1. Parties
This Data Processing Agreement ("DPA") is entered into between:
- Controller: the subscribing organisation ("you", "Customer") that has entered into a Varden B2B subscription agreement.
- Processor: Techson Tecnologias Online Lda, NIF 515616222, Rua do Exemplo 123, Portugal ("Varden", "we", "us").
This DPA supplements the Varden Terms of Service and applies to the extent that Varden processes personal data on behalf of the Customer.
2. Definitions
Terms used in this DPA have the meanings given in the GDPR (Regulation (EU) 2016/679), unless otherwise defined herein.
3. Scope and Purpose of Processing
- Subject matter: provision of the Varden AI companion service to the Customer's authorised users.
- Duration: for the term of the B2B subscription agreement, plus any data retention period specified herein.
- Nature and purpose: AI-assisted personal organisation including conversations, memory graph management, document processing, financial tracking, and health logging.
- Categories of data subjects: Customer's authorised end users (employees, team members, family members).
- Types of personal data: account data, conversation data, memory facts, uploaded documents, financial data, health data, and any other data the data subjects choose to share with the AI companion.
4. Obligations of the Processor
Varden shall:
- Process personal data only on documented instructions from the Controller, unless required by EU or Member State law.
- Ensure that persons authorised to process personal data have committed to confidentiality.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (see Section 5).
- Not engage another processor without prior specific or general written authorisation of the Controller (see Section 6).
- Assist the Controller in fulfilling its obligations to respond to data subject requests.
- Assist the Controller in ensuring compliance with security, breach notification, data protection impact assessments, and prior consultation obligations.
- At the Controller's choice, delete or return all personal data after the end of the service, and delete existing copies unless EU or Member State law requires storage.
- Make available to the Controller all information necessary to demonstrate compliance with GDPR Article 28.
5. Security Measures
Varden implements the following technical and organisational measures:
- Encryption at rest: AES-256 for all stored personal data, including database and file storage.
- Encryption in transit: TLS 1.3 for all data transmission.
- Access control: role-based access, principle of least privilege, multi-factor authentication for staff.
- Infrastructure: self-hosted PostgreSQL in EU data centres with automated backups.
- Monitoring: real-time security monitoring, intrusion detection, and audit logging.
- Development practices: secure development lifecycle, dependency scanning, regular security reviews.
- Staff training: regular data protection and security awareness training.
- Incident response: documented incident response plan with defined roles and escalation procedures.
6. Sub-Processors
The Controller grants general authorisation for Varden to engage sub-processors. Varden shall inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object within 30 days.
Current sub-processors:
| Sub-Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Anthropic | AI processing (Claude) | USA | SCCs, zero-retention API |
| Stripe | Payment processing | USA/EU | SCCs, PCI DSS Level 1 |
| Resend | Transactional email | EU | DPA, EU hosting |
| Cloudflare | CDN, R2 object storage | EU (Western Europe) | DPA, EU data residency |
| PostHog | Product analytics | EU | DPA, EU hosting |
7. Data Breach Notification
In the event of a personal data breach, Varden shall:
- Notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach.
- Provide the Controller with sufficient information to fulfil its obligation to notify the supervisory authority and affected data subjects, including:
  - The nature of the breach, including categories and approximate number of data subjects affected
  - The likely consequences of the breach
  - The measures taken or proposed to address the breach
- Cooperate with the Controller and take reasonable steps to mitigate the effects of the breach.
8. Audit Rights
- The Controller has the right to conduct audits, including inspections, to verify Varden's compliance with this DPA.
- Audits shall be conducted with reasonable prior notice (at least 30 days), during normal business hours, and shall not unreasonably disrupt Varden's operations.
- Varden shall cooperate with the audit and provide access to relevant documentation, systems, and personnel.
- The Controller may engage a qualified, independent third-party auditor, subject to confidentiality obligations.
- Audit costs are borne by the Controller, unless the audit reveals material non-compliance by Varden.
9. International Transfers
Where personal data is transferred outside the EU/EEA (specifically to Anthropic and Stripe in the USA), such transfers are protected by Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914), supplemented by Transfer Impact Assessments.
10. Term and Termination
- This DPA is effective for the duration of the B2B subscription agreement.
- Upon termination, Varden shall, at the Controller's choice, return or delete all personal data within 30 days, unless retention is required by law.
- Varden shall provide a certificate of deletion upon request.
11. Governing Law
This DPA is governed by the laws of Portugal and subject to the jurisdiction of the Portuguese courts, without prejudice to any mandatory provisions of the GDPR.
12. Contact
For questions regarding this DPA, contact our Data Protection Officer at dpo@varden.app.
These terms are provided during early access. Final terms will be reviewed by Portuguese counsel specialising in GDPR and technology/SaaS law before public launch.