorized, audited sessions. Every secret read and session is written to a tamper-evident audit trail. See the security page for the full model.
Subprocessors: We use a short list of subprocessors for payments, transactional email and hosting. The current list, with purpose and location, is published on the subprocessors page. Material changes are communicated to account contacts before they take effect.
Data location & residency: Hosting region is configured per deployment. Enterprise customers can arrange data-residency requirements as part of their agreement — talk to us about your environment, including self-hosted options.
Sub-breach notification: If we become aware of a personal-data breach affecting your data, we will notify the account's designated contact without undue delay and share the information needed for you to meet your own notification obligations.
Data subject requests & deletion: You can export and delete your data from the app. On termination, your data is deleted or returned according to the agreed retention terms.

For the countersigned DPA or any data-protection questions, contact us. See also the subprocessors list and the security model.