/* VALDEX — Data Processing Addendum */ const UPDATED_DPA = "May 18, 2026"; function DPAPage() { return (

This Data Processing Addendum ("DPA") forms part of the Terms of Engagement and any engagement charter between VALDEX LLC (a Wyoming limited liability company —{" "} "Valdex", "Processor") and the business signing it ("Client", "Controller"). It applies whenever Valdex processes personal data on Client's behalf in the course of providing the services.

The DPA covers obligations under the EU General Data Protection Regulation (GDPR), the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection (revFADP), and the{" "} California Consumer Privacy Act / CPRA as a service-provider agreement. Where one regime imposes a stricter standard than another, the stricter standard applies.

How to execute. A counter-signed copy can be requested by emailing legal@valdexai.com. Many clients accept incorporation by reference in the engagement charter; we will do that if your procurement allows.

} sections={[ { id: "definitions", h: "1. Definitions", body: (

Capitalized terms not defined here have the meaning given to them in the GDPR, UK GDPR, or CCPA, as applicable. The following definitions apply:

"Applicable Data Protection Law" means the GDPR, the UK GDPR, the Swiss revFADP, the CCPA/CPRA, and any other privacy or data-protection law applicable to the processing of Client Personal Data.
"Client Personal Data" means personal data (as defined in Applicable Data Protection Law) that Valdex processes on behalf of Client in providing the services.
"Data Subject" means an identified or identifiable natural person whose personal data is processed under this DPA.
"EEA" means the European Economic Area.
"EU SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 — Modules in force as referenced in Schedule 4.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Personal Data.
"Sub-processor" means any third party engaged by Valdex to process Client Personal Data on behalf of Client.
"Supervisory Authority" means an independent public authority responsible for monitoring the application of data-protection law.
"UK Addendum" means the UK International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018.

)}, { id: "roles", h: "2. Roles of the parties", body: (

The parties acknowledge that, with respect to the processing of Client Personal Data under this DPA:

Client is the Controller and Valdex is the Processor for the personal data Client provides or makes accessible.
Where Client is itself a processor acting on behalf of one of its own controllers, Client warrants it has the authority to engage Valdex as a sub-processor on those controllers' behalf, and Valdex will be a sub-processor.
For the purposes of the CCPA, Valdex acts as a service provider to Client and not as a third party.
For Valdex's separate processing of Client's own business-contact and billing data (rather than Client's end-user data), Valdex is an independent controller and the privacy notice applies.

)}, { id: "scope", h: "3. Scope and processing instructions", body: (

The subject matter, duration, nature, and purpose of the processing, the types of Client Personal Data, and the categories of Data Subjects are described in{" "} Schedule 1.

Valdex will process Client Personal Data only on documented instructions from Client, including the engagement charter, this DPA, and any subsequent written instructions Client provides. The Terms of Engagement, the engagement charter, and this DPA constitute Client's initial documented instructions.

Valdex will inform Client without undue delay if, in Valdex's opinion, an instruction infringes Applicable Data Protection Law. Valdex may suspend processing under the instruction (without liability) until Client confirms or amends it.

Valdex will not (a) sell Client Personal Data; (b) share Client Personal Data for cross-context behavioral advertising; (c) retain, use, or disclose Client Personal Data for any purpose other than the specific purpose of providing the services, including for any commercial purpose other than the services; (d) retain, use, or disclose Client Personal Data outside the direct business relationship between the parties; or (e) combine Client Personal Data with personal information received from another source, except as expressly permitted by the CCPA. Valdex certifies that it understands and will comply with these restrictions.

Valdex will not use Client Personal Data to develop, train, or improve any AI/ML model — including Valdex's own internal tools, third- party generative-model providers, or any model whatsoever — without Client's prior written authorization for a specific, scoped purpose.

)}, { id: "confidentiality", h: "4. Confidentiality of personnel", body: (

Valdex will ensure that personnel authorized to process Client Personal Data have committed themselves to confidentiality (either contractually or under a statutory obligation of confidentiality), are made aware of the confidential nature of the data, and receive the training necessary to handle it.

)}, { id: "security", h: "5. Security of processing", body: (

Valdex will implement and maintain appropriate technical and organizational measures ("TOMs") to ensure a level of security appropriate to the risk, including the measures described in{" "} Schedule 2. Specifically, Valdex will:

Encrypt Client Personal Data in transit (TLS 1.2+) and at rest where the storage provider supports it.
Maintain the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
Maintain the ability to restore the availability and access to Client Personal Data in a timely manner in the event of a physical or technical incident.
Have a process for regularly testing, assessing, and evaluating the effectiveness of the TOMs.
Apply least-privilege access; require strong authentication including phishing-resistant second factor for all personnel.
Maintain access logs to systems holding Client Personal Data and review them as part of the security program.

