Legal

Privacy Policy

Last updated · June 10, 2026
The terms governing use of Vantory’s platform are set out below, together with the Data Processing Addendum and Security Measures that describe how customer personal information is handled and protected.

Data Processing Addendum

Vantory.ai and Customer hereby adopt this Data Processing Addendum (“DPA”) for so long as Vantory.ai processes Customer Personal Information (as defined herein) on Customer’s behalf pursuant to Vantory.ai’s customer agreement (“Agreement”). In the event of a conflict between this DPA and the Agreement with respect to the subject matter of this DPA, this DPA will prevail to the extent of such conflict.

1. Definitions

Capitalized terms used in this DPA and not defined herein will have the meanings given to them by the Agreement. As used in this DPA:

  • “CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020.
  • “Consumer” means a natural person. Where applicable, Consumer will be interpreted consistent with the same or similar term under the U.S. Privacy Laws.
  • “Controller” means a person or entity that collects individuals’ Personal Information and alone, or jointly with others, determines the purposes and means of the Processing of such Personal Information. Where applicable, Controller will be interpreted consistent with the same or similar term under the U.S. Privacy Laws.
  • “Customer Personal Information” means Customer Data that constitutes Personal Information subject to U.S. Privacy Laws.
  • “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable natural person. Where applicable, Personal Information will be interpreted consistent with the same or similar term under U.S. Privacy Laws.
  • “Processor” means “Processor,” “Service Provider,” or “Contractor” as those terms are defined in U.S. Privacy Laws.
  • “Sale” and “Selling” have the meaning defined in the U.S. Privacy Laws.
  • “Share,” “Shared,” and “Sharing” have the meaning defined in the CCPA.
  • “U.S. Privacy Laws” means, collectively, all U.S. federal and state privacy laws and their implementing regulations, as amended or superseded from time to time, that apply generally to the Processing of individuals' Personal Information and that do not apply solely to specific industry sectors (e.g., financial institutions), specific demographics (e.g., children), or specific classes of information (e.g., health or biometric information), in each case where applicable to the Processing of Customer Personal Information by Vantory.ai pursuant to the Agreement. U.S. Privacy Laws may include, but are not limited to, the CCPA. In the event of a conflict in the meanings of defined terms in U.S. Privacy Laws, the meaning from the law applicable to the state of residence of the relevant Consumer applies.

2. Scope, Roles, and Termination

2.1 Applicability. This DPA applies only to Vantory.ai’s Processing of Customer Personal Information for the nature, purposes, and duration set forth in the Agreement.

2.2 Roles of the Parties. For the purposes of the Agreement and this DPA, Customer is the party responsible for determining the purposes and means of Processing Customer Personal Information as the Controller and appoints Vantory.ai as a Processor to Process Customer Personal Information on Customer’s behalf for the limited and specific purposes set forth in the Agreement.

2.3 Obligations at Termination. Upon termination of the Agreement, except as set forth therein or herein, Vantory.ai will discontinue Processing and destroy or return Customer Personal Information in its or its subcontractors’ and sub-processors’ possession without undue delay. Vantory.ai may retain Customer Personal Information to the extent required by law but only to the extent and for such period as required by such law and always provided that Vantory.ai will take steps to ensure the confidentiality of all such Customer Personal Information.

3. Compliance

3.1 Compliance with Obligations. Vantory.ai will take steps to ensure that its employees, agents, subcontractors, and sub-processors: (a) comply with applicable obligations of U.S. Privacy Laws; (b) provide the level of privacy protection for Customer Personal Information required by applicable U.S. Privacy Laws; and (c) to the extent required by applicable U.S. Privacy Laws, provide Customer with reasonable assistance to enable Customer to fulfill Customer’s own obligations under applicable U.S. Privacy Laws.

3.2 Compliance Assurance. Customer may take reasonable and appropriate steps to ensure that Vantory.ai uses Customer Personal Information consistent with Customer’s obligations under applicable U.S. Privacy Laws.

