Data Processing Agreement (DPA)
Last updated: February 3, 2025
This DPA (Data Processing Agreement), including its annexes, constitutes an addendum to the VKARD Terms of Sale or Terms of Use (hereinafter referred to as the “Master Agreement”). It automatically applies to any client (individual or business) with an active VKARD profile, including those using free or non-customized products, without requiring a manual signature. It governs the processing of personal data carried out by VKARD on behalf of the client as part of the provision of its digital services.
It applies to data processing performed via VKARD services, including the online platform, digital cards, contact management tools, and profile editing tools.
1. Definitions
The terms used in this DPA, particularly “Personal Data,” “Processing,” “Controller,” “Processor,” “Data Subject,” “Data Breach,” shall have the meaning given under the General Data Protection Regulation (GDPR – Regulation (EU) 2016/679). Definitions from other applicable laws (CCPA, FADP, etc.) are considered based on the origin of the processed data.
2. Roles of the Parties
The Client acts as the Controller under the GDPR. VKARD acts as the Processor pursuant to Article 28 of the GDPR. The obligations described in this DPA apply whenever VKARD processes Personal Data on behalf of the Client, whether the Client is a business, professional, or individual with a user account.
VKARD may also act as a Controller for certain purposes (e.g., CRM management, customer support, or legal obligations). These processes are independent of this DPA.
3. Description of Processing
- Purpose: providing contactless digital business cards, managing professional digital profiles, generating contact links, collecting leads, configuring email signatures, personalizing the Client’s branding.
- Data subjects: Client employees, administrators, contacts, and leads who interact with a VKARD profile.
- Categories of data processed: first and last names, job title, professional contact details (email, phone), photo, company name and logo, links to social profiles, shared documents, calendar, exchange links or personalized messages.
- Retention period: during the contractual relationship, then 24 months after account inactivity or deletion, unless legal obligations or other instructions require otherwise.
4. Processor Commitments
VKARD commits to:
- Process data only on the Client’s documented instructions;
- Ensure confidentiality through staff training, written commitments, and fine-grained access control;
- Maintain a record of processing activities in accordance with Article 30 of the GDPR;
- Provide technical and documentation support to enable the Client to respond to Data Subject rights requests (access, rectification, erasure, restriction, portability);
- Return or delete data at the end of the contract per the Client’s choice, providing a deletion certificate upon request.
VKARD maintains a record of processing activities accessible upon reasonable Client request regarding data processed on its behalf.
5. Security Measures
VKARD has implemented appropriate technical and organizational measures to ensure a risk-appropriate level of security, including:
- Data encryption (AES-256) at rest and in transit;
- Hosting by providers recognized for compliance (Scaleway – France, AWS France, Google Cloud – Belgium);
- Access controls with strong authentication, rights limited to strict necessity;
- Internal and external security audits, including periodic penetration tests;
- Logging of security events;
- An operational disaster recovery plan (DRP), reviewed annually.
VKARD shall provide, upon written request from the Client, any relevant documentation demonstrating the implementation of the above security measures within a reasonable timeframe.
When interconnection or data exchange with the Client’s information system is required, VKARD ensures that access is secure and compliant with applicable security standards, including authentication, encryption, and rights limitation. This interconnection is read-only unless expressly agreed by the Client.
VKARD implements a procedure of regular tests (code reviews, static analyses, penetration tests) to assess and improve the effectiveness of technical and organizational measures.
VKARD’s processing services are designed to ensure high availability, integrity, and resilience, including via redundant backups, alert mechanisms, and recovery plans.
VKARD ensures that any sub-processors provide sufficient guarantees of security, confidentiality, and GDPR compliance through standard contractual commitments, recognized certifications, or external audits. VKARD reasonably ensures these sub-processors maintain a level of protection equivalent to that required by this Agreement.
6. Sub-Processing
VKARD may engage sub-processors for certain services (e.g., hosting, support). Authorized sub-processors as of this DPA are listed below. Any additions or replacements will be notified on this page or through other appropriate communication channels.
The Client will be informed at least 15 calendar days in advance of significant sub-processor changes and may object for legitimate and verifiable reasons within this period.
- Scaleway – Database hosting (France)
- AWS France – Image and static resource storage
- Google Cloud Belgium – Website and public profile hosting
7. Transfers outside the European Union
VKARD does not transfer Personal Data outside the European Economic Area (EEA) without explicit Client authorization and under adequate safeguards such as European Commission Standard Contractual Clauses (SCC) or other legally recognized guarantees.
8. Data Breach Notification
In the event of a personal data breach, VKARD:
- Notifies the Client without undue delay, and no later than 48 hours after discovery;
- Provides all relevant information to enable the Client to notify the supervisory authority and, if applicable, affected data subjects;
- Documents the incident in a dedicated register and fully collaborates in resolving it.
Additionally, VKARD commits to:
- Inform the Client immediately if an instruction constitutes a clear violation of the GDPR or other applicable law;
- Notify the Client without delay if unable to follow instructions and collaborate to find a compliant solution or organize temporary/permanent suspension of processing;
- Inform the Client within 72 hours of any administrative or judicial request regarding the processing, unless legally prohibited;
- Not disclose any information to authorities unless legally required, and inform the Client in advance when possible;
- Inform the Client of any control or sanction affecting the processing covered by this DPA, as permitted by law.
9. Right to Audit
For Pro plan clients, VKARD allows compliance audits under the following conditions:
- At least 15 calendar days’ prior written notice must be given to VKARD;
- Time provided free of charge by VKARD teams is limited to 10% of the annual contract value (based on 1000€/day/person). Beyond this, VKARD may offer resources on quotation. The Client may perform audits remotely or via a mandated provider with VKARD’s prior written approval for security and confidentiality reasons;
- Any excess will require a prior quote. Additional services are billed per current rates and scheduled mutually;
- On-site audits or audits involving third parties require VKARD written approval and must respect other clients’ confidentiality.
10. Data Retention, Return, and Deletion
At the end of the contractual relationship, the Client may request:
- Return of all data in a commonly usable format (CSV, JSON);
- Complete deletion of production and backup data, accompanied by a deletion certificate;
- Certain data may still be retained beyond the contractual period if legally required (e.g., invoicing, evidence, regulatory compliance).
- Temporary retention for evidence or to meet specific legal obligations.
VKARD commits to processing all rights requests within 30 days according to documented procedures.
11. Privacy by Design and by Default
VKARD incorporates Privacy by Design and by Default principles in all development processes, implementing appropriate technical and organizational measures throughout the product lifecycle to ensure a risk-appropriate security level.
By default, only data strictly necessary for the processing purpose is collected, used, and accessible to authorized personnel, ensuring GDPR compliance and optimal protection of personal data processed on behalf of the Controller.
12. Data Subject Rights Management
VKARD has implemented a documented process to handle Data Subject requests under the GDPR (access, rectification, erasure, objection, restriction, portability). VKARD informs the Controller of any direct requests and fully cooperates to respond within legal deadlines.
13. Governing Law and Jurisdiction
This DPA is governed by French law. Any dispute regarding its validity, interpretation, or execution falls under the exclusive jurisdiction of Paris courts, unless mandatory law provides otherwise.
14. Version History
- June 23, 2025 – Clarification of roles and sub-processors
- April 4, 2024 – First public release
For questions regarding data protection, the Client may contact VKARD’s Data Protection Officer (DPO) at dpo@vkard.io.
