Loading...
VAOS logoVAOS logo
LoginLogin
  • VAOS App
  • Screenshots
  • Pricing
  • Security
  • Contact
Login Login Start 7-Day Free Trial Start 7-Day Free Trial

Data Processing Agreement

Last updated: 01/MAY/2026

Effective date: 01/MAY/2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service or other written agreement between DEEP BRIDGE MARITIME CONSULTING (“VAOS”, “Processor”, “we”, “us”) and the customer organisation using VAOS (“Customer”, “Controller”, “you”).

This DPA applies where VAOS processes personal data on behalf of the Customer in the course of providing the Services.

1. Definitions

The terms “personal data”, “processing”, “controller”, “processor”, “data subject”, “personal data breach” and “supervisory authority” have the meanings given to them in the GDPR.

“Customer Personal Data” means personal data processed by VAOS on behalf of the Customer through the Services.

“Services” means the VAOS platform and related services described in the Terms of Service.

2. Roles of the Parties

For Customer Personal Data:

  • the Customer acts as controller;
  • VAOS acts as processor.

The Customer determines the purposes and means of processing Customer Personal Data.

VAOS processes Customer Personal Data only on documented instructions from the Customer, unless required to do so by applicable law.

3. Subject Matter and Duration

Subject matter

Processing of Customer Personal Data submitted to, stored in or generated through VAOS for the purpose of providing maritime audit workflow software.

Duration

Processing continues for the duration of the Customer’s use of the Services and until Customer Personal Data is deleted or returned in accordance with this DPA, the Terms of Service or applicable law.

4. Nature and Purpose of Processing

VAOS may process Customer Personal Data to:

  • host and operate the VAOS platform;
  • create and manage user accounts;
  • store audit-related content;
  • support trip, vessel, audit and observation workflows;
  • provide reporting and dashboard features;
  • secure, monitor and troubleshoot the Services;
  • provide customer support;
  • comply with legal obligations;
  • perform deletion, export or retention actions requested by the Customer.

Processing operations may include collection, recording, organisation, structuring, storage, retrieval, consultation, use, transmission, restriction, deletion and destruction.

5. Categories of Personal Data

Depending on Customer use, Customer Personal Data may include:

  • names;
  • email addresses;
  • job titles;
  • company or organisation details;
  • user account identifiers;
  • login and usage records;
  • audit comments and observations;
  • inspection-related notes;
  • photographs or uploaded evidence;
  • vessel contact or operational information;
  • support communications;
  • technical identifiers such as IP address and device information.

The Customer controls what data is uploaded or entered into VAOS.

6. Categories of Data Subjects

Customer Personal Data may relate to:

  • Customer users;
  • maritime auditors;
  • superintendents;
  • vetting team members;
  • customer employees or contractors;
  • vessel contacts;
  • ship managers or operators;
  • support contacts;
  • other individuals included by the Customer in audit materials or uploaded content.

7. Customer Instructions

The Customer instructs VAOS to process Customer Personal Data as necessary to provide the Services and as further documented through:

  • the Terms of Service;
  • this DPA;
  • account settings;
  • support requests;
  • written instructions from authorised Customer representatives.

VAOS will not process Customer Personal Data for purposes unrelated to providing the Services unless required by law.

8. Confidentiality

VAOS ensures that persons authorised to process Customer Personal Data are bound by confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

Access to Customer Personal Data is limited to personnel or service providers who need access to provide, secure or support the Services.

9. Security Measures

VAOS implements appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.

Measures may include:

  • access controls;
  • authentication;
  • least-privilege permissions;
  • encryption in transit where applicable;
  • secure hosting configuration;
  • logging and monitoring;
  • backup practices;
  • vulnerability and dependency management;
  • incident response procedures;
  • confidentiality obligations.

Further information is available in the Security Measures page.

10. Subprocessors

The Customer authorises VAOS to use subprocessors to provide the Services.

Current subprocessors are listed on the Subprocessors page.

VAOS will ensure that subprocessors are subject to data protection obligations that are substantially similar to those in this DPA.

