Data Processing Agreement (DPA)

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Starbox Group GmbH ("Processor", "Starbox", "we", "us") and you ("Controller", "Customer", "you") and governs the processing of personal data by Starbox Group GmbH on your behalf through its Vaultbrix platform.

This DPA complies with the EU General Data Protection Regulation (GDPR), the Swiss Federal Act on Data Protection (nFADP/LPD), and applicable data protection laws.

2. Definitions

• "Personal Data": Any information relating to an identified or identifiable natural person stored in your Vaultbrix databases
• "Processing": Any operation performed on Personal Data (storage, retrieval, transmission, deletion, etc.)
• "Data Subject": An identified or identifiable natural person whose Personal Data is processed
• "Sub-processor": A third party engaged by Vaultbrix to process Personal Data on your behalf
• "Controller": The entity (you) that determines the purposes and means of Processing
• "Processor": The entity (Vaultbrix) that processes Personal Data on behalf of the Controller
• "Security Incident": A breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of Personal Data

3. Scope of Processing

3.1 Subject Matter

Vaultbrix processes Personal Data that you store in your databases, storage buckets, and edge functions as part of providing the Vaultbrix platform services.

3.2 Nature and Purpose

Processing is limited to:

• Hosting and storing data in PostgreSQL databases
• Providing API access (REST, GraphQL, Realtime)
• Authentication and session management
• Object storage for files and media
• Executing Edge Functions on your behalf
• AI Context Engine schema introspection (metadata only, not data content)
• Backup and disaster recovery operations

3.3 Duration

Processing continues for the duration of your subscription, plus a 30-day grace period for data export, plus any legally required retention periods.

3.4 Types of Personal Data

The categories of Personal Data processed depend entirely on what you choose to store. Common categories include:

• Names, email addresses, phone numbers
• User account information
• Authentication credentials (hashed)
• IP addresses and access logs
• Any other personal data you store in your databases

3.5 Categories of Data Subjects

Data Subjects are determined by you and may include your customers, employees, contractors, or any individuals whose data you store.

4. Obligations of Vaultbrix (Processor)

4.1 Processing Instructions

We will process Personal Data only in accordance with your documented instructions, including those in the Terms of Service, this DPA, and through your use of the platform. We will inform you if we believe an instruction violates applicable data protection laws.

4.2 Confidentiality

All Vaultbrix personnel with access to Personal Data are subject to confidentiality obligations and have received appropriate training on data protection.

4.3 Security Measures

We implement appropriate technical and organizational measures including:

• AES-256 encryption at rest for all database data
• TLS 1.3 encryption for all data in transit
• Role-based access controls (RBAC)
• Row Level Security (RLS) enforcement
• Network isolation and firewalls
• Regular security audits and penetration testing
• SOC 2 Type II certification (in progress)
• 24/7 infrastructure monitoring

4.4 Sub-processor Management

You authorize us to engage Sub-processors listed in Annex 2. We will:

• Maintain a current list of Sub-processors
• Notify you at least 30 days before adding new Sub-processors
• Ensure Sub-processors are bound by equivalent data protection obligations
• Remain liable for Sub-processor compliance

4.5 Assistance Rights

We will assist you in:

• Responding to Data Subject requests (access, rectification, erasure, portability)
• Conducting Data Protection Impact Assessments (DPIAs)
• Consulting with supervisory authorities
• Meeting security obligations under GDPR Articles 32-34

4.6 Security Incident Notification

In the event of a Security Incident affecting your Personal Data:

• We will notify you within 72 hours of becoming aware
• Notification will include: nature of the incident, categories of data affected, likely consequences, and remediation measures
• We will cooperate with your incident response and regulatory notification obligations

4.7 Data Return and Deletion

Upon termination of your subscription:

• You have 30 days to export your data via dashboard or API
• After 30 days, we will delete all Personal Data from active systems
• Backup copies will be purged according to retention schedules (maximum 90 days)
• We will provide written confirmation of deletion upon request

5. Obligations of Customer (Controller)

5.1 Lawful Basis

You are responsible for ensuring you have a valid lawful basis (consent, contract, legitimate interest, etc.) for processing Personal Data stored on Vaultbrix.

5.2 Data Subject Rights

You are responsible for responding to Data Subject requests. We provide tools (API, dashboard) to help you fulfill these requests.

5.3 Instructions

You are responsible for ensuring your processing instructions comply with applicable data protection laws.

6. International Data Transfers

6.1 Administrative Data

Limited administrative data (account information, billing) may be processed by Sub-processors in the EU/EEA. Such transfers are protected by:

• EU-Switzerland adequacy decision
• Standard Contractual Clauses (SCCs) where required

6.2 Standard Contractual Clauses

Where SCCs are required, we incorporate the EU Commission's Standard Contractual Clauses (Module 2: Controller to Processor) as adopted by Decision 2021/914.

7. Audits

You may audit our compliance with this DPA subject to:

• 30 days written notice
• Reasonable scope and duration
• Confidentiality obligations regarding information accessed
• Audit costs borne by you, unless non-compliance is found

Alternatively, we provide:

• SOC 2 Type II audit reports (upon request under NDA)
• Security questionnaire responses
• Penetration test summaries

Annex 1: Technical and Organizational Measures

A1.1 Access Control

• Multi-factor authentication (MFA) for all staff
• Principle of least privilege
• Regular access reviews (quarterly)
• Automatic session timeouts
• Unique user accounts (no shared credentials)

A1.2 Encryption

• AES-256 encryption at rest (database, storage, backups)
• TLS 1.3 for all data in transit
• Key management using HSM-backed systems
• Regular key rotation

A1.3 Network Security

• Firewalls and network segmentation
• DDoS protection (Cloudflare/Caddy)
• Intrusion detection systems (IDS)
• VPN for administrative access

A1.4 Physical Security

• ISO 27001 certified data center (Infomaniak, Geneva)
• 24/7 on-site security
• Biometric access controls
• CCTV surveillance

A1.5 Business Continuity

• Automated backups with point-in-time recovery
• RPO: 1 hour, RTO: 4 hours
• Off-site backup replication
• Documented disaster recovery procedures
• Annual DR testing

A1.6 Monitoring and Logging

• Centralized logging (90-day retention)
• Audit logs for administrative actions (1-year retention)
• Real-time alerting for security events
• Regular log reviews

Annex 2: Authorized Sub-processors

Updates: Subscribe to Sub-processor updates at legal@starbox-group.com or check this page regularly.

8. Contact

For DPA inquiries or to request a countersigned copy:
Email: legal@starbox-group.com
Data Protection: privacy@starbox-group.com
Address: Starbox Group GmbH, 1288 Geneva, Switzerland

9. Related Documents

• Terms of Service
• Privacy Policy
• Service Level Agreement (SLA)
• Data Retention Policy