Data Processing Addendum
Last updated: 18 December 2025
This Data Processing Addendum ("DPA") forms part of the Terms of Use between CardITvisio ("Processor," "we," "us") and the Customer ("Controller," "you") for the use of CardITvisio services.
This DPA applies where CardITvisio processes personal data on behalf of the Customer, particularly in compliance with the General Data Protection Regulation (GDPR), UK GDPR, and other applicable data protection laws.
1. Definitions
- "Controller" means the entity that determines the purposes and means of processing personal data (you, the Customer).
- "Processor" means the entity that processes personal data on behalf of the Controller (CardITvisio).
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on personal data, including collection, storage, use, and deletion.
- "Sub-processor" means any third party engaged by the Processor to process personal data.
- "Data Subject" means an identified or identifiable natural person whose personal data is processed.
- "Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
2. Scope of Processing
CardITvisio processes personal data solely for the purpose of providing the Service as described in the Terms of Use. This includes:
- Processing uploaded images to generate PDF files
- Managing user accounts and authentication
- Processing payments through our payment provider
- Providing customer support
- Maintaining service security and preventing fraud
Types of Personal Data
| Category | Data Types | Data Subjects |
|---|---|---|
| Account Data | Email address, password hash | Registered users |
| Payment Data | Transaction IDs, payment method type | Paying customers |
| Uploaded Content | Images (may contain personal data) | Determined by user uploads |
| Usage Data | IP address, browser info, usage patterns | All users |
3. Processor Obligations
CardITvisio agrees to:
3.1 Processing Instructions
- Process personal data only on documented instructions from the Controller
- Inform the Controller if any instruction infringes applicable data protection law
- Not process personal data for any purpose other than providing the Service
3.2 Confidentiality
- Ensure that persons authorized to process personal data are bound by confidentiality obligations
- Limit access to personal data to personnel who need it to perform their duties
3.3 Security Measures
Implement appropriate technical and organizational measures including:
- Encryption of data in transit (HTTPS/TLS)
- Secure hosting with reputable providers
- Regular security assessments
- Access controls and authentication
- Incident response procedures
3.4 Assistance
- Assist the Controller in responding to data subject requests
- Assist with data protection impact assessments when required
- Assist with regulatory consultations when required
4. Sub-processors
The Controller provides general authorization for CardITvisio to engage sub-processors. We will:
- Maintain a list of current sub-processors
- Notify the Controller of any intended changes to sub-processors
- Ensure sub-processors are bound by equivalent data protection obligations
- Remain liable for sub-processor compliance
Current Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Netlify, Inc. | Website hosting and CDN | United States |
| Paystack Payments Ltd. | Payment processing | Nigeria / Global |
| Railway Corp. | Backend infrastructure | United States |
For the current list of sub-processors, contact support@carditvisio.com.
5. International Data Transfers
Personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, Nigeria, and South Africa.
For such transfers, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): EU-approved data transfer agreements with sub-processors
- Adequacy Decisions: Where the destination country has been deemed adequate by the European Commission
- Supplementary Measures: Additional technical and organizational protections where required
6. Data Breach Notification
In the event of a personal data breach, CardITvisio will:
- Notify the Controller without undue delay (and within 72 hours where feasible) after becoming aware of the breach
- Provide information about the nature of the breach, categories of data affected, and approximate number of data subjects
- Describe likely consequences and measures taken to address the breach
- Cooperate with the Controller's breach response and regulatory notifications
7. Data Subject Requests
If CardITvisio receives a request from a data subject to exercise their rights (access, rectification, erasure, etc.), we will:
- Promptly notify the Controller of the request
- Not respond directly to the data subject unless authorized by the Controller
- Provide reasonable assistance to enable the Controller to respond within required timeframes
- Implement technical measures to facilitate data subject rights
8. Data Deletion and Return
Upon termination of the Service or at the Controller's request:
- CardITvisio will delete or return all personal data within 30 days
- Deletion includes all copies in our systems and sub-processor systems
- We will provide written confirmation of deletion upon request
- Retention may be required where necessary for legal compliance (e.g., tax records)
Automatic Deletion
The following data is automatically deleted:
- Uploaded images: Immediately after PDF generation
- Inactive accounts: After 24 months of inactivity (with prior notice)
9. Audit Rights
CardITvisio will make available to the Controller information necessary to demonstrate compliance with this DPA and applicable data protection laws.
The Controller may:
- Request information about our data protection practices
- Request evidence of compliance (certifications, audit reports)
- Conduct or commission audits with reasonable notice and during business hours
Any on-site audit shall be at the Controller's expense and subject to reasonable confidentiality obligations.
10. Liability
Each party's liability under this DPA is subject to the limitations set forth in the Terms of Use, except where such limitation is prohibited by applicable data protection law.
Nothing in this DPA limits either party's liability for breaches of its obligations under applicable data protection laws.
11. Governing Law
This DPA is governed by the laws specified in the Terms of Use (Republic of South Africa), except that:
- For EU/EEA data subjects, GDPR provisions and interpretations apply
- For UK data subjects, UK GDPR and Data Protection Act 2018 apply
- Mandatory provisions of local data protection law take precedence
12. Contact Information
For questions about this DPA or to exercise any rights, please contact:
Email: support@carditvisio.com
Subject Line: DPA Inquiry