Data Processing Agreement

Last updated: March 16, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between VectorLabs s.r.o. (IČO: 23149281), a company registered in the Czech Republic ("Processor," "we," "us"), and you, the customer ("Controller," "you").

This DPA applies where VectorLabs processes Personal Data on your behalf in the course of providing the JAX platform ("Service"), in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
  • "Processing" means any operation performed on Personal Data, as defined in Article 4(2) of the GDPR.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

3. Scope and Purpose of Processing

3.1 Subject Matter

The Processor provides JAX, an AI-powered product feedback platform. Processing is carried out for the purpose of delivering the Service as described in the Terms of Service.

3.2 Duration

Processing continues for the duration of the Controller's use of the Service and until all Personal Data is deleted or returned in accordance with this DPA.

3.3 Nature and Purpose of Processing

  • Storing and displaying screenshots and bug reports
  • Processing chat messages through AI models to generate issue descriptions and detect duplicates
  • Transmitting issue data to connected third-party task management platforms (Linear, Jira, Asana) as directed by the Controller
  • Indexing product documentation and code repositories for AI context
  • Account management and authentication
  • Analytics and service improvement (using aggregated/anonymized data where possible)

3.4 Types of Personal Data

  • Names and email addresses of team members
  • Authentication identifiers and profile pictures
  • Screenshots that may incidentally contain personal data visible on screen
  • Chat messages and feedback text
  • Browser metadata (IP address, user agent, viewport dimensions)
  • Console logs and network request data (HAR files) that may contain personal data

3.5 Categories of Data Subjects

  • Controller's employees and team members using the Service
  • End users of the Controller's web applications whose data may appear in screenshots, console logs, or network requests

4. Obligations of the Processor

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by EU or Member State law. The Terms of Service and the Controller's use of Service features constitute documented instructions.
  • Ensure that persons authorized to process Personal Data have committed to confidentiality or are under a statutory obligation of confidentiality.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 7.
  • Not engage another processor (Sub-processor) without prior general written authorization from the Controller, as described in Section 6.
  • Assist the Controller in fulfilling its obligations to respond to data subject requests under Chapter III of the GDPR.
  • Assist the Controller in ensuring compliance with the obligations under Articles 32 to 36 of the GDPR (security, breach notification, impact assessments, prior consultation).
  • At the Controller's choice, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless EU or Member State law requires storage.
  • Make available to the Controller all information necessary to demonstrate compliance with Article 28 obligations and allow for and contribute to audits and inspections, as described in Section 8.
  • Immediately inform the Controller if, in the Processor's opinion, an instruction infringes the GDPR or other EU or Member State data protection provisions.

5. Obligations of the Controller

The Controller shall:

  • Ensure that it has a lawful basis for the processing of Personal Data and that all necessary consents or notices have been obtained or provided.
  • Provide processing instructions that comply with applicable data protection laws.
  • Be responsible for ensuring that Personal Data submitted to the Service (including data incidentally captured in screenshots) is appropriate for processing and does not include special categories of personal data (Article 9 GDPR) unless the Controller has ensured a lawful basis and appropriate safeguards.
  • Inform the Processor without undue delay of any data subject requests received directly, where such requests relate to Personal Data processed by the Processor.

6. Sub-processors

6.1 General Authorization

The Controller provides general written authorization for the Processor to engage Sub-processors. The current list of Sub-processors is set out in Section 6.3 below.

6.2 Notification of Changes

The Processor shall inform the Controller of any intended additions or replacements of Sub-processors at least 30 days before the change, giving the Controller the opportunity to object. If the Controller objects on reasonable data protection grounds, the parties shall discuss the concern in good faith. If no resolution is reached, the Controller may terminate the affected Service.

6.3 Current Sub-processors

Sub-processor | Purpose | Location
Google (Gemini AI) | AI processing of chat messages, screenshots, and feedback | USA / EU
Clerk | Authentication and user management | USA
PostHog | Product analytics | EU
Hetzner | Server hosting and database infrastructure | EU (Finland)

Customer-directed integrations (Linear, Jira, Asana, etc.) are not Sub-processors — data is transmitted to these platforms under the Controller's instructions and the Controller's separate agreement with those providers.

