
Data Processing Agreement

Last updated: March 10, 2026

1. Definitions

"Controller" means the entity that determines the purposes and means of processing personal data (you, the customer).

"Processor" means VINCONY AI LTD (Company Number: 17047337), registered at 3rd Floor, 86-90 Paul Street, London EC2A 4NE, England, which processes personal data on behalf of the Controller.

"Sub-processor" means any third party engaged by the Processor to process personal data.

"Personal Data" means any information relating to an identified or identifiable natural person.

"Processing" means any operation performed on personal data, including collection, storage, use, and deletion.

2. Scope and Purpose

This Data Processing Agreement ("DPA") applies to the processing of personal data by Vincony on behalf of the customer in connection with the provision of the Vincony AI platform services. Vincony processes personal data solely for the purpose of delivering the Service as described in the Terms of Service.

3. Obligations of the Processor

Vincony shall:

  • Process personal data only on documented instructions from the Controller
  • Ensure that persons authorised to process personal data are bound by confidentiality obligations
  • Implement appropriate technical and organisational security measures
  • Not engage another processor without prior written authorisation from the Controller
  • Assist the Controller in responding to data subject requests
  • Delete or return all personal data upon termination of services, at the Controller's choice
  • Make available all information necessary to demonstrate compliance

4. Sub-processors

Vincony uses the following sub-processors to deliver the Service:

  • Stripe (San Francisco, USA) — Payment processing and subscription management
  • OpenAI (San Francisco, USA) — AI model inference for text generation
  • Anthropic (San Francisco, USA) — AI model inference for text generation
  • Google Cloud / DeepMind (Mountain View, USA) — AI model inference
  • ElevenLabs (New York, USA) — Audio and speech generation
  • Resend (San Francisco, USA) — Transactional email delivery

Vincony will notify the Controller of any intended changes to sub-processors, providing the Controller with an opportunity to object.

5. Security Measures

Vincony implements the following technical and organisational measures:

  • Encryption at rest (AES-256) and in transit (TLS 1.3)
  • Row-Level Security on all database tables
  • API key encryption using AES-GCM before database storage
  • Automated data retention and deletion (90-day generation lifecycle)
  • Regular security assessments and vulnerability scanning
  • Access controls with role-based permissions
  • Audit logging for administrative operations

6. Data Breach Notification

In the event of a personal data breach, Vincony shall:

  • Notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach
  • Provide details including the nature of the breach, categories and approximate number of affected individuals, likely consequences, and measures taken or proposed
  • Document all breaches and remediation steps

7. Data Subject Rights

Vincony shall assist the Controller in fulfilling its obligations to respond to data subject requests, including:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object

Vincony will respond to Controller instructions regarding data subject requests within 30 days.

8. International Data Transfers

Where personal data is transferred outside the European Economic Area or the United Kingdom, Vincony ensures appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission
  • Adequacy decisions where applicable
  • Binding Corporate Rules where relevant

9. Audit Rights

The Controller has the right to audit Vincony's compliance with this DPA. Vincony shall:

  • Provide access to relevant documentation upon reasonable request
  • Allow audits or inspections conducted by the Controller or an appointed auditor, subject to reasonable notice and confidentiality obligations
  • Cooperate fully with audit procedures

10. Term and Termination

This DPA shall remain in effect for the duration of the processing of personal data by Vincony. Upon termination:

  • Vincony shall delete or return all personal data within 30 days
  • Vincony shall certify deletion upon request
  • Obligations of confidentiality survive termination

11. Contact

For DPA-related inquiries or to request a signed copy, contact VINCONY AI LTD's Data Protection Officer at dpo@vincony.com.