3.3 Compliance Monitoring. No more than once per calendar year, Vantory.ai will provide or make available to Customer, upon Customer’s written request, information or documentation in Vantory.ai’s possession and control necessary to demonstrate Vantory.ai’s compliance with its obligations under this DPA.

3.4 Compliance Remediation. Vantory.ai will notify Customer if it determines that it can no longer meet its obligations under applicable U.S. Privacy Laws. Upon receiving notice from Vantory.ai in accordance with this subsection, Customer may direct Vantory.ai to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Information.

3.5 Security. The parties will implement and maintain no less than commercially reasonable security measures, appropriate to the nature of the information, designed to protect Customer Personal Information from unauthorized access, destruction, use, modification, or disclosure, which will include, at a minimum, those set forth in in our Security Measures.

4. Restrictions on Processing

4.1 Limitations on Processing. Vantory.ai will Process Customer Personal Information as instructed in the Agreement. Except as expressly permitted by U.S. Privacy Laws, Vantory.ai is prohibited from: (a) Selling or Sharing Customer Personal Information; (b) retaining, using, or disclosing Customer Personal Information for any purpose other than for the specific purpose of performing the services specified in Appendix A; (c) retaining, using, or disclosing Customer Personal Information outside of the direct business relationship between the parties; and (d) combining Customer Personal Information with Personal Information obtained from, or on behalf of, sources other than Customer, except as expressly permitted under applicable U.S. Privacy Laws.

4.2 Confidentiality. Vantory.ai will take steps to ensure that its employees, agents, subcontractors, and sub-processors who Process Customer Personal Information are subject to a duty of confidentiality with respect to Customer Personal Information.

4.3 Sub-processors. Vantory.ai will use reasonable efforts to notify Customer of any intended changes concerning the addition or replacement of sub-processors. Further, Vantory.ai will take steps to ensure that Vantory.ai’s sub-processors who Process Customer Personal Information on Vantory.ai’s behalf agree in writing to the same or materially equivalent restrictions and requirements that apply to Vantory.ai in this DPA and the Agreement with respect to Customer Personal Information, as well as to comply with U.S. Privacy Laws.

4.4 Right to Object. Customer may object in writing to Vantory.ai’s appointment of a new sub-processor on reasonable grounds by notifying Vantory.ai in writing within 14 calendar days of receipt of notice. In the event Customer objects, the parties will discuss Customer’s concerns in good faith with a view to achieving a commercially reasonable resolution.

5. Consumer Rights

5.1 Assistance. To the extent required by applicable U.S. Privacy Laws, Vantory.ai will provide commercially reasonable assistance to Customer for the fulfillment of Customer’s obligations to respond to U.S. Privacy Law-related Consumer rights requests regarding Customer Personal Information.

5.2 Customer Notice. Where applicable, Customer will inform Vantory.ai of any Consumer rights request made pursuant to U.S. Privacy Laws with which Vantory.ai must comply with. Customer will provide Vantory.ai with the information necessary for Vantory.ai to comply with the request.

5.3 Deletion. Vantory.ai will not be required to delete any Customer Personal Information to comply with a Consumer’s rights request directed by Customer if retaining such information is specifically permitted by applicable U.S. Privacy Laws; provided, however, that in such case, Vantory.ai will not use Customer Personal Information retained for any purpose other than provided for by that exception.

6. Exemptions

Notwithstanding any provision to the contrary in the Agreement or this DPA, the terms of this DPA will not apply to Vantory.ai’s Processing of Customer Personal Information that is exempt from applicable U.S. Privacy Laws.

7. Changes to Applicable Privacy Laws

The parties agree to cooperate in good faith to enter into additional terms to address any modifications, amendments, or updates to applicable statutes, regulations, or other laws pertaining to privacy and information security, including, where applicable, U.S. Privacy Laws.

