Last updated: February 2026. This policy is subject to review by legal counsel.
1. Parties and Background
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Data Controller" or "Customer") and Vaionex Corporation ("Data Processor" or "Taxation.ai"), incorporated in the State of Delaware, United States.
This DPA is entered into pursuant to Article 28 of the EU General Data Protection Regulation (GDPR) and the UK GDPR, and governs the processing of personal data by Taxation.ai on behalf of the Customer in connection with the provision of the Taxation.ai platform.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
- "Processing" means any operation performed on Personal Data, as defined in Article 4(2) of the GDPR.
- "Sub-Processor" means any third party engaged by Taxation.ai to process Personal Data on behalf of the Customer.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
3. Scope of Processing
Taxation.ai processes Personal Data solely for the purpose of providing the AI-powered tax preparation service as described in the Terms of Service. Processing is carried out on documented instructions from the Customer (i.e., through the Customer's use of the Platform).
3.1 Categories of Data Subjects
- Registered users of the Taxation.ai platform
- Individuals whose information is included in tax returns prepared through the Platform (e.g., spouses, dependents)
3.2 Categories of Personal Data
- Personal identifiers: Name, email address, date of birth, national identification numbers (e.g., SSN, TIN)
- Financial data: Income records, bank account details, investment information, employment income
- Tax return data: Tax forms, deductions, credits, filing status, prior year returns
- Account data: Authentication credentials (hashed), session information
- Payment data: Billing address, payment method information (processed by Stripe)
3.3 Processing Purposes
- Providing AI-assisted tax preparation and analysis
- Generating tax return documents and summaries
- Authenticating users and managing accounts
- Processing payments for the service
- Providing customer support
4. Obligations of the Processor
Taxation.ai shall:
- Process Personal Data only on documented instructions from the Customer, unless required by EU or Member State law
- Ensure that persons authorized to process Personal Data are bound by obligations of confidentiality
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see Section 6)
- Assist the Customer in responding to data subject requests (access, rectification, erasure, portability, restriction, objection)
- Assist the Customer in ensuring compliance with GDPR Articles 32-36 (security, breach notification, data protection impact assessments)
- At the Customer's choice, delete or return all Personal Data upon termination of the service (see Section 8)
- Make available all information necessary to demonstrate compliance and allow for audits (see Section 9)
5. Sub-Processors
The Customer provides general authorization for Taxation.ai to engage the following sub-processors. We will notify the Customer of any intended changes to sub-processors, providing the Customer with an opportunity to object.
| Sub-Processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Supabase | Database, authentication, file storage | EU | N/A (EU) |
| Stripe | Payment processing | US | SCCs |
| OpenAI | AI-powered tax analysis | US | SCCs |
| Plausible Analytics | Cookieless website analytics | EU | N/A (EU) |
| Hetzner | Cloud hosting and infrastructure | EU (Germany) | N/A (EU) |
Each sub-processor is bound by data processing terms that provide at least the same level of data protection as this DPA. Taxation.ai remains liable for the acts and omissions of its sub-processors.
6. Security Measures
Taxation.ai implements the following technical and organizational measures pursuant to GDPR Article 32:
- Encryption: AES-256 encryption at rest; TLS 1.2+ encryption in transit
- Access controls: Role-based access control; principle of least privilege; row-level security (RLS) at the database level
- Authentication: Secure password hashing (bcrypt); HTTP-only session cookies; email verification
- Infrastructure: EU-hosted servers (Hetzner, Germany); network isolation between environments; automated encrypted backups
- Monitoring: Security monitoring and alerting; audit logging of access to sensitive data
- Personnel: Confidentiality obligations for all personnel with access to Personal Data; security awareness practices
- Development: Code review processes; dependency vulnerability scanning; input validation and sanitization
For full details, see our Security page.
7. Data Breach Notification
In the event of a Data Breach affecting Personal Data processed under this DPA:
- Taxation.ai shall notify the Customer without undue delay and in any event within 72 hours of becoming aware of the breach, in compliance with GDPR Article 33.
- The notification shall include: the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.
- Taxation.ai shall cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
- Taxation.ai shall document all Data Breaches, including the facts, effects, and remedial actions taken, regardless of whether notification to the supervisory authority is required.
8. Data Return and Deletion
- Upon termination of the service or upon the Customer's request, Taxation.ai shall, at the Customer's choice, return all Personal Data in a structured, commonly used, machine-readable format or delete all Personal Data.
- Deletion shall be completed within 30 days of the request, subject to any legal obligations requiring retention of certain data (e.g., tax record retention requirements).
- Taxation.ai shall certify the deletion in writing upon the Customer's request.
- Customers may exercise data export and deletion through the self-service features in their account settings, or by contacting one@vaionex.com.
9. Audit Rights
- The Customer has the right to conduct audits, including inspections, to verify Taxation.ai's compliance with this DPA, either directly or through an independent third-party auditor bound by confidentiality obligations.
- Taxation.ai shall make available all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and GDPR Article 28.
- Audit requests shall be made with reasonable advance notice (at least 30 days) and shall be conducted during normal business hours in a manner that minimizes disruption to operations.
- Where Taxation.ai obtains independent third-party certifications or audit reports (e.g., SOC 2), these may be provided to the Customer in lieu of a direct audit, subject to confidentiality obligations.
10. International Data Transfers
Personal Data is primarily stored within the EU (Hetzner servers, Germany). Where transfers to sub-processors outside the EU/EEA are necessary (OpenAI and Stripe in the United States), such transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914), supplemented by transfer impact assessments and additional technical safeguards (encryption in transit and at rest).
11. Term and Termination
This DPA shall remain in effect for the duration of the Customer's use of the Taxation.ai platform. The obligations of Taxation.ai regarding the processing and security of Personal Data shall survive the termination of this DPA for as long as Taxation.ai retains any Personal Data processed on behalf of the Customer.
12. Governing Law
This DPA shall be governed by the laws of the State of Delaware, United States, except to the extent that GDPR or UK GDPR mandatorily applies, in which case those provisions shall take precedence.
13. Contact
For questions regarding this DPA or to exercise any rights under it, please contact:
Vaionex Corporation
Email: one@vaionex.com