Vimub

Data Processing Agreement

Last updated: 22 April 2026 · Version 3

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“Agreement”) between Quantum AI WebApps Digital LLC (“Processor”, “we”, “us”) and the customer accepting these terms (“Controller”, “you”) and reflects the parties’ agreement with respect to the Processing of Personal Data.

This DPA is intended to satisfy the requirements of Article 28 of the UK GDPR, Article 28 of the EU GDPR, the California Consumer Privacy Act (CCPA/CPRA), the Lei Geral de Proteção de Dados (LGPD, Brazil), and analogous data-protection regimes worldwide.

1. Definitions

Personal Data”, “Data Subject”, “Processing”, and “Controller” have the meanings given in the UK and EU GDPR. “Sub-processor” means any Processor engaged by us who Processes Personal Data on behalf of a Controller.

2. Subject matter & duration

We will Process Personal Data only for the duration of the Agreement and strictly to provide, maintain, and improve the Service, in accordance with your documented instructions.

3. Nature & purpose of Processing

We Process Personal Data to: (i) manage and respond to reviews on your behalf; (ii) send review-request and transactional messages to your customers; (iii) track local SEO ranks; (iv) operate bookings and the unified message inbox; (v) produce reports; and (vi) provide support.

4. Categories of Data Subjects & Personal Data

Data Subjects include:

  • Your employees, contractors, and end-users (“Authorised Users”).
  • Your customers, patients, or clients whose data you submit to the Service.

Categories of Personal Data may include:

  • Identification and contact data (name, email, phone, postal address).
  • Transactional history (invoices, bookings, services performed).
  • Review content authored by the Data Subject and public metadata.
  • Authentication credentials for connected third-party services (encrypted at rest).

5. Our obligations as Processor

  • Process Personal Data only on your documented instructions unless required by law.
  • Ensure persons authorised to Process Personal Data are under a duty of confidentiality.
  • Implement and maintain the technical and organisational measures described in our Security page.
  • Assist you in responding to requests from Data Subjects exercising their rights.
  • Notify you without undue delay and within 72 hours of becoming aware of a Personal Data breach.
  • On termination of the Agreement, delete or return all Personal Data within 60 days except as required by law.

6. Sub-processors

You grant us general authorisation to engage Sub-processors subject to the requirements of this DPA. The current list of Sub-processors is published at /legal/subprocessors and updated whenever we onboard a new one. You may object in writing to a new Sub-processor within 30 days of publication.

7. International transfers

Where Personal Data is transferred out of the UK or EEA, we rely on the UK International Data Transfer Addendum and the EU Standard Contractual Clauses (Module Two: Controller to Processor) as applicable.

8. Audit & inspection

You may audit our compliance with this DPA no more than once per calendar year on thirty (30) days’ written notice. In lieu of a bespoke audit, you may accept our most recent independent penetration-test report and SOC 2 readiness summary, available under NDA.

9. Liability

The parties’ liability under this DPA is subject to the limitations of liability in the Agreement.

10. Signing this DPA

Customers on the Growth tier and above may execute a signed countersigned copy. Email gdpr@vimub.com to request one. For Starter-tier customers, acceptance of the Terms of Service constitutes acceptance of this DPA.

This document is a commercial contract. It is not legal advice. If you have questions, have your counsel review it. We’re happy to negotiate reasonable red-lines for customers on the Agency tier and above.