Data Processing Agreement

Last updated: 17/06/2026

This Data Processing Agreement (“DPA”) forms part of the agreement between Vendor Check Pro and the customer organisation using the Vendor Check Pro service (the “Customer”). It applies where Vendor Check Pro processes Customer Personal Data on behalf of the Customer in connection with the provision of the service.

This DPA is intended to support the Customer’s compliance with applicable data protection laws, including, where relevant, the GDPR and the UAE Personal Data Protection Law.

1. Purpose of this DPA

The purpose of this DPA is to set out the terms on which Vendor Check Pro processes Customer Personal Data on behalf of the Customer in connection with the Vendor Check Pro platform and related support services.

This DPA applies only to Customer Personal Data processed by Vendor Check Pro as a processor or service provider on behalf of the Customer. It does not apply to personal data processed by Vendor Check Pro as controller for its own business purposes, such as website enquiries, support administration, billing, or supplier management.

2. Roles of the Parties

For the purposes of this DPA:

  • the Customer acts as the controller or equivalent decision-maker in respect of Customer Personal Data processed through the service

  • Vendor Check Pro acts as the processor or service provider in respect of that Customer Personal Data

The Customer determines the purposes for which Customer Personal Data is processed through the service and the categories of personal data, data subjects, documents, and workflows it chooses to manage through the platform.

Vendor Check Pro processes Customer Personal Data only on behalf of the Customer and in accordance with the terms of this DPA, the main service agreement, and the Customer’s documented instructions.

3. Scope and Nature of Processing

Vendor Check Pro provides a business-to-business platform designed to support vendor compliance workflows, document handling, review processes, auditability, and related administrative functions.

In connection with providing the service, Vendor Check Pro may process Customer Personal Data in order to:

  • host, store, organise, and make available data within the platform

  • support access control and account administration

  • process uploads and related document workflows

  • provide audit and activity logging

  • maintain, secure, support, troubleshoot, and improve service reliability

  • respond to support requests and service incidents

  • carry out backup, recovery, and operational continuity functions

The nature of the processing may include collection, recording, organisation, structuring, storage, consultation, retrieval, use, disclosure by transmission where required for the service, restriction, deletion, or destruction.

4. Duration of Processing

Vendor Check Pro will process Customer Personal Data for the duration of the service relationship and for any additional period required to:

  • provide agreed transition, export, deletion, or support services

  • comply with applicable legal or contractual obligations

  • maintain necessary backup, security, audit, or dispute-resolution records for a limited period where legitimately required

Processing under this DPA will end when Vendor Check Pro no longer processes Customer Personal Data on behalf of the Customer in connection with the service.

5. Categories of Personal Data

Depending on the Customer’s use of the service, Customer Personal Data processed under this DPA may include:

  • names

  • work email addresses

  • user role and access information

  • organisation and vendor profile information

  • vendor contact details

  • vendor personnel records

  • uploaded compliance documents and supporting records

  • licences, certificates, permits, and related compliance evidence

  • safeguarding-related records where required by the Customer

  • identity and eligibility-related records where required by the Customer

  • review, approval, expiry, and compliance status data

  • audit logs, activity records, and account-access history

  • technical and support-related information associated with use of the service

Vendor Check Pro does not determine which categories of personal data the Customer requires through the platform and does not require the Customer to upload any particular category of personal data except as necessary to provide the service features configured and used by the Customer.

6. Categories of Data Subjects

Depending on the Customer’s use of the service, data subjects may include:

  • Customer personnel and authorised users

  • vendor contacts

  • vendor personnel

  • contractors or workers linked to a vendor

  • other individuals whose information the Customer chooses to manage through the platform in connection with vendor compliance

7. Documented Instructions

The Customer instructs Vendor Check Pro to process Customer Personal Data as necessary to provide the service in accordance with:

  • the main service agreement

  • this DPA

  • the Customer’s configuration and use of the platform

  • documented communications and support instructions provided by the Customer

  • any additional written instructions agreed between the parties

Vendor Check Pro will not process Customer Personal Data for its own unrelated purposes and will notify the Customer if, in Vendor Check Pro’s opinion, an instruction infringes applicable data protection law, unless prohibited from doing so by law.

8. Vendor Check Pro Obligations

Vendor Check Pro will:

  • process Customer Personal Data only on documented instructions from the Customer, unless otherwise required by law

  • ensure that persons authorised to process Customer Personal Data are subject to appropriate confidentiality obligations

  • implement and maintain appropriate technical and organisational measures to protect Customer Personal Data

  • assist the Customer, taking into account the nature of the processing and the information available to Vendor Check Pro, where reasonably required to support the Customer’s compliance obligations

  • notify the Customer of a Personal Data Breach affecting Customer Personal Data without undue delay after becoming aware of it

  • make available information reasonably necessary to demonstrate compliance with this DPA

  • ensure that subprocessors engaged in relation to Customer Personal Data are subject to appropriate written data protection obligations

9. Confidentiality and Authorised Access

Vendor Check Pro will ensure that access to Customer Personal Data is limited to persons who require access for the purpose of providing, securing, supporting, or administering the service.

