Data Processing Agreement
Last Updated: February 2026
1. Definitions
For the purposes of this Data Processing Agreement ("DPA"), the following terms shall have the meanings set out below:
- "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. In the context of this DPA, the Controller is the customer ("you") who uses VebboPay services and on whose behalf Cibeeo Inc SRL processes Personal Data.
- "Processor" means the natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller. In the context of this DPA, the Processor is Cibeeo Inc SRL, the operator of VebboPay.
- "Sub-processor" means any third party engaged by the Processor to carry out specific processing activities on behalf of the Controller.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA.
- "Personal Data" means any information relating to a Data Subject, as defined in Article 4(1) of the GDPR.
- "Processing" means any operation or set of operations performed on Personal Data or sets of Personal Data, as defined in Article 4(2) of the GDPR.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
- "Supervisory Authority" means an independent public authority established by an EU Member State pursuant to Article 51 of the GDPR. The lead supervisory authority for Cibeeo Inc SRL is the Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) of Romania.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed, as defined in Article 4(12) of the GDPR.
2. Scope and Purpose of Processing
This DPA applies where Cibeeo Inc SRL (operating as VebboPay) processes Personal Data on behalf of the Controller in connection with the provision of VebboPay's financial technology services. The subject matter, duration, nature, and purpose of the processing, the types of Personal Data processed, and the categories of Data Subjects are described below:
- Subject Matter: Processing of Personal Data as necessary for the provision of VebboPay payment processing, AI Agent automation, financial management, and related services
- Duration: For the duration of the agreement between the Controller and Cibeeo Inc SRL, plus any retention period required by applicable law
- Nature and Purpose: Payment processing, transaction execution, identity verification, fraud prevention, AI Agent operations, financial reporting, regulatory compliance, and customer support
- Types of Personal Data: Name, email address, phone number, postal address, date of birth, government identification numbers, financial account information, transaction data, IP addresses, device identifiers, and AI Agent interaction data
- Categories of Data Subjects: The Controller's customers, employees, contractors, authorized representatives, payment recipients, and other individuals whose Personal Data is processed through VebboPay services
3. Obligations of the Processor
Cibeeo Inc SRL, as Processor, undertakes to:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which the Processor is subject (Article 28(3)(a) GDPR)
- Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Article 28(3)(b) GDPR)
- Take all measures required pursuant to Article 32 of the GDPR (security of processing)
- Respect the conditions for engaging Sub-processors as set out in Section 6 of this DPA (Article 28(3)(d) GDPR)
- Assist the Controller, taking into account the nature of processing, by appropriate technical and organizational measures, in fulfilling the Controller's obligation to respond to requests for exercising Data Subject rights (Article 28(3)(e) GDPR)
- Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor (Article 28(3)(f) GDPR)
- At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data (Article 28(3)(g) GDPR)
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (Article 28(3)(h) GDPR)
4. Obligations of the Controller
The Controller undertakes to:
- Ensure that it has a lawful basis for the processing of Personal Data and that all necessary consents have been obtained or other legal bases apply
- Provide the Processor with documented instructions regarding the processing of Personal Data
- Ensure that the Personal Data provided to the Processor is accurate, complete, and up to date
- Comply with all applicable data protection laws in relation to its use of VebboPay services and the instructions it provides to the Processor
- Conduct Data Protection Impact Assessments (DPIAs) where required by Article 35 of the GDPR in relation to its use of VebboPay services
- Notify the Processor without undue delay of any changes to applicable data protection laws that may affect the Processor's obligations under this DPA
- Respond to and resolve Data Subject requests, with the assistance of the Processor as described in this DPA
5. Data Security Measures
In accordance with Article 32 of the GDPR, Cibeeo Inc SRL implements and maintains appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, including but not limited to:
- Encryption: Encryption of Personal Data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent)
- Pseudonymization: Application of pseudonymization techniques where appropriate to minimize the risk of identification
- Confidentiality: Measures to ensure the ongoing confidentiality of processing systems and services, including role-based access controls, multi-factor authentication, and the principle of least privilege
- Integrity: Measures to ensure the ongoing integrity of processing systems and services, including data validation, checksums, and audit logging
- Availability and Resilience: Measures to ensure the ongoing availability and resilience of processing systems and services, including redundant infrastructure, automated failover, disaster recovery procedures, and regular backups
- Regular Testing: Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures, including penetration testing, vulnerability assessments, and security audits conducted at least annually
- Physical Security: Physical security measures at data center facilities, including access controls, surveillance, and environmental controls
- Employee Security: Background checks, security training, and confidentiality obligations for all employees with access to Personal Data
- Incident Response: Documented incident response procedures for the detection, investigation, and remediation of security incidents
6. Sub-processor Management and Notification
6.1 Authorization
The Controller provides general written authorization to Cibeeo Inc SRL to engage Sub-processors for the processing of Personal Data in connection with VebboPay services, subject to the requirements set out in this section.
