Promotion Vault — Data Processing
Data Processing Addendum (DPA)
This Data Processing Addendum (“Addendum”) forms part of the Privacy Policy available at https://promotionvault.com/privacy-policy/ (“Privacy Policy”) and applies to the extent Promotion Vault processes personal data in connection with its services.
By using Promotion Vault’s services, you agree to this Addendum, which reflects the parties’ agreement on the processing of personal data in compliance with applicable data protection laws.
1. Definitions
1.1 Data Controller: The entity that determines the purposes and means of processing personal data.
1.2 Data Processor: The entity that processes personal data on behalf of the Data Controller.
1.3 End User: An individual whose personal data is processed under this Addendum.
1.4 Recipient: The end user who logs into their Vault account and establishes a direct data relationship with Promotion Vault.
1.5 Data Protection Laws: All applicable privacy and data protection laws and regulations, including the General Data Protection Regulation (GDPR).
1.6 Services: The reward and engagement services provided by Promotion Vault.
2. Roles and Responsibilities
2.1 Joint Data Controller Relationship: Promotion Vault and its client act as joint data controllers when processing personal data for the purpose of enabling rewards and incentives with the consent of the End User.
2.2 Sole Data Controller Relationship: Upon the End User logging into their Vault account, Promotion Vault assumes the role of sole data controller and establishes a direct data usage relationship with the End User.
2.3 Responsibilities of Promotion Vault:
- Ensure compliance with applicable data protection laws as a joint and sole data controller.
- Promotion Vault and its subscriber act as joint data controllers when processing personal data for the purpose of enabling rewards and incentives with the consent of the End User.
- Implement appropriate technical and organizational measures to safeguard personal data.
2.4 Responsibilities of Subscribers:
- Obtain the End User’s consent for sharing personal data with Promotion Vault.
- Ensure data shared with Promotion Vault is accurate, lawful, and relevant for the intended processing.
3. Liability and Indemnity
3.1 Each party shall be responsible for its compliance with applicable data protection laws in its role as a data controller.
3.2 To the extent permitted by law, each party agrees to indemnify and hold the other party harmless from any damages, claims, or liabilities arising from the indemnifying party’s breach of its obligations under this Addendum.
3.3 Promotion Vault’s total liability for all claims under this Addendum will not exceed the amount paid by the subscriber for the services in the twelve months preceding the claim.
4. Data Deletion Obligations
4.1 Upon termination of services, Promotion Vault will delete or anonymize all personal data processed on behalf of the subscriber unless applicable laws require retention.
4.2 Subscribers must ensure their systems facilitate the removal of personal data upon request by the End User.
4.3 Promotion Vault will maintain a data retention policy aligned with its legal and business requirements.
5. Term and Termination
5.1 This Addendum remains in effect for the duration of the subscriber’s use of Promotion Vault’s services.
5.2 Either party may terminate this Addendum upon 30 days’ written notice if the other party materially breaches its terms and fails to cure the breach within the notice period.
5.3 Upon termination, Promotion Vault will ensure the orderly deletion of all subscriber-shared personal data, as outlined in Section 4.
6. Miscellaneous
6.1 In the event of any conflict between this Addendum and other agreements between the parties, this Addendum shall prevail with regard to data processing.
6.2 Any disputes under this Addendum shall be governed by the governing law and jurisdiction specified in the Privacy Policy.
7. Contact Information
For questions about this Addendum or Promotion Vault’s data processing practices, please contact:
Address: 7339 E Williams Dr #27101, Scottsdale, AZ 85255
8. Relationship to Other Agreements
8.1 This Addendum operates alongside the Promotion Vault Terms of Service – Subscriber and the Promotion Vault Service Level Agreement. The Terms govern the parties’ overall commercial relationship; the SLA governs service availability, technical support, and Reward Link fulfillment commitments; and this Addendum governs the processing of personal data.
8.2 Except where this Addendum expressly addresses data processing, the Terms control. The limitations of liability set forth in the Terms apply to obligations under this Addendum to the extent not inconsistent with applicable Data Protection Laws.
9. Security and Technical Measures
9.1 Promotion Vault implements commercially reasonable administrative, technical, and physical safeguards designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. Current measures include:
- Google Cloud Platform–native architecture inheriting Google’s SOC 2, ISO 27001, and PCI controls.
- Cloudflare for additional network, web application, and DDoS protection.
- Google Workspace for secure email and document collaboration.
- Secure Stripe integration; no payment account data is stored or processed on the Promotion Vault platform.
- Role-based access controls, encryption of personal data in transit and at rest, logging and monitoring of platform activity, and regular review of access privileges.
9.2 Promotion Vault will notify the subscriber without undue delay after becoming aware of a personal data breach affecting the subscriber’s personal data, and will provide such information as is reasonably necessary to enable the subscriber to meet its own notification obligations under applicable Data Protection Laws.
9.3 Upon written request, and subject to reasonable confidentiality obligations, Promotion Vault will make available to the subscriber information reasonably necessary to demonstrate compliance with this Addendum, including summary descriptions of its technical and organizational measures and current Sub-Processor list set forth in Exhibit A.
10. Sub-Processors
10.1 Promotion Vault engages the third-party Sub-Processors listed in Exhibit A to support the Services. The subscriber consents to Promotion Vault’s use of these Sub-Processors, provided that Promotion Vault remains responsible for their compliance with the obligations of this Addendum.
10.2 Promotion Vault will provide reasonable advance notice of any addition or replacement of a Sub-Processor by updating Exhibit A at https://promotionvault.com/dpa/. If the subscriber reasonably objects to a new Sub-Processor on data protection grounds, the parties will work in good faith to resolve the objection; if no resolution is reached, the subscriber may terminate the affected Services without penalty for the remaining term.
Exhibit A
Promotion Vault Sub-Processors
| Sub-Processor | Purpose | Data Categories | Location / Notes |
|---|---|---|---|
| Google Cloud Platform | Database, hosting, infrastructure | All Service personal data (Subscriber and End User) | United States; SOC 2, ISO 27001, PCI |
| Google Workspace | Business email and productivity | Internal correspondence; limited Subscriber contact data | United States |
| Cloud AMQP | Asynchronous task queue / message broker | Task payloads containing End User identifiers and reward metadata | United States / EU |
| Stripe | Payment processing | Subscriber billing information (no payment data stored on PV platform) | United States; PCI DSS Level 1 |
| SendGrid | Transactional and notification email | End User and Subscriber email addresses, reward delivery content | United States |
| Twilio | Transactional SMS | End User phone numbers and reward notification content (per Subscriber instructions) | United States |
| Cloudflare | Web application firewall, CDN, DDoS protection | Network metadata; access logs | Global edge network |
| Zendesk | Customer support tickets | Support correspondence and contact details | United States |
| ABC Financial / Alder | Gym member identifiers and employee eligibility data | Member identifiers and eligibility attributes (per Subscriber instructions) | United States |
| Giftango | Reward fulfillment | Reward recipient details and order data | United States |
| OpenAI | Survey and feedback analysis | Survey response content; no direct identifiers transmitted where avoidable | United States |
| Zerobounce | Email address validation | Email addresses submitted for validation | United States |
| Emailable | Email address validation | Email addresses submitted for validation | United States |
| Reoon | Email address validation | Email addresses submitted for validation | Global |
| APILayer | Phone number validation | Phone numbers submitted for validation | Global |