this addendum covers business customers who send personal data of their own users through our ai product description generator or apis. it supplements our terms of service.
last updated: 2026-04-19
this data processing addendum applies when a vøiddo customer submits personal data of end users, staff, or contractors through our services and that data is protected by gdpr, uk gdpr, or comparable regulation. it does not apply to account data you provide about yourself.
the customer acts as the data controller and decides what personal data enters our systems. vøiddo acts as a processor and only processes that data to deliver the agreed service. we do not use customer data for our own marketing, training of foundational models, or resale.
we use a small set of sub-processors: paddle for billing, cloudflare for network protection, an AI inference partner for model calls, and digitalocean for compute. each sub-processor is bound by its own data processing terms and is listed in this document. we will notify customers of material changes before they take effect.
we encrypt data in transit with tls 1.2 or higher and at rest on managed disks. access to production systems is limited to authorised staff, protected by multi-factor authentication, and logged. backups are encrypted and retained for a maximum of thirty days.
personal data may be processed in the european union, the united states, and israel. where required, we rely on the european commission's standard contractual clauses and the uk international data transfer addendum. additional safeguards are applied when a destination country is not recognised as adequate.
if an end user of your service asks to access, correct, or delete their personal data held by us, we will assist you in responding within the statutory deadlines. usually this means locating and deleting records in our dashboard, api logs, and backup archives on your behalf.
if we become aware of a personal data breach affecting customer data we will notify the affected customers without undue delay and in any case within seventy-two hours of confirmation. the notice will include the nature of the breach, affected data categories, and the mitigations in progress.
once per calendar year, business customers can request documentation of our security posture: a written summary of controls, copies of any third-party audit reports we hold, and confirmation of sub-processor compliance. on-site audits are accepted on reasonable notice and within working hours, paid for by the requesting customer.
on termination of the service agreement, customers can choose to either receive an export of their personal data in a structured machine-readable format, or request irreversible deletion. unless otherwise instructed, we default to deletion after thirty days, with backup archives purged within ninety days.
where the customer is required to carry out a data protection impact assessment or consult a supervisory authority, we will make available all information reasonably necessary to fulfil that obligation, taking into account the nature of the processing and the information available to us.
most business customers accept this addendum by reference through our terms of service. customers with a written contract or procurement process can request a countersigned pdf copy from support@voiddo.com. we aim to return a signed version within two business days.