Data Processing Addendum

Last updated: March 10, 2026

Overview

This Data Processing Addendum ("DPA") is entered into between Vespper, Inc. ("Vespper," "Processor") and the customer entity agreeing to these terms ("Controller") and forms part of the agreement governing use of Vespper's Services (the "Agreement").

This DPA reflects the parties' agreement with regard to the processing of Personal Data in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), UK GDPR, and applicable U.S. state privacy laws.

Definitions

  • Data Controller: The entity that determines the purposes and means of processing Personal Data. Under this DPA, the customer is the Controller.
  • Data Processor: The entity that processes Personal Data on behalf of the Controller. Under this DPA, Vespper is the Processor.
  • Personal Data: Any information relating to an identified or identifiable natural person, as defined under applicable data protection law.
  • Processing: Any operation or set of operations performed on Personal Data, whether or not by automated means.
  • Sub-processor: Any third party engaged by Vespper to process Personal Data on behalf of the Controller.

Subject Matter, Nature, and Purpose of Processing

Vespper processes Personal Data solely to provide the Services described in the Agreement, which include AI-assisted document drafting, review, and management for regulatory and life-science professionals.

Categories of data subjects: Employees, contractors, and authorized users of the Controller; and individuals whose Personal Data may be incidentally included in documents uploaded by the Controller.

Categories of Personal Data: Identity and contact information (name, email, job title); account credentials; usage and log data; and any Personal Data incidentally contained in documents or content uploaded by the Controller.

Duration: Vespper processes Personal Data for the term of the Agreement. Upon termination, data is deleted or returned as described in the Data Retention section below.

Processor Obligations

Vespper shall:

  • Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law.
  • Ensure that persons authorized to process Personal Data are bound by appropriate confidentiality obligations.
  • Implement technical and organizational measures to ensure a level of security appropriate to the risk, including as set out in the Security Measures section below.
  • Not engage Sub-processors without prior general or specific written authorization from the Controller, and ensure Sub-processors are bound by equivalent data protection obligations.
  • Assist the Controller in fulfilling its obligations to respond to Data Subject requests, taking into account the nature of the processing.
  • Assist the Controller in ensuring compliance with its obligations regarding security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
  • Delete or return all Personal Data to the Controller upon termination of the Agreement, and delete existing copies unless retention is required by applicable law.
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits as described below.

Security Measures

Vespper implements industry-standard technical and organizational security measures, including:

  • Encryption of Personal Data in transit (TLS) and at rest (AES-256)
  • Access controls, role-based permissions, and multi-factor authentication
  • Regular security assessments and vulnerability monitoring
  • Employee training on data protection and security practices
  • Incident response and breach management procedures
  • Logical separation of customer data

Sub-processors

The Controller grants Vespper general authorization to engage Sub-processors to assist in providing the Services. Vespper maintains a current list of Sub-processors and will provide at least 14 days' notice of any intended changes (additions or replacements), giving the Controller the opportunity to object.

A current list of Sub-processors is available upon request at privacy@vespper.com. All Sub-processors are bound by written agreements requiring data protection obligations no less protective than this DPA.

Data Subject Rights

Vespper will promptly notify the Controller of any Data Subject requests received and will provide reasonable assistance to help the Controller fulfill its obligations under applicable law, including requests for access, rectification, erasure, restriction of processing, data portability, and objection to processing.

Data Breach Notification

In the event of a Personal Data breach, Vespper will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. Notification will include, to the extent available: the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed to address the breach.

International Data Transfers

Where Personal Data is transferred from the European Economic Area, United Kingdom, or Switzerland to countries not recognized as providing an adequate level of protection, such transfers will be made pursuant to:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission, incorporated herein by reference; or
  • The EU–U.S. Data Privacy Framework or UK Extension thereof, where applicable.

Data Retention and Deletion

Upon termination or expiration of the Agreement, Vespper will, at the Controller's election, delete or return all Personal Data within 90 days, unless applicable law requires longer retention. Vespper will certify such deletion upon request.

Audit Rights

Vespper will make available all information reasonably necessary to demonstrate compliance with this DPA. Upon reasonable written notice, Vespper will allow for and contribute to audits conducted by the Controller or an independent third-party auditor appointed by the Controller, subject to reasonable confidentiality obligations and at the Controller's cost.

Contact

For questions about data processing or to exercise rights under this DPA, contact our Data Protection Officer at dpo@vespper.com. For general privacy inquiries, contact privacy@vespper.com.
