Data Processing Agreement

Last updated: October 05, 2025

1. Purpose

This Data Processing Agreement ("DPA") governs how vested.fyi processes personal data on behalf of our users in compliance with applicable data protection laws, including GDPR and CCPA.

2. Definitions

Personal Data

Any information relating to an identified or identifiable natural person, including:

  • Names and contact information
  • Compensation data and financial information
  • Employment details
  • IP addresses and usage data

Processing

Any operation performed on personal data, including collection, storage, use, disclosure, and deletion.

Data Controller

You (the user) - you determine the purposes and means of processing your personal data.

Data Processor

vested.fyi - we process personal data on your behalf according to your instructions.

3. Data Processing Details

Categories of Data Subjects

  • Our users (individuals using our compensation tracking service)
  • Individuals whose compensation data is entered by users

Categories of Personal Data

  • Identification data (names, email addresses)
  • Financial data (salary, bonus, equity information)
  • Employment data (job titles, company information)
  • Technical data (IP addresses, browser information, usage logs)

Processing Purposes

  • Providing compensation tracking and modeling services
  • Account management and user support
  • Service improvement and analytics
  • Legal compliance and security

Processing Activities

  • Collection and storage of compensation data
  • Data analysis and modeling calculations
  • Data backup and recovery
  • Data export and deletion
  • Access logging and security monitoring

4. Data Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

Technical Measures

  • Data encryption in transit (TLS/SSL)
  • Data encryption at rest (AES-256)
  • Regular security updates and patches
  • Multi-factor authentication for administrative access
  • Network firewalls and intrusion detection

Organizational Measures

  • Access controls and role-based permissions
  • Employee training on data protection
  • Regular security audits and assessments
  • Incident response procedures
  • Data minimization practices

5. Subprocessors

We may use the following subprocessors to help us provide our service:

Hosting and Infrastructure

  • Amazon Web Services (AWS) - Cloud hosting and data storage
  • Cloudflare - Content delivery and security

Analytics and Monitoring

  • Google Analytics - Usage analytics (anonymized)
  • Sentry - Error monitoring and logging

Payment Processing

  • Stripe - Payment processing and billing

We maintain an up-to-date list of subprocessors and will notify you of any changes.

6. Data Subject Rights

We assist you in fulfilling data subject requests, including:

  • Right to access personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to data portability
  • Right to object to processing
  • Right to restrict processing

7. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify you within 72 hours of becoming aware of the breach
  • Provide details about the breach and its potential impact
  • Take appropriate measures to mitigate the breach
  • Cooperate with you in notifying affected individuals if required

8. Data Retention and Deletion

We retain personal data only as long as necessary for the purposes outlined above. When data is no longer needed:

  • User data is deleted within 30 days of account deletion
  • Backup data is securely deleted within 90 days
  • Logs are retained for 12 months for security purposes

9. International Data Transfers

Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions where applicable
  • Other legally recognized transfer mechanisms

10. Audits and Inspections

You have the right to audit our data processing practices. We will provide:

  • Access to relevant documentation and certifications
  • Responses to questionnaires about our security practices
  • Reasonable cooperation with third-party audits (at your expense)

11. Termination

Upon termination of your account or our agreement:

  • We will delete or return all personal data
  • Deletion will be completed within 30 days
  • We will certify completion of data deletion

12. Contact Information

For data protection inquiries or to exercise your rights, please contact:

  • Email: privacy@vested.fyi
  • Data Protection Officer: Harrison Sweeney

13. Governing Law

This DPA is governed by the laws of the United States, with specific reference to California law for interpretation of data protection provisions.