This Data Processing Agreement (“DPA”) is incorporated by reference into the Terms of Service between United Vows (“Processor”) and you (“Controller”) when you use United Vows to process Personal Data on behalf of your customers (couples) or other end users. It is intended to satisfy the processor-controller terms required by Article 28 GDPR, the UK GDPR, the California Consumer Privacy Act, and similar laws.
When this applies: This DPA applies when a vendor uses United Vows to manage couple data (RSVPs, contact details, contracts, payments) and acts as a Controller for that data while United Vows acts as a Processor. It also applies to United Vows' sub-processing relationships with the third-party vendors listed in Section 7.
1. Definitions
- Personal Data means any information relating to an identified or identifiable natural person.
- Processing means any operation performed on Personal Data — collection, recording, storage, retrieval, use, disclosure, erasure, etc.
- Data Subject means the natural person whose Personal Data is being processed.
- Sub-processor means any third party engaged by Processor to process Personal Data.
- Other terms (Controller, Processor, Personal Data Breach, Supervisory Authority) have the meanings given in the GDPR.
2. Subject matter and duration
Subject matter: Processor's provision of the United Vows platform services to Controller as described in the Terms of Service.
Duration: For the duration of the underlying agreement and until all Personal Data is deleted or returned (Section 14).
3. Nature and purpose of processing
Processor processes Personal Data only as needed to provide the platform services, including: hosting and storage, sending notifications and emails, executing automated workflows (RSVP reminders, payment milestones), generating AI insights (where Controller has enabled AI features), and providing analytics dashboards.
Processor will not use Personal Data for its own purposes, will not sell Personal Data, and will not use Personal Data to train external general-purpose machine-learning models without explicit Controller instruction.
4. Categories of Data Subjects and Personal Data
Data Subjects: Couples planning weddings, their wedding guests, vendor employees, vendor team members.
Categories of Personal Data:
- Identity data: name, email, phone, postal address.
- Account data: hashed passwords, sign-in timestamps, IP addresses.
- Wedding-planning data: dates, budgets, guest lists, dietary preferences, RSVPs, seating arrangements.
- Communication data: messages exchanged through the platform, AI chat transcripts, audit notes.
- Payment metadata: amounts, milestone references, Stripe customer IDs.
- Special category data: dietary restrictions and accessibility needs (collected only for guest-list functionality and only with the data subject's consent via the RSVP form).
5. Controller's instructions
Processor processes Personal Data only on Controller's documented instructions, including with regard to transfers to a third country. Documented instructions include the Terms of Service, this DPA, configuration choices Controller makes within the platform, and written instructions provided via dpa@unitedvows.com.
6. Confidentiality
Processor ensures all personnel authorized to process Personal Data are subject to an obligation of confidentiality (employment agreements, contractor NDAs).
7. Sub-processors
Controller authorizes Processor to engage the sub-processors listed below for the services indicated. Processor will impose data-protection terms on each sub-processor that are no less protective than this DPA.
- Vercel Inc. (US) — application hosting + edge network + analytics.
- Neon, Inc. (US) — managed PostgreSQL database hosting.
- Stripe, Inc. (US) — payment processing + Connect-based escrow (Stripe acts as an independent Controller for tokenized card data).
- Resend, Inc. (US) — transactional email delivery.
- Anthropic PBC (US) — AI model inference for chat, insights, and drafts. Configured to disable training on inputs.
- OpenAI, L.L.C. (US) — AI model inference (fallback). Configured to disable training on inputs.
- Google LLC (US) — Gemini AI model inference (fallback). Configured to disable training on inputs.
- Upstash, Inc. (US) — Redis-backed caching and rate limiting.
Processor will provide at least 30 days' advance notice of any new sub-processor and the right to object on reasonable data-protection grounds.
8. International transfers
Where Personal Data is transferred outside the EEA, UK, or Switzerland, Processor relies on Standard Contractual Clauses (EU 2021/914) for the relevant transfer. Vendor sub-processors located in the US who are certified under the EU-US Data Privacy Framework are relied upon under that framework where applicable.
9. Security measures
Processor implements appropriate technical and organizational measures, including:
- TLS 1.2+ for all data in transit; AES-256 for data at rest in the database.
- Role-based access control with least-privilege defaults.
- Audit logging of administrative actions on Personal Data.
- Encrypted backups with rotation; tested restore procedures.
- Vulnerability scanning + dependency monitoring.
- Multi-factor authentication required for all administrative accounts.
- Documented incident-response runbook.
10. Personal Data Breach notification
Processor will notify Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting Controller's data, including the nature of the breach, categories and approximate number of affected Data Subjects, and measures taken to mitigate adverse effects.
11. Data Subject Rights assistance
Processor will assist Controller in fulfilling its obligations to respond to Data Subject Rights requests (access, rectification, erasure, objection, portability, restriction). Processor provides admin-side tooling at /dashboard/admin/users/[id]/export to fulfill access requests.
12. DPIAs and prior consultation
Processor will provide reasonable assistance with Data Protection Impact Assessments and prior consultations with Supervisory Authorities, taking into account the nature of processing and information available to Processor.
13. Audits
Once per twelve-month period, on at least 30 days' advance written notice and at Controller's expense, Controller may audit Processor's compliance with this DPA. In lieu of an on-site audit, Processor may provide a recent third-party audit report (e.g., SOC 2 Type II once available) covering the same scope.
14. Deletion or return
On termination of the underlying agreement, Processor will, at Controller's choice, delete or return all Personal Data to Controller within 90 days, and delete existing copies (excluding back-ups, which are deleted on their normal rotation schedule of 90 days).
15. Governing law
This DPA is governed by the laws of the State of [JURISDICTION] except where superseded by mandatory data-protection law applicable to a Data Subject.
16. Contact
Data-protection requests, sub-processor objections, breach reports: dpa@unitedvows.com.
Note for legal review: This is a working draft for counsel consideration. Items requiring lawyer-side decisions are flagged with [JURISDICTION] placeholders or marked “DRAFT” in section headers. The sub-processor list reflects the current production stack (April 2026) and should be re-verified before publication.