Persons authorised to process Customer Personal Data will be subject to confidentiality obligations, whether contractual, professional, or statutory, and access will be limited in accordance with role, responsibility, and business need.

10. Security Measures

Vendor Check Pro will implement and maintain appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access.

These measures may include:

  • encryption in transit using HTTPS/TLS

  • controlled authentication and access management

  • role-based access control

  • organisation-level data segregation

  • restricted administrative access

  • audit logging and monitoring of key actions

  • secure hosting and infrastructure controls

  • endpoint and administrative device security controls

  • procedures for access review and removal

  • backup, recovery, and incident response processes

The Customer acknowledges that the appropriateness of security measures should be assessed in light of the nature of the processing, the categories of data involved, and the Customer’s own use of the service.

11. Subprocessors

The Customer authorises Vendor Check Pro to engage subprocessors where reasonably necessary to host, support, secure, maintain, or operate the service.

Vendor Check Pro will:

  • ensure that subprocessors are engaged under written terms that impose data protection obligations appropriate to the nature of the services provided

  • remain responsible for the performance of its subprocessors in relation to Customer Personal Data to the extent required by applicable law and contract

  • make a current subprocessor or service-provider list available on request as part of due diligence or contractual review

12. Assistance with Data Subject Rights and Compliance

Taking into account the nature of the processing and the information available to Vendor Check Pro, Vendor Check Pro will provide reasonable assistance to the Customer where required to help the Customer:

  • respond to data subject requests

  • investigate and respond to privacy or security issues affecting Customer Personal Data

  • assess and manage data protection obligations relevant to the service

  • comply with obligations relating to security, breach response, or regulatory engagement where applicable

The Customer remains responsible for evaluating and fulfilling its own legal obligations as controller.

13. Personal Data Breach Notification

If Vendor Check Pro becomes aware of a Personal Data Breach affecting Customer Personal Data, Vendor Check Pro will notify the Customer without undue delay.

Where reasonably possible, the notification will include available information such as:

  • the nature of the incident

  • the categories or approximate volume of data affected, where known

  • the likely or potential impact, where known

  • the steps taken or proposed to contain, investigate, and remediate the issue

  • any further information reasonably required by the Customer, as it becomes available

Vendor Check Pro will take reasonable steps to investigate, contain, and address the incident.

14. Return, Export, and Deletion of Data

Upon termination or expiry of the service, and subject to the terms of the main agreement, Vendor Check Pro will, as applicable:

  • allow for agreed export or retrieval of Customer Personal Data

  • delete or render inaccessible Customer Personal Data after the relevant retention or transition period

  • retain only such limited information as is required for legal, security, audit, backup, or dispute-resolution purposes, and only for as long as legitimately necessary

Specific export, retention, and deletion arrangements may be governed by the main agreement, the Customer’s service configuration, and any agreed transition process.

15. International Transfers

Vendor Check Pro may use service providers located in, or operating from, different jurisdictions. As a result, Customer Personal Data may be processed or accessed outside the jurisdiction in which it was originally collected.

Where applicable, Vendor Check Pro will take reasonable steps to support lawful cross-border processing or transfers by using appropriate contractual, organisational, and operational safeguards relevant to the service and the applicable data protection law.

The Customer acknowledges that it remains responsible for assessing its own legal basis and transfer requirements as controller in relation to its use of the service.

16. Audit and Compliance Information

Vendor Check Pro will make available information reasonably necessary to demonstrate compliance with this DPA.

Where the information made available is not reasonably sufficient and the Customer has a legitimate need for additional assurance, the parties may agree a further review, questionnaire, or audit process, subject to:

  • reasonable prior notice

  • reasonable confidentiality protections

  • reasonable scope and frequency

  • no unnecessary disruption to Vendor Check Pro’s business, systems, or other customers

  • the Customer bearing its own costs unless otherwise agreed

Nothing in this section requires Vendor Check Pro to disclose information that would compromise the security, confidentiality, or rights of other customers or the security of the service.

17. Liability

This DPA is subject to any liability limits, exclusions, and contractual allocation of risk set out in the main service agreement, except to the extent such limitations are not permitted by applicable law.

18. Term and Precedence

This DPA applies for so long as Vendor Check Pro processes Customer Personal Data on behalf of the Customer in connection with the service.

If there is a conflict between this DPA and the main service agreement in relation to the processing of Customer Personal Data, this DPA will prevail to the extent of that conflict.

19. Contact

If you have questions about this DPA or about data processing arrangements relating to Vendor Check Pro, please contact:

Vendor Check Pro
Email: info@vendorcheckpro.com
Website: www.vendorcheckpro.com