The complete current statement of TOMs is at /trust and in Schedule 2.

)}, { id: "subprocessors", h: "6. Sub-processors", body: (

Client provides general authorization for Valdex to engage Sub-processors, subject to the conditions in this Section.

The current list of Sub-processors is published at{" "} /subprocessors and at Schedule 3. Before engaging a new Sub-processor that will process Client Personal Data, Valdex will:

Update the published Sub-processor list at least 30 days in advance of the new Sub-processor beginning processing.
Notify Client by email (or via the subscription mechanism on the Sub-processors page).
Enter into a written agreement with the Sub-processor imposing data-protection obligations no less protective than those in this DPA, including obligations sufficient to provide adequate safeguards for cross-border transfers.

Right to object. Client may object to the engagement of a new Sub-processor on reasonable grounds within the 30-day notice period. The parties will discuss the objection in good faith. If Valdex cannot reasonably accommodate the objection, Client may terminate the affected engagement on written notice, without penalty for the unfulfilled balance of that engagement (Client remains responsible for amounts due for work already performed).

Valdex remains liable to Client for the acts and omissions of its Sub-processors to the same extent it would be liable for its own.

)}, { id: "dsr", h: "7. Assistance with Data-Subject requests", body: (

Taking into account the nature of the processing, Valdex will assist Client by appropriate technical and organizational measures, insofar as possible, for the fulfillment of Client's obligation to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law — including access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making.

If Valdex receives a request directly from a Data Subject relating to Client Personal Data, Valdex will (a) not respond to the request other than to confirm receipt and refer the Data Subject to Client, and (b) forward the request to Client without undue delay. Valdex will respond to Client's instructions on how to handle the request within the time required by Applicable Data Protection Law.

)}, { id: "breach", h: "8. Personal Data Breach notification", body: (

Valdex will notify Client without undue delay, and in any event within{" "} 72 hours of becoming aware, of a Personal Data Breach affecting Client Personal Data. The notification will include, to the extent known:

A description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned.
The likely consequences of the breach.
The measures taken or proposed to address the breach and mitigate its possible adverse effects.
The contact point for further information.

Where it is not possible to provide all information at once, Valdex will provide it in phases without further undue delay.

Valdex will cooperate with Client and provide reasonable assistance in investigating, mitigating, and remediating the breach, and in fulfilling Client's notification obligations to Supervisory Authorities and Data Subjects.

)}, { id: "dpia", h: "9. Data-protection impact assessments and prior consultation", body: (

Valdex will provide reasonable assistance to Client with any data-protection impact assessments and prior consultations with Supervisory Authorities that Client is required to carry out under Applicable Data Protection Law, where the assistance relates to the processing carried out by Valdex.

)}, { id: "audits", h: "10. Audits and information rights", body: (

Valdex will make available to Client all information necessary to demonstrate compliance with this DPA. Client may exercise audit rights as follows:

Information requests. Valdex will respond to reasonable Client information requests (security questionnaires, evidence of certifications, summary penetration-test results) within a reasonable time at no charge.
Documentary audits. Once per 12 months, Client may request a remote documentary audit of Valdex's processing practices. Valdex will provide its current TOMs description, sub-processor list, and any then-current third-party attestations (e.g. SOC 2 report when available).
On-site audits. Where Applicable Data Protection Law requires an on-site audit, or following a confirmed Personal Data Breach affecting Client, the parties will agree on the scope, timing, and conduct of the audit. On-site audits will be conducted during business hours, with reasonable advance notice, by Client or by an independent auditor agreed with Valdex (not a competitor of Valdex), under terms of confidentiality, at Client's expense.

Audit findings are confidential and will be used solely for verifying Valdex's compliance with this DPA. Valdex will remediate confirmed material non-conformities within a reasonable timeline.

)}, { id: "transfers", h: "11. International data transfers", body: (

Where Client Personal Data originating in the EEA, the United Kingdom, or Switzerland is transferred to a country outside the originating jurisdiction that does not benefit from an adequacy decision, the transfer is subject to the appropriate safeguards described below and detailed in{" "} Schedule 4.

EU/EEA transfers

The parties incorporate the EU SCCs by reference. The Module used depends on the parties' roles:

Module 2 (Controller-to-Processor) applies where Client is the controller and Valdex is the processor.
Module 3 (Processor-to-Processor) applies where Client is itself a processor and Valdex acts as a sub-processor.

The optional docking clause is not used. The optional language for independent dispute resolution is selected. Clause 17 (governing law) is completed with the law of Ireland. Clause 18(b) (forum) is completed with the courts of Ireland.

