Data Processing Addendum (DPA)
Effective Date: September 4, 2025
Last Updated: September 4, 2025
This Data Processing Addendum (“DPA”) forms part of the agreements between VAMS Technologies LLC (“VAMS”, “Processor”, “Service Provider”, “we”, “us”) and any client (“Client”, “Controller”, “you”) that engages VAMS for technology services, including IT development, SaaS solutions, ERP implementations, and related support (the “Services”).
This DPA governs the processing of Personal Data when VAMS acts on behalf of the Client.
1. Definitions
- “Personal Data”: Any information relating to an identified or identifiable individual.
- “Processing”: Any operation performed on Personal Data, such as collection, storage, use, transfer, or deletion.
- “Controller”: The Client, who determines the purpose and means of Processing.
- “Processor/Service Provider”: VAMS, who processes Personal Data on behalf of the Client.
- “Subprocessor”: Third parties engaged by VAMS to process Personal Data.
- Applicable Laws: GDPR (EU), CPRA (California), TDPSA (Texas), and other relevant data protection laws.
2. Roles of the Parties
- The Client is the Controller.
- VAMS is the Processor (or “Service Provider” under CPRA/TDPSA).
- VAMS will only process Personal Data as instructed by the Client and as necessary to provide the Services.
3. Scope and Purpose of Processing
VAMS will process Personal Data solely for:
- Delivering Services as agreed in the main contract.
- Supporting, maintaining, and improving the Services.
- Meeting legal or regulatory requirements.
VAMS will never:
- Sell Personal Data.
- Share Personal Data with third parties for marketing without Client authorization.
4. Client Responsibilities
The Client represents and warrants that:
- It has a lawful basis for providing Personal Data to VAMS.
- All instructions given to VAMS comply with Applicable Laws.
5. VAMS Obligations
VAMS agrees to:
- Process Personal Data only on documented instructions from the Client.
- Ensure persons authorized to process data are bound by confidentiality.
- Implement appropriate technical and organizational security measures.
- Assist the Client with data subject rights requests (access, deletion, correction).
- Provide breach notification without undue delay, and within legal timelines.
- Make available all information necessary to demonstrate compliance.
6. Subprocessors
VAMS engages carefully selected third-party service providers (“Subprocessors”) to support delivery of our Services. These Subprocessors may have access to Personal Data only as necessary to perform their functions and are contractually bound to maintain confidentiality and security.
Current Subprocessors
| Subprocessor | Purpose | Location | Policy Link |
|---|---|---|---|
| Odoo S.A. / Odoo.sh | ERP hosting and application services | Belgium / Global | odoo.com/privacy |
| Amazon Web Services (AWS) | Cloud hosting & infrastructure | USA | aws.amazon.com/privacy |
| Google (Workspace, Analytics) | Email, documents, analytics | USA | policies.google.com/privacy |
| Calendly | Meeting scheduling | USA | calendly.com/privacy |
Notice of New Subprocessors
- VAMS will update this list if we add new Subprocessors.
- Clients may object to a new Subprocessor within 30 days of notice.
7. International Data Transfers
If Personal Data is transferred outside the Client’s jurisdiction:
- VAMS will ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses for EU transfers).
8. Data Retention and Deletion
Upon termination of Services, VAMS will:
- Return all Personal Data to the Client, or
- Delete Personal Data securely, unless retention is required by law.
9. Liability
The total aggregate liability of VAMS under this DPA will not exceed the fees paid by the Client to VAMS in the 12 months preceding the claim.
10. Governing Law
This DPA is governed by the laws of the State of Texas, USA, unless otherwise required by Applicable Laws.
11. Contact
Questions about this DPA can be directed to:
VAMS Technologies LLC, 4400 State Hwy 121 #300, Lewisville TX 75056, Texas, USA