6.2 Sub-processor List
Cibeeo Inc SRL maintains a current list of Sub-processors, which is available to the Controller upon request and is updated on our website. The list includes the name, location, and nature of processing performed by each Sub-processor.
6.3 Notification of Changes
Cibeeo Inc SRL will provide the Controller with prior written notice of at least thirty (30) calendar days before engaging a new Sub-processor or replacing an existing Sub-processor. The notice will include the identity of the Sub-processor, the nature of the processing to be performed, and the location of processing.
6.4 Objection Right
The Controller may object to the engagement of a new Sub-processor within fourteen (14) calendar days of receiving notification, provided that the objection is based on reasonable grounds relating to data protection. If the Controller objects, Cibeeo Inc SRL will make reasonable efforts to make available to the Controller a change in the services or recommend a commercially reasonable alternative. If no alternative is available, either party may terminate the affected services with respect to the processing that requires the objected-to Sub-processor.
6.5 Sub-processor Obligations
Cibeeo Inc SRL ensures that each Sub-processor is bound by data protection obligations no less protective than those set out in this DPA, by way of a written contract. Cibeeo Inc SRL remains fully liable to the Controller for the performance of each Sub-processor's obligations.
7. International Data Transfers
Cibeeo Inc SRL processes Personal Data primarily within the European Economic Area (EEA). Where Personal Data is transferred to countries outside the EEA that have not been recognized by the European Commission as providing an adequate level of data protection, Cibeeo Inc SRL ensures appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs): The European Commission's Standard Contractual Clauses adopted pursuant to Commission Implementing Decision (EU) 2021/914, as applicable
- Adequacy Decisions: Reliance on European Commission adequacy decisions pursuant to Article 45 of the GDPR where available for the recipient country
- Supplementary Measures: Where required following a transfer impact assessment, additional technical, organizational, or contractual measures to ensure an essentially equivalent level of protection
- Binding Corporate Rules (BCRs): Where applicable and approved by the relevant supervisory authority
Cibeeo Inc SRL conducts transfer impact assessments for data transfers to third countries to evaluate the laws and practices of the recipient country and the effectiveness of the safeguards in place, in accordance with the guidance of the European Data Protection Board (EDPB).
8. Data Subject Rights Assistance
Cibeeo Inc SRL assists the Controller in responding to requests from Data Subjects exercising their rights under the GDPR, including:
- Right of Access (Article 15): Providing the Controller with the Personal Data processed and relevant information about the processing
- Right to Rectification (Article 16): Correcting inaccurate Personal Data upon instruction from the Controller
- Right to Erasure (Article 17): Deleting Personal Data upon instruction from the Controller, subject to legal retention obligations
- Right to Restriction of Processing (Article 18): Restricting the processing of Personal Data upon instruction from the Controller
- Right to Data Portability (Article 20): Providing Personal Data in a structured, commonly used, and machine-readable format upon instruction from the Controller
- Right to Object (Article 21): Ceasing the processing of Personal Data upon instruction from the Controller where the Data Subject has exercised their right to object
- Rights Related to Automated Decision-Making (Article 22): Assisting the Controller in providing human intervention, explanation, and the ability to contest automated decisions
If a Data Subject contacts Cibeeo Inc SRL directly with a request, we will promptly redirect the request to the Controller and will not respond directly to the Data Subject without the Controller's instruction, unless legally required to do so.
