Data Processing Agreement

Last updated: 30 April 2026

This Data Processing Agreement ("DPA") forms part of the Vask Terms of Service between ADDFUEL LTD (trading as Vask) ("Vask", "Processor") and the customer entity that has accepted those Terms ("Customer", "Controller"). It governs the processing of Personal Data by Vask on behalf of the Customer in connection with the Vask Service.

If there is any conflict between this DPA and the Terms of Service, this DPA takes precedence in respect of personal-data processing.

1. Definitions

  • "Applicable Data Protection Law": UK GDPR, the Data Protection Act 2018, and (where relevant) the EU GDPR (Regulation 2016/679), and any successor or replacement legislation.
  • "Personal Data", "Process", "Controller", "Processor", "Sub-processor", "Data Subject", "Supervisory Authority", "Personal Data Breach": as defined in Applicable Data Protection Law.
  • "Customer Personal Data": Personal Data that the Customer or its end-users transmit through, or store using, the Service.
  • "Service": the Vask service as defined in the Terms.
  • "International Transfer Mechanism": the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, the EU SCCs, or any successor mechanism.

2. Roles and scope

In respect of Customer Personal Data, the Customer is the Controller and Vask is the Processor. Vask is the Controller for personal data described in its Privacy Policy (account, billing, support, marketing, analytics relating to the Customer itself).

This DPA applies to all Processing of Customer Personal Data carried out by Vask in providing the Service.

3. Processing details (Schedule 1 in narrative form)

  • Subject matter: provision of a Pusher-compatible WebSocket service.
  • Duration: for the term of the Customer's Vask subscription, plus up to 30 days' deletion period.
  • Nature and purpose: transmitting realtime messages and presence information between the Customer's servers, the Customer's end-user devices, and the Vask infrastructure; storing limited operational metadata.
  • Type of Personal Data: typically channel names, end-user identifiers chosen by the Customer (e.g. private-user-123), presence-channel user_id and user_info payloads, message payloads to the extent the Customer chooses to transmit Personal Data through Vask, and IP addresses of connecting clients (transient).
  • Categories of Data Subjects: the Customer's end-users and any other person whose Personal Data the Customer transmits through the Service.
  • Special categories of data: none expected. The Customer must not transmit special-category data (health, biometric, etc.) through the Service without first agreeing additional safeguards in writing with Vask.

4. Customer instructions

Vask will only Process Customer Personal Data:

  • to provide and maintain the Service in accordance with the Terms;
  • as necessary to comply with applicable law (Vask will notify the Customer first where legally permitted);
  • on the Customer's documented written instructions, including instructions given via the dashboard, API, or the Terms.

If Vask believes a Customer instruction infringes Applicable Data Protection Law, Vask will notify the Customer.

5. Vask's obligations

Vask will:

  • Process Customer Personal Data only as set out in this DPA;
  • ensure that personnel authorised to Process Customer Personal Data are bound by confidentiality obligations;
  • implement appropriate technical and organisational measures (TOMs) — see Schedule 2 below;
  • assist the Customer, taking into account the nature of Processing and the information available to Vask, in fulfilling its obligations to respond to Data Subject requests and in ensuring compliance with Articles 32-36 UK GDPR (security, breach notification, DPIA, prior consultation);
  • on termination of the Service, delete or return all Customer Personal Data and copies, unless retention is required by law (in which case Vask will continue to protect the data and limit further Processing).

6. Sub-processors

The Customer authorises Vask's use of the Sub-processors listed at vask.dev/legal/subprocessors. For the purposes of this DPA — i.e. processing Customer Personal Data flowing through the Service from the Customer's end-users — the relevant Sub-processor at the date of this DPA is:

  • Sub-processor: Cloudflare, Inc.
  • Purpose: Hosting, edge network, Durable Objects, DNS — carries WebSocket sessions, channels, presence data, and message payloads
  • Location: Global edge

Other vendors (Stripe, Resend, Fathom, incident.io) process personal data about the Customer itself (account, billing, support) and are listed in our Privacy Policy. They do not process Customer Personal Data flowing through the Service.

