Data Processing Agreement
Last updated: May 2026
This DPA is concluded between vBoxx B.V. ('Processor') and the Customer ('Controller') and forms part of the vBoxxCloud subscription agreement. It satisfies Article 28 GDPR.
1. Subject
Processing of personal data by vBoxx on behalf of the Controller in connection with the vBoxxCloud service.
2. Duration
For as long as the Controller's subscription to vBoxxCloud is active, plus a 30-day export window.
3. Nature and purpose
Storage, transmission, and collaboration on Controller content; access logging; backup; and incident response.
4. Types of data
Any personal data the Controller chooses to upload. The Controller determines categories and data subjects.
5. Sub-processors
vBoxx uses a limited list of EU-based sub-processors (current list in the Trust Center). The Controller is informed in advance of any change and may object.
6. Security
vBoxx implements ISO 27001-aligned technical and organisational measures, including encryption at rest (AES-256), encryption in transit (TLS 1.3), access controls, and 24/7 monitoring.
7. International transfers
No personal data is transferred outside the EU/EEA.
8. Audits
The Controller may audit vBoxx once per calendar year, subject to reasonable notice and confidentiality. ISO 27001 reports may be provided in lieu of an on-site audit.
9. Breach notification
vBoxx notifies the Controller of any personal data breach without undue delay and at the latest within 48 hours of becoming aware.
10. Return / deletion
On termination, vBoxx returns or deletes all personal data within 30 days, except where retention is required by law.
A countersigned copy of this DPA is available on request; email legal@vboxx.eu.