UK transfers

Transfers of UK personal data are governed by the UK Addendum to the EU SCCs. The UK Addendum is incorporated by reference, with Table 1 completed as in Schedule 1, Table 2 selected as "the latest version of the EU SCCs in force as referenced above," and Table 3 completed as in Schedule 1.

Swiss transfers

For transfers governed by the Swiss revFADP, the EU SCCs apply with references adapted: references to the GDPR are read as references to the revFADP, references to a Supervisory Authority and to EU/EEA Member States are read as references to the Swiss Federal Data Protection and Information Commissioner and Switzerland respectively, and references to the law of an EU Member State are read as references to Swiss law.

U.S. Data Privacy Framework

Where a Sub-processor is certified under the EU–U.S. Data Privacy Framework (DPF), the UK Extension, or the Swiss–U.S. DPF, transfers to that Sub-processor may rely on the DPF in lieu of the SCCs, at Client's election.

Transfer impact assessment

Valdex has carried out a transfer impact assessment for each then-current international transfer and will share the relevant analysis with Client on reasonable request. The assessment is updated when underlying law, jurisprudence, or facts materially change.

)}, { id: "ccpa", h: "12. CCPA / CPRA service-provider terms", body: (

For Client Personal Data subject to the CCPA, the parties agree:

Valdex receives Client Personal Data solely to perform the services described in the engagement charter, which constitutes a "business purpose" under the CCPA.
Valdex will not sell or share (including for cross-context behavioral advertising) Client Personal Data.
Valdex will not retain, use, or disclose Client Personal Data for any purpose other than for the specific business purpose of providing the services, including for any commercial purpose other than providing the services.
Valdex will not retain, use, or disclose Client Personal Data outside the direct business relationship between Client and Valdex.
Valdex will not combine Client Personal Data with personal information that Valdex receives from another source, except as expressly permitted by CCPA § 1798.140(j)(1).
Valdex certifies that it understands these restrictions and will comply with them.
Client has the right to take reasonable and appropriate steps to ensure that Valdex uses Client Personal Data consistent with Client's obligations under the CCPA, and to stop and remediate unauthorized use of Client Personal Data.
Valdex will notify Client if it can no longer meet its CCPA obligations, and Client may, on notice, direct Valdex to stop processing or to take other reasonable and appropriate steps to remediate unauthorized use.

)}, { id: "return", h: "13. Return or deletion of Client Personal Data", body: (

On termination of the relevant engagement, Valdex will, at Client's choice expressed in writing:

Return all Client Personal Data to Client in a structured, commonly-used, machine-readable format, and delete copies; or
Delete all Client Personal Data and confirm in writing that it has done so.

In either case, deletion will be completed within 30 days of termination, unless Applicable Data Protection Law requires further storage of personal data — in which case Valdex will inform Client of the requirement, the data concerned, and the retention period.

Valdex's standard practice is described in the privacy notice §6 and the trust & security page.

)}, { id: "liability", h: "14. Liability", body: (

Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability in the Terms of Engagement, except that nothing in those limitations excludes or limits a party's liability for personal injury or death caused by its negligence, for fraud, for fraudulent misrepresentation, or for any other liability that cannot be excluded under applicable law.

)}, { id: "term", h: "15. Term, termination, and survival", body: (

This DPA takes effect on the start date of the engagement to which it relates and remains in effect until Valdex ceases processing Client Personal Data. Provisions that by their nature should survive termination — including confidentiality, breach notification, audit rights, and liability — survive termination of this DPA and of the underlying engagement.

)}, { id: "precedence", h: "16. Order of precedence and miscellaneous", body: (

In case of any conflict, this DPA prevails over the Terms of Engagement for matters of data protection. The engagement charter prevails over this DPA only where the charter expressly identifies a clause of this DPA being overridden.
Where the EU SCCs apply, the SCCs prevail over this DPA in case of conflict to the extent necessary to ensure the integrity of the SCCs.
This DPA is governed by the law of Wyoming, United States, except that the EU SCCs (where they apply) are governed by the law of Ireland as set out in Section 11.
Notices under this DPA go to the addresses in the engagement charter and to legal@valdexai.com.
Severability, no waiver, and assignment follow the Terms of Engagement.

