1. Scope and Purpose
This Data Processing Agreement governs the processing of personal data by VARYN ("Processor") on behalf of the client ("Controller") in connection with services delivered under the parties' engagement agreement. This DPA applies to all personal data processed by VARYN as part of providing its software engineering services and shall be read alongside the Terms of Service.
2. Roles and Responsibilities
The client is the Controller of personal data and determines the purposes and means of processing. VARYN acts as Processor and processes personal data solely on the documented instructions of the Controller. VARYN shall not process personal data for any purpose other than performing the agreed services unless required to do so by applicable law, in which case VARYN shall inform the Controller of that requirement before processing, unless prohibited by law.
3. Nature and Purpose of Processing
VARYN may process the following categories of personal data on behalf of the Controller: contact and identity information of the Controller's staff and end users; project-related data including system credentials, API keys, and configuration data provided for development purposes; and any personal data contained within systems, codebases, or databases accessed as part of the engagement. Processing activities include development, testing, debugging, deployment, and maintenance of software systems.
4. Data Subjects
The data subjects whose personal data VARYN may process include employees, contractors, and authorised users of the Controller; end users of systems developed or maintained by VARYN on behalf of the Controller; and any other individuals whose personal data is contained in systems accessed in the course of the engagement.
5. Processing Instructions
VARYN shall process personal data only in accordance with the Controller's documented instructions. The engagement agreement, this DPA, and any written instructions provided during the engagement constitute the complete set of processing instructions. Where VARYN reasonably believes an instruction would infringe applicable data protection law, it shall promptly notify the Controller.
6. Confidentiality
VARYN shall ensure that persons authorised to process personal data on behalf of the Controller are subject to confidentiality obligations, whether by contract or professional duty. Access to personal data is limited to personnel who require it to fulfil the agreed services.
7. Security Measures
VARYN implements technical and organisational measures appropriate to the risk presented by the processing, including: encryption of data in transit and at rest where applicable; access controls and the principle of least privilege; secure development practices; and regular review of security posture. Specific measures for a given engagement may be documented in the relevant project agreement.
8. Sub-processors
VARYN engages the following sub-processors in the provision of its services. The Controller hereby authorises VARYN's use of these sub-processors subject to the conditions in this section.

| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Hosting and deployment infrastructure | USA (SCCs in place) |
| Amazon Web Services | Cloud infrastructure and storage | USA / EU (region-dependent) |
| GitHub, Inc. | Source code version control | USA (SCCs in place) |

VARYN will notify the Controller at least 14 days in advance of any intended addition or replacement of sub-processors. If the Controller objects on reasonable grounds related to data protection, the parties will work in good faith to resolve the concern.
9. Data Subject Rights Assistance
VARYN shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures in fulfilling the Controller's obligations to respond to data subject requests (access, rectification, erasure, portability, restriction, objection). VARYN shall forward any data subject request it receives directly to the Controller without undue delay.
10. International Data Transfers
Where personal data is transferred outside the country in which it was collected, VARYN shall ensure an adequate level of protection through mechanisms recognised by applicable data protection law, including standard contractual clauses where required. The sub-processors listed in Section 8 are covered by appropriate transfer mechanisms as noted.
11. Retention and Deletion
Upon termination of the engagement agreement, VARYN shall, at the Controller's choice, delete or return all personal data processed on behalf of the Controller and delete existing copies unless applicable law requires continued storage. VARYN will confirm completion of deletion or return in writing upon request.
12. Audit Rights
VARYN shall make available to the Controller all information necessary to demonstrate compliance with the obligations in this DPA and shall allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller, subject to reasonable notice and agreed confidentiality obligations. VARYN may satisfy audit obligations by providing relevant certifications or third-party audit reports where available.
13. Contact and DPA Enquiries
For questions about this Data Processing Agreement, requests to exercise audit rights, or sub-processor notifications, contact: hello@varyn.ltd. To enter into a counter-signed DPA for enterprise engagements, include "DPA Request" in your email subject line.