
Data Processing Agreement

Version 2026-04 · Last updated: April 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Serso BV, acting under the trade name VibeDeploy, a company registered in Belgium under VAT number BE0899100423 with its registered office at Bosstraat 52, 3560 Lummen, Belgium (“VibeDeploy”, “we”, “us”, “Processor”), and the customer that has agreed to the VibeDeploy Terms of Service (“Customer”, “you”, “Controller”).

This DPA applies whenever Customer deploys or operates any application, website, or other material via the VibeDeploy platform that causes Customer to be a controller of personal data within the meaning of Regulation (EU) 2016/679 (“GDPR”), and VibeDeploy to be a processor of that personal data on Customer's behalf. It reflects the requirements of Article 28 GDPR.

By accepting the VibeDeploy Terms of Service, Customer accepts this DPA. No separate signature is required; VibeDeploy will issue a counter-signed version on written request to privacy@vibedeploy.be.

1. Definitions

Capitalised terms not defined in this DPA have the meaning given to them in the GDPR. “Customer Personal Data” means personal data processed by VibeDeploy on behalf of Customer under this DPA, including personal data contained within files, databases, logs, or other content deployed or stored through the VibeDeploy platform.

2. Roles and Scope

2.1 Roles. Customer is the controller of Customer Personal Data. VibeDeploy is the processor. Where VibeDeploy determines the purposes and means of processing in respect of its own users (e.g. account data, payment data, security logs) it acts as an independent controller; such processing is governed by our Privacy Policy, not by this DPA.

2.2 Subject matter and duration. The subject matter is the provision of the VibeDeploy Service (web hosting, deployment, and related features) as described in the Terms of Service. The duration of processing equals the term of the Terms of Service plus any post-termination retention window described therein.

2.3 Nature and purpose of processing. VibeDeploy processes Customer Personal Data solely to host, serve, back up, monitor, and otherwise make available the content and applications that Customer deploys, and to provide the features of Customer's subscription plan.

2.4 Types of personal data. Whatever Customer chooses to upload, deploy, or generate through the Service. VibeDeploy does not inspect or classify Customer content.

2.5 Categories of data subjects. Whoever interacts with Customer's deployed applications (end users, site visitors, form submitters, API clients).

3. Customer Instructions

3.1 VibeDeploy will process Customer Personal Data only on documented instructions from Customer, including with regard to transfers, unless required to do so by Belgian or EU law. The VibeDeploy Terms of Service, this DPA, and the configuration choices Customer makes through the dashboard or API constitute Customer's complete and final documented instructions.

3.2 VibeDeploy will inform Customer if, in its opinion, an instruction infringes GDPR or other applicable data protection law, before carrying out the instruction.

4. Confidentiality

VibeDeploy ensures that every person authorised to process Customer Personal Data is subject to an appropriate obligation of confidentiality (by contract or by law) and is trained in their privacy and security responsibilities.

5. Security Measures (Art. 32 GDPR)

VibeDeploy implements the following technical and organisational measures, taking into account the state of the art, cost of implementation, and the nature, scope, context and purposes of processing:

  • Transport encryption: TLS 1.2 or higher is required for all platform endpoints and for every site we host.
  • Encryption at rest: Databases, backups, and Longhorn snapshots are encrypted with AES-256.
  • Access control: Role-based access for personnel; production access is limited to a small number of named administrators; every administrative action is logged.
  • Password hygiene: Customer account passwords are hashed with bcrypt at a high work factor.
  • Mandatory MFA: Multi-factor authentication is required for every Customer account.
  • Network isolation: Each Customer's deployed containers run in a dedicated Kubernetes namespace with NetworkPolicies restricting egress to DNS only by default.
  • Runtime sandboxing: Customer containers run as non-root (uid 101), with a read-only root filesystem, dropped Linux capabilities, and no service-account token.
  • Monitoring: eBPF-based intrusion detection (Tetragon) across all cluster nodes.
  • Backups: Nightly PostgreSQL backups and Longhorn volume snapshots, retained per the plan limits of the Customer.
  • Incident response: Documented runbook with 72-hour notification to Customer for any personal data breach affecting Customer Personal Data (Art. 33(2) GDPR).

The measures evolve with the state of the art. A current snapshot is available on request.

6. Sub-processors

6.1 Customer grants VibeDeploy general authorisation to engage sub-processors for the performance of the Service. VibeDeploy will impose on each sub-processor, by contract, data protection obligations that are no less protective than those set out in this DPA.

6.2 The current list of sub-processors is:

Sub-processor | Purpose | Location
Mollie N.V. | Payment processing, subscription mandates | Netherlands (EU)
Cloudflare, Inc. | DDoS protection, traffic routing, bot mitigation | US, with EU data-processing opt-in; SCCs in place
Gandi SAS | Domain registration on Customer request | France (EU)
Transactional email provider | Delivery of system emails (verification, security, billing) | EU

6.3 Changes. VibeDeploy will give at least 30 days' prior notice of any intended addition or replacement of a sub-processor, by posting an updated list on this page and notifying registered Customer contacts by email. Customer may object to a change by emailing privacy@vibedeploy.be within 30 days; if the objection cannot be reasonably resolved, Customer may terminate the affected part of the Service with a prorated refund.

7. International Transfers

VibeDeploy stores Customer Personal Data exclusively within the European Union under normal operating conditions. Where processing by a sub-processor necessarily involves an international transfer (for example, Cloudflare's network), VibeDeploy ensures that the transfer is covered by Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) or another transfer mechanism recognised under Chapter V GDPR.

8. Assistance to Customer

8.1 Data subject rights. Taking into account the nature of the processing, VibeDeploy will assist Customer through appropriate technical and organisational measures, insofar as possible, to fulfil Customer's obligation to respond to requests to exercise data subject rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection).

8.2 DPIAs, security, notifications. VibeDeploy will assist Customer in ensuring compliance with Articles 32 to 36 GDPR, including by providing reasonable information about the security measures applied and by notifying Customer without undue delay of any personal data breach affecting Customer Personal Data.

8.3 Breach notification. VibeDeploy will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, by email to the address on file for the Customer's billing contact. The notification will describe, to the extent known: the nature of the breach, the categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed to address it and mitigate its possible adverse effects.

9. Audits

9.1 VibeDeploy will make available to Customer, on written request, all information reasonably necessary to demonstrate compliance with this DPA.

9.2 Where Customer reasonably believes that the information made available is insufficient, Customer may carry out an audit (including inspection) at its own cost, subject to reasonable advance notice (at least 30 days), scheduling during business hours, confidentiality undertakings, and a scope limited to verifying VibeDeploy's compliance with this DPA. Audits may occur no more than once per calendar year, except in the event of a documented regulatory request or a material breach.

10. Return or Deletion of Data

On termination of the Terms of Service, VibeDeploy will, at Customer's choice, return or delete all Customer Personal Data, save to the extent required by Belgian or EU law to retain it (notably the 7-year retention of invoicing data under the Belgian VAT Code and Code of Income Taxes). The default behaviour is a 7-day soft-delete grace window followed by permanent deletion, as described in the Terms of Service.

11. Liability

The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.

12. Governing Law and Precedence

This DPA is governed by the laws of Belgium. Where this DPA conflicts with the Terms of Service or any other agreement between the parties in respect of the processing of Customer Personal Data, this DPA prevails.

13. Contact