
Data Processing Addendum

Last updated April 11, 2026. GDPR Article 28 terms.

1. Introduction

This Data Processing Addendum ("DPA") forms part of the Terms of Service between K.M.AMINE PFA ("VOTLI", "Processor") and the customer ("Customer", "Controller") that uses the VOTLI Service. It applies whenever VOTLI processes personal data on behalf of the Customer in connection with the Service (such data, "Customer Personal Data").

Capitalised terms not defined here have the meaning given in the Terms of Service or the GDPR, as applicable. "GDPR" means Regulation (EU) 2016/679 and, where applicable, the UK General Data Protection Regulation.

2. Roles of the parties

For Customer Personal Data, the Customer is the Controller and VOTLI is the Processor. VOTLI processes Customer Personal Data only on documented instructions from the Customer, which include these Terms and the configuration options the Customer selects in the Service.

3. Subject matter and details of processing

Item | Detail
Subject matter | Provision of the VOTLI Service to the Customer.
Duration | For the term of the agreement, plus any post-termination retention period described below.
Nature and purpose | Hosting, storing, transmitting, displaying, and securing Customer Personal Data to operate the Service.
Categories of data subjects | Customer's end-users, including waitlist subscribers, support ticket submitters, people submitting deletion requests, and visitors to Customer's VOTLI-hosted pages.
Categories of personal data | Contact details (name, email), device / technical data (IP, user-agent), content submitted by data subjects (ticket messages, deletion-request reasons, waitlist form fields), and any other data the Customer chooses to process through the Service.
Special categories | The Service is not designed for special categories of personal data (Article 9 GDPR). The Customer agrees not to upload such data except with prior written arrangement.

4. Customer obligations

The Customer warrants that:

  • It has a lawful basis to process the Customer Personal Data and to instruct VOTLI to do so.
  • It has provided appropriate notices to its end-users, and obtained any required consents.
  • Its instructions to VOTLI comply with data protection law.
  • It will not configure the Service in a way that would cause VOTLI to violate data protection law.

5. VOTLI obligations

VOTLI will:

  • Process Customer Personal Data only on the Customer's documented instructions, unless required by law to do otherwise.
  • Ensure that persons authorised to process Customer Personal Data are bound by confidentiality.
  • Implement appropriate technical and organisational security measures (see Annex 2).
  • Assist the Customer in responding to data-subject requests and in meeting obligations under Articles 32–36 GDPR, taking into account the nature of processing and the information available to VOTLI.
  • Notify the Customer without undue delay and in any case within 72 hours after becoming aware of a personal data breach affecting Customer Personal Data.
  • Make available information necessary to demonstrate compliance with this DPA, and allow audits as described in Section 9.

6. Sub-processors

The Customer provides general authorisation for VOTLI to engage sub-processors to process Customer Personal Data. VOTLI maintains a current list at votli.app/legal/sub-processors.

VOTLI will notify the Customer (by updating that page and, for material changes, by email where the Customer has subscribed to such notices) at least 15 days before adding or replacing a sub-processor. The Customer may object in writing within that period on reasonable data protection grounds. If VOTLI cannot accommodate the objection, the Customer may terminate the affected part of the Service for convenience.

VOTLI enters into a written agreement with each sub-processor that imposes data protection obligations substantially similar to those in this DPA and remains liable for the acts and omissions of its sub-processors.

7. International transfers

Where Customer Personal Data is transferred from the EEA, the UK, or Switzerland to a country not recognised as providing an adequate level of protection, the parties agree that such transfers are governed by the European Commission's Standard Contractual Clauses (Module Two: Controller-to-Processor), incorporated by reference, with docking clause enabled and Option 2 selected in Clause 9(a). The UK International Data Transfer Addendum applies to transfers from the UK.

8. Data subject rights

VOTLI will, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, to fulfill the Customer's obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR. Where VOTLI receives a request directly from a data subject relating to Customer Personal Data, VOTLI will not respond substantively and will forward the request to the Customer without undue delay.

9. Audits

VOTLI will make available to the Customer, on request and at reasonable intervals (no more than once per year, except following a personal data breach), information necessary to demonstrate compliance with this DPA, including third-party certifications or reports where available. Where the Customer reasonably requires further information, the parties will agree in good faith on the scope, timing, and cost of an audit. Audits are subject to confidentiality obligations and must not unreasonably disrupt the Service.

10. Return and deletion

On termination of the agreement, VOTLI will, at the Customer's choice, delete or return all Customer Personal Data, and delete existing copies, unless retention is required by law. In the absence of an election, VOTLI will delete Customer Personal Data within 90 days of termination. Backups are retained for up to 30 additional days and will be overwritten in the normal course of operation.

11. Liability

Each party's liability under or in connection with this DPA is subject to the limitations and exclusions in the Terms of Service. Nothing in this DPA limits liability that cannot be limited by applicable law.

12. Conflict

In case of conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of Customer Personal Data.

Annex 1 — Parties

  • Controller: The Customer, as identified in the VOTLI account.
  • Processor: K.M.AMINE PFA, Bucharest, Sector 1, Bucureștii Noi Boulevard, No. 13, Romania. Contact: [email protected].

Annex 2 — Technical and organisational measures

  • Access control. Role-based access controls; least-privilege access to production systems; multi-factor authentication for administrators.
  • Encryption. TLS 1.2+ in transit; encryption at rest where supported by the underlying storage.
  • Network security. Web Application Firewall; DDoS protection; rate limiting at the edge.
  • Logging and monitoring. Application and infrastructure logs retained for audit and security investigation.
  • Backups. Encrypted, regularly tested database backups.
  • Vendor management. Sub-processors are bound by written agreements with equivalent obligations.
  • Personnel. Confidentiality obligations for all staff; security awareness training.
  • Incident response. Documented process for detecting, assessing, and notifying personal data breaches.

Annex 3 — Sub-processors

The current list of authorised sub-processors is maintained at votli.app/legal/sub-processors and forms part of this DPA.

13. How to accept this DPA

This DPA is automatically incorporated into the Terms of Service when the Customer accepts them. Customers who require a counter-signed copy may request one by emailing [email protected].

Questions about this document? Email [email protected] or visit the legal hub.