Data Processing Agreement
1. Definitions
This Data Processing Agreement ("DPA") defines the conditions under which Vitrin processes personal data as a Data Processor for its customers (the "Data Controllers"). It applies to data processing carried out in connection with the provision of Vitrin services.
2. Roles and Responsibilities
Data Controller: The Vitrin customer who determines the purposes and means of data processing.
Data Processor: Vitrin, which processes data according to the Data Controller's instructions.
3. Personal Data Processed
Vitrin processes the following categories of personal data:
- Catalog data (product names, descriptions, images, prices)
- Quote request data (names, email addresses, phone numbers, addresses)
- Authentication data (emails, hashed passwords)
- Branding data (logos, colors, customization settings)
4. Purpose and Duration of Processing
Vitrin processes data to provide the Vitrin service according to the Data Controller's instructions. Processing continues for as long as the service is active; data is then deleted within 30 days of account termination.
5. Data Processing Under GDPR
Vitrin processes data in compliance with the General Data Protection Regulation (GDPR) and applicable data protection laws. Vitrin implements appropriate technical and organizational security measures to protect data.
6. Data Security
Vitrin implements the following security measures:
- TLS/SSL encryption for data in transit
- Encryption for sensitive data at rest
- Role-based access with strong authentication
- Regular backups with geographic redundancy
- Regular security audits and testing
- Strict confidentiality policy for employees
7. Sub-processors
Vitrin uses the following sub-processor services to host and process data:
- Supabase: Database hosting (EU)
- Vercel: Frontend hosting (EU)
- SendGrid/Nodemailer: Email service
The Data Controller may request the full list of sub-processors at any time.
8. Data Subject Rights
Data subjects enjoy the following rights:
- Right of access to their data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to data portability
- Right to object to processing
9. International Transfers
Data is stored in Europe. No data transfers outside the EEA are made without an adequate transfer mechanism compliant with GDPR.
10. Data Protection Contact
For any questions regarding data processing, contact: privacy@vitrin-catalog.com
Last updated: 5/11/2026