6.4 Sub-processor Obligations

The Processor shall impose the same data protection obligations as set out in this DPA on each Sub-processor by way of a contract. The Processor remains fully liable to the Controller for the performance of each Sub-processor's obligations.

7. Security Measures

The Processor implements and maintains appropriate technical and organizational measures, including:

  • Encryption of Personal Data in transit (TLS 1.2+) and at rest
  • Access controls with role-based permissions and multi-factor authentication for administrative access
  • Regular security updates and vulnerability patching
  • Network isolation and firewall protection
  • Logging and monitoring of access to systems containing Personal Data
  • Confidentiality obligations for all personnel with access to Personal Data
  • Regular review and testing of security measures

8. Audits

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and Article 28 of the GDPR.

The Controller may conduct an audit, or appoint a qualified third-party auditor (subject to reasonable confidentiality obligations), to verify the Processor's compliance with this DPA. Audits shall:

  • Be conducted with at least 30 days' prior written notice
  • Take place during normal business hours
  • Not unreasonably disrupt the Processor's operations
  • Be limited to once per 12-month period, unless a Data Breach has occurred or a supervisory authority requires an audit
  • Be at the Controller's expense

9. Data Breach Notification

The Processor shall notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a Data Breach affecting Personal Data processed under this DPA. The notification shall include:

  • A description of the nature of the Data Breach, including the categories and approximate number of data subjects and records concerned
  • The name and contact details of the point of contact for further information
  • A description of the likely consequences of the Data Breach
  • A description of the measures taken or proposed to address the Data Breach, including measures to mitigate its effects

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach.

10. Data Subject Rights

The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, and objection).

If the Processor receives a request from a data subject directly, it shall promptly notify the Controller and shall not respond to the request without the Controller's instructions, unless legally required to do so.

11. International Transfers

Where Personal Data is transferred outside the European Economic Area (EEA), the Processor ensures that appropriate safeguards are in place, including:

  • Adequacy decisions — transfers to countries with an adequate level of data protection as determined by the European Commission.
  • Standard Contractual Clauses (SCCs) — the European Commission's approved standard contractual clauses (Commission Implementing Decision (EU) 2021/914) are incorporated into Sub-processor agreements where applicable.
  • EU-U.S. Data Privacy Framework — for transfers to US-based Sub-processors that are certified under the DPF.

A copy of the relevant transfer mechanism is available upon request.

12. Data Retention and Deletion

Upon termination of the Service or upon the Controller's written request, the Processor shall:

  • Delete all Personal Data processed on behalf of the Controller within 30 days, unless EU or Member State law requires further storage.
  • Upon request, provide the Controller with a copy of the Personal Data in a structured, commonly used, machine-readable format before deletion.
  • Certify in writing that deletion has been completed, upon the Controller's request.

Aggregated, anonymized data that can no longer be used to identify any natural person may be retained for analytics and service improvement purposes.

13. Data Protection Impact Assessments

The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments (DPIAs) and prior consultations with supervisory authorities that the Controller is required to carry out under Articles 35 and 36 of the GDPR, to the extent that such assistance relates to the processing performed by the Processor.

14. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service. This DPA does not limit either party's liability for breaches of data protection law to the extent that such limitation is not permitted under applicable law.

15. Term and Termination

This DPA takes effect when the Controller begins using the Service and remains in effect for as long as the Processor processes Personal Data on behalf of the Controller.

The obligations under this DPA survive the termination of the Terms of Service to the extent necessary to complete the processing, deletion, or return of Personal Data.

16. Governing Law

This DPA is governed by the laws of the Czech Republic. Any disputes shall be subject to the exclusive jurisdiction of the courts of the Czech Republic, without prejudice to the rights of data subjects under GDPR Article 79 to lodge proceedings before the courts of the Member State where the data subject has habitual residence.

17. Contact

For questions about this DPA or to exercise any rights under it, please contact us at:

VectorLabs s.r.o.

IČO: 23149281

Email: hello@vectorlabs.cz

Web: vectorlabs.cz