Vask will:

  • impose data-protection terms on each Sub-processor that are no less protective than this DPA in respect of Customer Personal Data;
  • remain liable to the Customer for the acts and omissions of its Sub-processors;
  • give the Customer at least 30 days' prior notice (by email and dashboard update) of any new Sub-processor or material change. The Customer may object on reasonable, documented grounds; if the parties cannot agree a resolution within 30 days, the Customer's exclusive remedy is to terminate the affected portion of the Service without further fees, and receive a pro-rata refund for any pre-paid amount covering the unused period.

In an emergency where a Sub-processor change is required for security reasons, Vask may make the change on shorter notice and inform the Customer as soon as reasonably possible.

7. International transfers

Where Vask transfers Customer Personal Data outside the UK or EEA to a country without an adequacy decision, the parties agree that the appropriate International Transfer Mechanism applies (UK IDTA or EU SCCs with UK Addendum, with Vask as data exporter or importer as the case requires). The Customer agrees that this DPA together with the relevant published transfer mechanism implements those safeguards.

A copy of the transfer mechanism in force is available on request to [email protected].

8. Personal Data Breach

Vask will notify the Customer without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent then known: the nature of the breach, the categories and approximate number of Data Subjects and records concerned, likely consequences, and the measures taken or proposed to address it. Vask will keep the Customer informed as more information becomes available.

The Customer is responsible for any onward notification to its end-users and to Supervisory Authorities.

9. Audit

The Customer may, on reasonable notice and not more than once in any 12-month period (except where required by a Supervisory Authority or following a Personal Data Breach), request information necessary to demonstrate Vask's compliance with this DPA. Vask will respond to reasonable written requests within 30 days. On-site audits are not standard for self-serve plans; Scale customers may agree on-site or independent third-party audit terms by separate written agreement.

10. Data Subject requests

Vask will, taking into account the nature of the Processing, assist the Customer by appropriate technical and organisational measures (insofar as possible) to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law.

If Vask receives a request directly from a Data Subject regarding Customer Personal Data, Vask will redirect the Data Subject to the Customer and will not respond further except on the Customer's instructions or as required by law.

11. Return and deletion

On termination of the Service, or earlier at the Customer's written request, Vask will delete (or, if the Customer requests in writing, return) all Customer Personal Data within 30 days, save where retention is required by law (e.g. transactional billing records).

12. Liability

Liability under this DPA is subject to the limitation of liability set out in the Terms.

13. Governing law

This DPA is governed by the laws of England and Wales, with exclusive jurisdiction of the English courts.


Schedule 1 — Processing summary

See Section 3 above.

Schedule 2 — Technical and organisational measures (TOMs)

Vask implements the following measures, reviewed at least annually:

  • Encryption in transit: TLS 1.2+ on all Customer-facing endpoints (vask.dev, wss.vask.dev, REST API).
  • Encryption at rest: Customer credentials (App keys, App secrets, hashed account passwords) are encrypted at rest in our key-value store; Stripe holds card data and Vask never stores PANs.
  • Access control: least-privilege role-based access, MFA enforced for personnel with production access, audit logs of administrative actions.
  • Network security: Cloudflare WAF, DDoS protection, automated abuse detection on connection-open and broadcast rates.
  • Application security: input validation at API boundary, rate-limited authentication endpoints, security.txt at /.well-known/security.txt for vulnerability reports.
  • Personnel: confidentiality obligations in employment/contractor terms, security training on onboarding.
  • Sub-processor management: written contracts with all Sub-processors imposing data-protection terms.
  • Backup and recovery: Cloudflare-backed regional redundancy; recovery objectives appropriate to a self-serve realtime service.
  • Incident response: 24/7 alerting on infrastructure faults; documented breach-notification process under Section 8.
  • Logging: access and operational logs retained for at least 30 days for security investigation purposes.
  • Retention and deletion: automated deletion routines per Section 11 and the Privacy Policy retention table.

Contact

ADDFUEL LTD (trading as Vask)
3 Eider Close, Thornton-Cleveleys, England, FY5 2UT
Company number 17048912