VAOS remains responsible to the Customer for the performance of its subprocessors’ data protection obligations.

11. Changes to Subprocessors

VAOS may update the list of subprocessors from time to time.

Where required by applicable law or contract, VAOS will provide reasonable notice of material subprocessor changes and allow the Customer to object on reasonable data protection grounds.

If the Customer objects and the parties cannot reach a commercially reasonable solution, the Customer may terminate the affected Services according to the Terms of Service.

12. International Transfers

Where Customer Personal Data is transferred outside the European Economic Area, VAOS will ensure that appropriate safeguards are in place where required, such as:

  • an adequacy decision;
  • Standard Contractual Clauses;
  • Data Privacy Framework participation, where applicable;
  • supplementary safeguards where appropriate.

The Customer authorises such transfers where necessary to provide the Services, subject to the safeguards described above.

13. Assistance to the Customer

Taking into account the nature of processing and the information available to VAOS, VAOS will provide reasonable assistance to the Customer with:

  • responding to data subject requests;
  • implementing appropriate security measures;
  • personal data breach notifications;
  • data protection impact assessments, where required;
  • consultations with supervisory authorities, where required.

VAOS may charge reasonable fees for assistance that is not included in standard support or requires significant additional work.

14. Data Subject Requests

If VAOS receives a request from a data subject relating to Customer Personal Data, VAOS will, where legally permitted:

  • notify the Customer;
  • not respond substantively unless instructed by the Customer or required by law;
  • provide reasonable assistance to enable the Customer to respond.

15. Personal Data Breach

If VAOS becomes aware of a personal data breach affecting Customer Personal Data, VAOS will notify the Customer without undue delay.

The notification will include, where available:

  • description of the nature of the breach;
  • categories and approximate number of affected data subjects and records;
  • likely consequences;
  • measures taken or proposed to address the breach;
  • contact point for further information.

The Customer is responsible for determining whether notification to a supervisory authority or data subjects is required.

16. Deletion or Return of Data

Upon termination of the Services or upon documented Customer request, VAOS will delete or return Customer Personal Data, unless retention is required by law.

Deletion may be subject to:

  • backup retention cycles;
  • legal obligations;
  • fraud prevention;
  • security investigations;
  • dispute resolution;
  • accounting or tax requirements.

17. Audits

VAOS will make available information reasonably necessary to demonstrate compliance with this DPA.

Audits must:

  • be requested with reasonable prior notice;
  • be limited to data protection matters relevant to the Services;
  • avoid disruption to VAOS operations;
  • protect confidential information of VAOS and other customers;
  • be performed no more than once per year unless required due to a confirmed security incident or mandatory law.

Where possible, VAOS may satisfy audit requests by providing security documentation, policies, certificates, questionnaires or third-party reports.

18. Customer Obligations

The Customer is responsible for:

  • complying with applicable data protection laws;
  • providing required notices to data subjects;
  • ensuring a valid legal basis for processing;
  • ensuring that Customer Personal Data is accurate and lawful;
  • limiting personal data uploaded to what is necessary;
  • managing user access and permissions;
  • responding to data subject requests;
  • ensuring that use of VAOS complies with internal policies and professional obligations.

19. Liability

Liability under this DPA is governed by the liability provisions of the Terms of Service or applicable written agreement between the parties.

20. Governing Law

This DPA is governed by the laws of Spain, unless otherwise required by applicable data protection law.

21. Contact

For data protection questions, contact:

DEEP BRIDGE MARITIME CONSULTING
Email: vaos@vaos.es
Website: https://vaos.es
VAOS logo

A professional workspace for maritime auditors, superintendents and vetting teams.

Subscribe to VAOS updates

Receive important product updates, early access news and maritime audit workflow insights.

Verification loads only after you start filling out the form.

No spam. Unsubscribe anytime.

Copyright © 2026 Deep Bridge Maritime Consulting.

  • Legal Center
  • Terms of Service
  • Privacy Policy
  • Cookie Policy
  • Contact