Security Measures

Vantory.ai will apply at least the following types of security measures to Customer Personal Information, as applicable:

Physical access control

Technical and organizational measures designed to prevent unauthorized persons from gaining access to the premises and facilities (including databases, application servers, and related hardware) where Customer Personal Information is Processed, such as:

  • Establishing security areas, restriction of access paths
  • Establishing access authorizations for employees and third parties
  • Access control system (ID reader, magnetic card, chip card)
  • Key management, card-keys procedures
  • Door locking (electric door openers, etc.)
  • Security staff, janitors
  • Surveillance facilities, video/CCTV monitor, alarm system
  • Securing decentralized data processing equipment and personal computers

Virtual access control

Technical and organizational measures designed to prevent systems used to Process Customer Personal Information from being used by unauthorized persons, such as:

  • User identification and authentication procedures
  • ID/password security procedures (special characters, minimum length, change of password)
  • Automatic blocking (e.g., password or timeout)
  • Monitoring of break-in-attempts and automatic turn-off of the user ID upon several erroneous password attempts
  • Creation of one master record per user, user-master data procedures per data processing environment
  • Encryption of archived data media

Data access control

Technical and organizational measures designed to ensure confidentiality and that persons entitled to use a data processing system gain access only to such Customer Personal Information in accordance with their access rights, and that Customer Personal Information cannot be read, copied, modified, or deleted without authorization, such as:

  • Internal policies and procedures
  • Control authorization schemes
  • Default configuration
  • Differentiated access rights (profiles, roles, transactions, and objects)
  • Monitoring and logging of access
  • Disciplinary action against employees who access Customer Personal Information without authorization
  • Reports of access
  • Access procedure
  • Change procedure
  • Deletion procedure
  • Encryption

Disclosure control

Technical and organizational measures designed to ensure that Customer Personal Information cannot be read, copied, modified, or deleted without authorization during electronic transmission, transport, or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities to whom Customer Personal Information is disclosed, such as:

  • Encryption/pseudonymization/tunneling
  • Logging
  • Transport security

Entry control

Technical and organizational measures designed to monitor whether Customer Personal Information has been entered, changed, or removed (deleted), and by whom, from data processing systems, such as:

  • Logging and reporting systems
  • Audit trails and documentation

Control of instructions

Technical and organizational measures designed to ensure that Customer Personal Information is Processed solely in accordance with the instructions of Customer, such as:

  • Unambiguous wording of the contract
  • Formal commissioning (request form)
  • Criteria for selecting the Processor

Availability control

Technical and organizational measures designed to ensure the integrity, availability and resilience of the Processing systems, and that Customer Personal Information is protected against accidental destruction or loss (physical/logical) such, as:

  • Backup procedures
  • Mirroring of hard disks (e.g. RAID technology)
  • Uninterruptible power supply (UPS)
  • Remote storage
  • Antivirus/firewall systems
  • Disaster recovery plan, in the event of a physical or technical incident

Separation control

Technical and organizational measures designed to ensure that Customer Personal Information collected for different purposes can be Processed separately, such as:

  • Separation of databases
  • “Internal client” concept / limitation of use
  • Segregation of functions (production/testing)
  • Procedures for storage, amendment, deletion, transmission of data for different purposes

Testing controls

Technical and organizational measures to test, assess, and evaluate the effectiveness of the technical and organizational measures implemented designed to ensure the security of the Processing, such as:

  • Periodic review and testing of disaster recovery plan
  • Testing and evaluation of software updates before they are installed
  • Authenticated (with elevated rights) vulnerability scanning
  • Test bed for specific penetration tests and red team attacks

IT governance

Technical and organizational measures to improve the overall management of IT and ensure that the activities associated with information and technology are aligned with the compliance efforts, such as:

  • Certification/assurance of processes and products
  • Processes for data minimization
  • Processes for data quality
  • Processes for limited data retention
  • Processes for ensuring accountability
  • Data subject rights policies