scope
this addendum applies whenever a vøiddo customer submits personal data of end users, staff, or contractors through our services — the scrb web app and api, the rankd web app and embeddable widget, the tells web app and api, our wordpress plugins on customer-managed sites, our browser extensions when used in a paid configuration, and any custom api integration — and that personal data falls under the gdpr, the uk gdpr, the swiss federal act on data protection, or another comparable regulation. it does not apply to the account-level data you provide about yourself when you sign up (your own name and email); that is covered by our privacy policy, which describes us as the controller for our own account database.
roles
the customer (you, the business who signed up) is the data controller: you decide what personal data of your own end users enters our systems, why it is being processed, and on what lawful basis. vøiddo acts strictly as the data processor: we process that data only on your documented instructions and only to deliver the service you have paid for. we do not use customer-submitted personal data for our own marketing, we do not feed it into the training of any foundational ai model, we do not resell it to a data broker, and we do not enrich it with third-party sources to make it more profitable. the inference partner we use for ai model calls is contractually bound by the same no-training clause, written into the sub-processor agreement.
sub-processors
we use a deliberately small set of sub-processors. paddle.com inc and its european operating entity paddle.com market limited (dublin, ireland) handle billing, payment processing, vat, sales tax, refunds, and chargebacks; they receive customer billing details and transaction records, never user-submitted content. cloudflare, inc. provides network protection and cdn caching in front of every voiddo.com property; they see request metadata at the edge but cannot read tls-encrypted bodies. our ai inference partner processes the text content of generation calls under a contractual no-training, no-retention-beyond-the-call clause; the partner is named on request via the support inbox to verified business customers. hetzner online gmbh hosts the production database and application servers in their frankfurt am main data centre under eu jurisdiction. when we add or change a sub-processor we update this document and email every active business customer with at least thirty days' notice before the change goes live; objection within that window allows you to terminate the contract without penalty.
security measures
in transit we use tls 1.2 or higher with modern cipher suites; all our endpoints earn an “a” on the ssllabs report. at rest, application data sits on encrypted managed disks; database backups are encrypted with a separate key and stored off-host. access to the production database and the production application servers is limited to two named on-call engineers, protected by ssh keys plus a hardware-backed second factor, and logged centrally with the log retained for ninety days. application secrets are never committed to the repository; they live in a managed secret store and are rotated on staff changes. backups are taken hourly, retained for thirty days, and tested for restoration quarterly. we do not run a soc 2 audit and we are honest about that — what we do run is the documented controls listed here, available to verified business customers on request.
international transfers
personal data is processed primarily inside the european union. voiddo oÜ is an estonian private limited company registered via the e-residency programme, with its registered office in kohtla-järve, estonia. our primary application servers, the production database, and our backup archives all run in hetzner’s frankfurt am main data centre, inside germany, inside the eu. some of our sub-processors (notably the ai inference partner and certain edge cdn nodes) operate from facilities in the united states or other jurisdictions outside the european economic area. where personal data crosses the eea boundary we rely on the european commission’s standard contractual clauses (commission implementing decision 2021/914) and on the uk international data transfer addendum where uk data is in scope. additional contractual safeguards (no-training clauses, data minimisation clauses, retention caps) are applied where the destination country is not recognised by the european commission as providing an adequate level of protection.
data subject rights
if one of your end users exercises a gdpr right against you — the right of access, the right of rectification, the right of erasure (article 17), the right of portability, or the right to object — we will assist you in responding within the statutory thirty-day deadline. in practice this usually means a member of our team locating the relevant records in the production database, the api access logs, and the active backup archives, and either exporting them in a structured machine-readable format or deleting them irreversibly on your behalf. requests come in via support@voiddo.com with the subject line “dsar assistance” and are routed to the engineer on duty; the realistic turnaround is two to three working days for a complete export, longer only if a request requires us to reconstruct historical state from cold backups.
breach notification
if we become aware of a personal data breach affecting customer data — meaning unauthorised access, accidental disclosure, ransomware, an over-permissive backup leaking outside its acl, or any incident that would meet the gdpr article 4(12) definition — we will notify the affected customers without undue delay and in any case within seventy-two hours of confirmation that a breach has occurred. the notification will include the nature of the breach as known at that point, the categories and approximate number of data subjects and records concerned, the likely consequences, the mitigations we are running, and the named contact for follow-up questions. we will not bury a breach inside a quiet email to one mailbox; we will write to every active business customer who could have been affected and we will publish a public post-mortem on the blog once the incident is closed.
audit rights
once per calendar year, on at least thirty days' written notice, a business customer can request documentation of our security posture — a written summary of the controls described above, copies of any third-party audit reports or penetration test results we currently hold, the current list of sub-processors with their relevant data-processing terms, and a statement of compliance signed by the founder. on-site audits are accepted on the same notice window, conducted within working hours at our discretion, scoped to systems and personnel directly relevant to your data, and paid for by the requesting customer. we will not refuse a reasonable audit; we will also not pretend we have controls we do not have.
return and deletion of data
on termination of the service agreement — whether by you cancelling, by us cancelling, or by the contract simply running out — the customer can choose to either receive an export of all personal data we hold on their behalf in a structured machine-readable format (json or csv, depending on the product), or to request irreversible deletion. unless otherwise instructed, we default to deletion: active database records are purged within thirty days, backup archives that include the data are rotated out within ninety days, and after ninety days no recoverable copy exists on our infrastructure. an export request received during the thirty-day window is delivered as a one-time download link with seven-day validity; longer deliveries can be arranged for unusually large estates.
assistance with impact assessments
where the customer is required by gdpr article 35 to carry out a data protection impact assessment, or article 36 to consult a supervisory authority, we will make available all information reasonably necessary to fulfil that obligation, taking into account the nature of the processing and the information available to us. in practice this means a written response to a structured questionnaire covering data flows, sub-processor list, security controls, transfer mechanisms, and retention windows; we maintain a master copy of the questionnaire internally so that responses are consistent across customers and across time.
signing and contact
most business customers accept this addendum by reference through our terms of service when they create an account — the terms incorporate this dpa and the privacy policy by url. customers with a written contract or a procurement process that requires a separately signed pdf can request a countersigned copy from support@voiddo.com; we aim to return a signed version within two working days, with the legal entity named as “voiddo oÜ” (estonian private limited company), the registered office at järveküla tee 64-9, kohtla-järve 30322, estonia, the founder named as egor michurin (ceo), and the contact email for data-protection matters as the same support inbox. if your procurement template needs an alternative signatory clause, an information-security exhibit, or a fixed liability cap, propose it in the same email and we will reply with what we can and cannot accept in writing.