)}, { id: "schedule1", h: "Schedule 1 — Details of processing", body: (

Subject matter of processing	Provision of digital advertising agency services — Generative Engine Optimization, Search Engine Optimization, AI content engineering, paid acquisition, attribution analytics, and agent workflows — as described in the engagement charter.
Duration of processing	The term of the underlying engagement, plus any retention period required by Section 13 or by Applicable Data Protection Law.
Nature of processing	Storage, retrieval, analysis, transformation, and transmission of Client Personal Data as necessary to provide the services.
Purpose of processing	To deliver the services agreed in the engagement charter; to produce the documents of record; and to communicate with Client about the engagement.
Categories of Data Subjects	Client's employees and contractors; Client's customers and prospects whose data Client makes accessible; visitors to Client's web properties; recipients of Client's marketing communications.
Types of Personal Data	Contact details (name, email, phone, role, company); device and online identifiers (cookies, advertising IDs) where Client uses them; analytics data (pages viewed, events, attribution); content of communications Client shares for the work; commercial information (transaction history) where Client provides it. Sensitive / special-category data is not processed unless specifically agreed in the engagement charter and the corresponding TOMs are confirmed.
Frequency of transfer	Continuous, for the duration of the engagement.
Retention period	As specified in Section 13 of this DPA and the engagement charter; in default, 30 days post-termination for active Client Personal Data and 7 years for contractual records.
Competent Supervisory Authority (Module 2 SCCs)	If Client is established in an EU/EEA Member State, the Supervisory Authority of that Member State. If Client is not established in the EU/EEA but has a representative in the Union, the Supervisory Authority of the Member State of the representative. Otherwise, the Irish Data Protection Commission as the default.

)}, { id: "schedule2", h: "Schedule 2 — Technical and organizational measures", body: (

The TOMs in force at the time of this DPA are summarized below and described in detail at /trust:

Pseudonymization and encryption. TLS 1.2+ for all transport; AES-256-equivalent at rest via the storage provider; credentials encrypted end-to-end in 1Password Business.
Ongoing confidentiality, integrity, availability, and resilience. Reliance on certified providers (Google Workspace, Stripe, Cloudflare) for the underlying infrastructure. No self-hosted database holds Client Personal Data.
Restoration of availability. Provider-native backup and recovery for Google Workspace and Stripe. Engagement workspaces are reproducible from source.
Testing and evaluation. Annual internal review of security controls; external penetration test scheduled (Q3 2026); SOC 2 Type I scheduled (Q1 2027).
Identity and access. SSO via Google Workspace; phishing-resistant hardware-key 2FA mandatory; least-privilege role assignment; quarterly access reviews; same-day deprovisioning on personnel departure.
Personnel. Confidentiality and IP-assignment agreements signed before access; training on data-protection responsibilities.
Physical and operational security. Endpoint full-disk encryption; auto-lock; OS auto-update; managed by an MDM-equivalent profile.
Incident response. Documented runbook; 72-hour breach notification commitment; post-incident review.
Vendor management. Written DPA with each Sub-processor (Schedule 3); periodic review of Sub-processor certifications.
Data minimization. We request from Client only the data necessary to perform the engagement.

)}, { id: "schedule3", h: "Schedule 3 — Sub-processors", body: (

The current list of Sub-processors authorized to process Client Personal Data is maintained at /subprocessors and is incorporated into this DPA by reference. Each Sub-processor is bound by a written agreement imposing data-protection obligations no less protective than those in this DPA.

)}, { id: "schedule4", h: "Schedule 4 — Standard Contractual Clauses (incorporated)", body: (

The EU SCCs are incorporated into this DPA by reference and form an integral part of it. The following selections complete the SCCs:

Module: Module 2 (Controller-to-Processor) by default; Module 3 (Processor-to-Processor) where Client acts as a processor on behalf of a separate controller.
Clause 7 (Docking clause): not used.
Clause 9(a) (Use of Sub-processors): Option 2 (General written authorization) applies — Sub-processors listed in Schedule 3, with at least 30 days' prior notice for changes.
Clause 11(a) (Redress): the optional language is selected — independent dispute-resolution body.
Clause 17 (Governing law): the law of Ireland.
Clause 18(b) (Choice of forum and jurisdiction): the courts of Ireland.
Annex I.A (Parties): Client (data exporter) and Valdex (data importer), with contact details from the engagement charter.
Annex I.B (Description of transfer): as set out in Schedule 1.
Annex I.C (Competent supervisory authority): as set out in Schedule 1.
Annex II (Technical and organizational measures): as set out in Schedule 2.
Annex III (List of Sub-processors): as set out in Schedule 3.

The UK Addendum is incorporated where UK personal data is transferred, with Tables 1–4 completed as described in Section 11.

)}, { id: "signature", h: "Execution", body: (

Self-executing. Where Client's procurement process accepts incorporation by reference, this DPA is in force from the start of the engagement.

Counter-signed. For Client procurement that requires a signed copy, request one at{" "} legal@valdexai.com{" "} with subject "DPA signature request" — we will return a signed copy within 5 business days, ordinarily via DocuSign.

VALDEX LLC
1309 Coffeen Ave, Ste 1200
Sheridan, WY 82801, United States
legal@valdexai.com · (762) 760-1179

)}, ]} /> ); } ReactDOM.createRoot(document.getElementById("root")).render();