Data processing addendum · template
Customer instructions govern customer data.
This addendum becomes binding only when incorporated into an executed Varistra order. The contracting entity and governing law are identified on that order.
Roles and instructions
The customer is controller or business; Varistra is processor or service provider for customer data submitted to the service. Varistra processes that data only to provide, secure, support, and improve the contracted service, or as required by law.
Confidentiality and security
Access is limited to authorized personnel and service providers under confidentiality duties. Technical controls include tenant scoping, encryption of retained sources, hashed credentials and tokens, immutable evidence records, audit events, retention settings, and backup procedures.
Subprocessors and transfers
Infrastructure, email, payment, authentication, and connected-source providers may process limited data for their service. The current subprocessor and hosting-region schedule is supplied with the order. Material changes are notified through the agreed contact.
Requests, incidents, and deletion
Varistra will reasonably assist with data-subject requests, security inquiries, and impact assessments appropriate to the processing. Confirmed incidents affecting customer data are communicated without undue delay. Workspace deletion removes application records and retained objects; backup expiration follows the contracted retention schedule.
Return and audit
Customers can export snapshots, decisions, outcomes, reports, and audit events. Reasonable security documentation is provided under confidentiality before on-site audit is considered.