Data processing information
Introduction
This Data Processing Information describes how Besticoder processes personal data in its role as data processor on behalf of customers and as data controller for certain account-level processing. It is intended to support GDPR and similar privacy law transparency obligations.
This document is a contractual and informational draft, not legal advice. Customers remain responsible for their own compliance programs.
Controller and processor roles
For workspace content, customer records, messages, files, and configuration data that you instruct us to process through the Service, you (or your organization) act as data controller and Vmoox acts as data processor.
For account registration, authentication, billing, platform security, product analytics where applicable, and website operations, Vmoox acts as an independent data controller. The Privacy Policy describes controller processing in more detail.
Subject matter and duration
Processing concerns provision of the Vmoox cloud workspace platform, including storage, organization, search, automation, collaboration, integrations, and related support services.
Processing continues for the duration of your subscription or workspace use and for retention periods described in our Privacy Policy, Terms, and any executed Data Processing Agreement ("DPA").
Nature and purpose of processing
Processing operations may include collection, storage, organization, structuring, adaptation, retrieval, consultation, use, disclosure by transmission, alignment, restriction, erasure, and destruction of personal data as necessary to provide the Service.
Purposes include hosting customer content, enabling user collaboration, delivering integrations you enable, securing the platform, providing support, and complying with legal obligations.
Categories of data and data subjects
Depending on your use, processed data may include identification data, contact details, employment or customer relationship data, communication content, usage metadata, and technical logs.
Data subjects may include your employees, contractors, customers, leads, and other individuals whose data you upload or generate through the Service. You are responsible for providing appropriate privacy notices to data subjects.
Customer instructions
We process controller data only on documented instructions from you, as expressed through account configuration, workspace settings, API calls, support requests within scope, and the Terms of Service.
If we believe an instruction infringes applicable data protection law, we will inform you without undue delay unless prohibited by law.
Confidentiality of processing
We require personnel authorized to process personal data to respect confidentiality obligations appropriate to the nature of the Service and applicable law.
Access by Vmoox personnel is limited to those with a legitimate business need and is subject to internal access controls.
Security measures
We implement technical and organizational measures designed to provide a level of security appropriate to the risk, which may include encryption in transit, access controls, logging, and vulnerability management.
You acknowledge that you are responsible for securing your accounts, workspaces, integrations, and endpoints, and for determining whether our measures are adequate for your specific regulatory requirements. See our Security page for the shared responsibility model.
Subprocessors
We engage subprocessors to provide infrastructure, communications, payment, monitoring, and support services. Subprocessors process personal data only to deliver their delegated functions and under contractual data protection terms.
A current subprocessor list is available on request at support@vmoox.com. We will provide notice of material subprocessor changes as required by our DPA or applicable law.
International transfers
Personal data may be transferred to and processed in Israel and other countries where we or subprocessors operate. Israel has received a European Commission adequacy decision for GDPR purposes, and we implement additional safeguards such as Standard Contractual Clauses where required for transfers to other destinations.
You are responsible for assessing lawful transfer mechanisms for your use case and providing required notices to data subjects.
Assistance with data subject rights
Taking into account the nature of processing, we will assist you by appropriate technical and organizational measures, insofar as possible, in fulfilling your obligations to respond to data subject requests to exercise access, rectification, erasure, restriction, portability, and objection rights.
Requests concerning workspace data should generally be routed through your organization as controller. We may direct individuals to contact their controller where appropriate.
Personal data breach notification
We will notify you without undue delay after becoming aware of a personal data breach affecting controller data in our systems, where notification is required by applicable law or our DPA, and provide information reasonably available to assist your regulatory and individual notifications.
You are responsible for assessing whether a breach triggers obligations to regulators and data subjects in your capacity as controller.
Deletion and return of data
Upon termination of the Service, you are responsible for exporting controller data before access ends. Following termination, we will delete or anonymize controller data within timeframes described in our Terms, Privacy Policy, and DPA, except where retention is required by law or legitimate documented business needs such as billing records.
Backups may persist for a limited period before rolling deletion according to operational schedules.
DPA requests and contact
Business customers may request a Data Processing Agreement incorporating GDPR Article 28 terms by contacting support@vmoox.com.
For privacy inquiries: support@vmoox.com. For billing-related processor records tied to invoices: billing@vmoox.com.