Data Processing Agreement
Last updated 1 June 2026
This Data Processing Agreement ("DPA") forms part of the Master Subscription Agreement between VigilPath UK Limited ("Processor") and the customer ("Controller") and governs the processing of personal data carried out by VigilPath on the Controller's behalf. It is drafted to satisfy Article 28 of UK GDPR.
1. Subject matter and duration
VigilPath processes personal data submitted by the Controller to the VigilPath platform for the duration of the subscription term and any post-termination retention period set out in Section 9.
2. Nature and purpose of processing
Hosting, organising, displaying, retrieving and exporting case material to support financial-crime investigations and Suspicious Activity Report drafting and submission.
3. Categories of data subjects
- Controller's employees and authorised investigators.
- Individuals who are subjects of investigations conducted by the Controller.
- Third parties named in transaction records (counterparties, beneficial owners).
4. Categories of personal data
- Identification data, contact data, transaction data, device/IP data.
- Special-category and criminal-offence data only where uploaded by the Controller in the course of a lawful investigation under Schedule 1 Part 2 DPA 2018.
5. Obligations of the Processor
- Process personal data only on documented instructions from the Controller.
- Ensure persons authorised to process the data are bound by confidentiality.
- Implement the technical and organisational measures in Annex A (Security).
- Assist the Controller with data subject rights, DPIAs and breach notification.
- Notify the Controller of a personal data breach without undue delay and in any event within 48 hours.
- At the Controller's choice, delete or return all personal data at end of services.
- Make available all information necessary to demonstrate compliance and submit to audits.
6. Sub-processors
The Controller grants general authorisation for VigilPath to engage sub-processors listed at /sub-processors. VigilPath will give 30 days' notice of any intended change, during which the Controller may object on reasonable grounds.
7. International transfers
Personal data is stored in the United Kingdom by default. Any transfer outside the UK / EEA relies on a UK adequacy regulation or the UK International Data Transfer Addendum to the EU SCCs, together with a transfer risk assessment.
8. Security (Annex A summary)
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Row-level multi-tenant isolation enforced at the database layer.
- Role-based access control, least privilege, mandatory MFA for staff.
- Immutable audit log of administrative actions.
- Daily encrypted backups with 30-day point-in-time recovery.
- Documented incident response plan with 48-hour breach notification.
9. Retention and return
On termination, personal data is exported on request and securely deleted within 30 days unless retention is required by law (e.g. Money Laundering Regulations 2017).
10. Liability and governing law
Liability under this DPA is subject to the limits in the Master Subscription Agreement. This DPA is governed by the laws of England and Wales.
11. Acceptance
By using the VigilPath platform under a paid or trial subscription, the Controller accepts this DPA. A countersigned PDF is available on request from dpo@vigilpath.co.uk.