9. Data Breach Notification
In the event of a Data Breach affecting Personal Data processed on behalf of the Controller, Cibeeo Inc SRL will:
- Notify the Controller without undue delay and in any event within seventy-two (72) hours of becoming aware of the Data Breach, in accordance with Articles 33 and 34 of the GDPR
- Provide the Controller with sufficient information to enable the Controller to meet its own notification obligations to the relevant Supervisory Authority and, where applicable, to affected Data Subjects
- Include in the notification, to the extent available: a description of the nature of the Data Breach including the categories and approximate number of Data Subjects and records concerned; the name and contact details of the Data Protection Officer or other contact point; a description of the likely consequences of the Data Breach; and a description of the measures taken or proposed to be taken to address the Data Breach, including measures to mitigate its possible adverse effects
- Cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the Data Breach
- Document the Data Breach, including its facts, effects, and remedial actions taken, in accordance with Article 33(5) of the GDPR
10. Data Retention and Deletion
Upon termination or expiry of the services agreement between the Controller and Cibeeo Inc SRL, and upon the Controller's written request, Cibeeo Inc SRL will:
- Return all Personal Data to the Controller in a commonly used, machine-readable format; and/or
- Securely delete all Personal Data in its possession or control, including all copies and backups, using industry-standard data destruction methods
Cibeeo Inc SRL will complete the return or deletion within ninety (90) calendar days of receiving the Controller's request, unless applicable Union or Member State law requires continued storage, in which case Cibeeo Inc SRL will inform the Controller of the legal requirement and limit further processing to the extent required by law. Cibeeo Inc SRL will provide written confirmation of deletion upon request.
11. Audit Rights
The Controller has the right to audit Cibeeo Inc SRL's compliance with this DPA, subject to the following conditions:
- The Controller shall provide at least thirty (30) calendar days' prior written notice of any audit
- Audits shall be conducted during normal business hours and shall not unreasonably interfere with Cibeeo Inc SRL's business operations
- The Controller may engage a qualified, independent third-party auditor, provided the auditor has entered into appropriate confidentiality obligations
- The scope of the audit is limited to Cibeeo Inc SRL's compliance with its obligations under this DPA and applicable data protection laws
- Cibeeo Inc SRL may satisfy audit requests by providing the Controller with copies of relevant certifications, audit reports (e.g., SOC 2 Type II), or summaries prepared by independent third-party auditors, to the extent they address the Controller's audit objectives
- The Controller shall bear its own costs of the audit, except where the audit reveals material non-compliance by Cibeeo Inc SRL, in which case Cibeeo Inc SRL shall bear the reasonable costs of the audit
12. Liability and Indemnification
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the underlying services agreement between the Controller and Cibeeo Inc SRL. Without prejudice to any mandatory provisions of the GDPR:
- Each party shall be liable for damage caused by processing that infringes the GDPR in accordance with Article 82 of the GDPR
- The Processor shall be liable for damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside of or contrary to the lawful instructions of the Controller
- Each party agrees to indemnify and hold harmless the other party from and against any fines, claims, demands, actions, settlements, costs, and expenses (including reasonable legal fees) arising from the indemnifying party's breach of this DPA or applicable data protection laws
- Where both Controller and Processor are involved in processing that causes damage to a Data Subject, each party shall be held liable for the entire damage in order to ensure effective compensation of the Data Subject, in accordance with Article 82(4) of the GDPR. The party that has paid full compensation may exercise a right of contribution against the other party
13. Term and Termination
This DPA shall come into effect on the date the Controller begins using VebboPay services and shall remain in effect for as long as Cibeeo Inc SRL processes Personal Data on behalf of the Controller. The obligations of Cibeeo Inc SRL under this DPA shall survive any termination or expiration of the services agreement to the extent necessary to fulfill the data return, deletion, and confidentiality obligations described herein.
Either party may terminate this DPA upon written notice if:
- The underlying services agreement between the parties is terminated or expires
- The other party commits a material breach of this DPA and fails to remedy such breach within thirty (30) calendar days of receiving written notice of the breach
- A Supervisory Authority orders the cessation of processing
- Changes in applicable data protection law render continued processing under this DPA unlawful
14. Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the laws of Romania and the European Union. Any disputes arising out of or in connection with this DPA shall be submitted to the exclusive jurisdiction of the competent courts of Bucharest, Romania, without prejudice to the right of either party or any Data Subject to lodge a complaint with a Supervisory Authority.
15. Severability
If any provision of this DPA is found to be invalid or unenforceable by a court of competent jurisdiction, the remaining provisions shall continue in full force and effect. The invalid or unenforceable provision shall be replaced by a valid and enforceable provision that most closely reflects the intent of the original provision.
16. Contact Information
For questions, requests, or notices related to this Data Processing Agreement, please contact our Data Protection Officer:
- Email: dpo@vebbopay.com
- Company: Cibeeo Inc SRL
- Subject Reference: Data Processing Agreement Inquiry