Policy Center
Vantus legal policies
Client-facing terms, privacy, accessibility, data processing, copyright, security reporting, and vendor disclosures for Vantus Systems public services.
Data Processing Agreement
This page summarizes the data-processing terms Vantus uses when it processes customer personal data as a processor, service provider, contractor, or similar role. The signed agreement controls the actual engagement.
When a DPA applies
A Data Processing Agreement applies when a customer asks Vantus to process personal data on the customer's behalf. The DPA is designed to support obligations under applicable privacy and security laws, including GDPR-style processor terms where relevant, U.S. state privacy laws, the Florida Digital Bill of Rights when applicable, the Florida Information Protection Act, and customer-specific contract requirements.
This public page is a summary. It does not replace a signed DPA, master service agreement, statement of work, business associate agreement, or security addendum.
Core processing commitments
Documented instructions
When Vantus acts as a processor or service provider, we process customer personal data only on documented customer instructions and for the engagement purposes described in the agreement.
Confidentiality
Personnel and contractors with access to customer data are bound by confidentiality and access-control obligations appropriate to their role.
Security measures
We use reasonable technical and organizational safeguards, including access controls, encryption in transit, audit logging, credential protection, and incident-response workflows.
Subprocessors
We maintain a public subprocessor list and use subprocessors only for documented delivery, hosting, security, support, analytics, billing, or communication purposes.
Assistance with rights requests
We assist customers with access, deletion, correction, portability, opt-out, and appeal requests when the customer is responsible for responding to the individual.
Deletion and return
At termination or request, we return, delete, anonymize, or securely retain customer personal data as required by the agreement and applicable law.
Security and breach support
Vantus maintains administrative, technical, and organizational controls appropriate to the nature of the engagement. These may include least-privilege access, multi-factor authentication for administrative systems, encryption in transit, secure credential storage, audit trails, vulnerability handling, incident triage, and vendor-risk management.
If Vantus becomes aware of a security incident involving customer personal data, we will notify the customer without undue delay and provide information reasonably needed to meet the customer's legal obligations. For Florida personal information, vendor agreements should support the 10-day third-party agent notice window and the customer's 30-day breach-notification workflow where applicable.
Sensitive, child, biometric, geolocation, and health data
Vantus does not need sensitive data, child data, biometric data, precise geolocation data, protected health information, or personal health record data for ordinary public-site use. Customers must not submit those categories unless the signed agreement expressly authorizes the processing and identifies the safeguards, purposes, retention limits, consent or authorization basis, and vendor duties.
If a customer engagement involves protected health information, personal health records, health-app integrations, or HIPAA-regulated workflows, Vantus will use the applicable business associate agreement, health-data addendum, vendor assurances, and breach procedures before processing that data.
Subprocessors and vendor changes
The public subprocessor list is available at /legal/subprocessors. Customer agreements may provide notice periods, objection rights, or additional controls for subprocessor changes. Vantus requires subprocessors to process data only for authorized purposes and to maintain reasonable security measures.
Data lifecycle
Customer personal data is retained only for the engagement, support, legal, security, tax, accounting, audit, and dispute needs described in the agreement. When retention is no longer required, Vantus deletes, anonymizes, returns, or otherwise disposes of data using reasonable measures designed to prevent unauthorized access or use.
Requesting a DPA
Existing or prospective customers can request the current DPA, technical and organizational measures summary, or regulated-data addendum by emailing legal@vantus.systems or using the contact form.