Data Processing Agreement
Last updated: April 27, 2026
Draft — pending legal review. This document is a good-faith template intended to satisfy GDPR Article 28 for typical B2B engagements. It has not yet been reviewed by qualified privacy counsel. If you intend to rely on it as a binding legal instrument, please have your own counsel review it. If you require an executed, counter-signed copy or redlines, email dpa@getvrge.com.
This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the agreement between you ("Customer", "Controller") and TRD Ventures LLC, a New Mexico limited liability company doing business as "Vrge" ("Vrge", "Processor"), governing Customer's use of the Vrge software and services (the "Service"), where Vrge processes Personal Data on Customer's behalf.
1. Definitions
Capitalised terms not defined here have the meaning given in the Terms of Service or the underlying Data Protection Laws.
- Data Protection Laws — Regulation (EU) 2016/679 ("GDPR"), the UK Data Protection Act 2018 and UK GDPR, the Swiss FADP, and any other applicable laws governing the processing of Personal Data.
- Personal Data, Controller, Processor, Sub-processor, Data Subject, Processing — as defined in the GDPR.
- Standard Contractual Clauses ("SCCs") — the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission under Decision (EU) 2021/914, and as amended for the UK (the UK International Data Transfer Addendum).
- Customer Personal Data — Personal Data processed by Vrge on behalf of Customer in connection with Customer's use of the Service.
2. Roles of the parties
With respect to Customer Personal Data, Customer acts as the Controller and Vrge acts as the Processor. Vrge will only process Customer Personal Data in accordance with Customer's documented instructions, including with regard to transfers of personal data to a third country, unless required to do so by Union or Member State law. Where required by law to process Customer Personal Data outside Customer's instructions, Vrge will inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
3. Subject matter, duration, and nature of processing
Subject matter
The provision of the Service to Customer as described in the Terms of Service.
Duration
The term of this DPA runs concurrently with Customer's subscription to or licensed use of the Service, plus any post-term retention period required by law.
Nature and purpose of processing
Vrge processes Customer Personal Data only as needed to provide, maintain, secure, and support the Service. The Service is local-first: Customer Personal Data is stored on Customer's own devices and self-hosted infrastructure. The processing performed by Vrge itself is therefore limited to:
- License issuance and validation, billing, and payment processing (via Lemon Squeezy as Merchant of Record).
- Software update delivery via the Tauri auto-updater endpoint.
- Customer support correspondence initiated by Customer.
- Optional inference relay through the Vrge Managed AI proxy at ai.getvrge.com, only if Customer subscribes to the Managed AI tier and only for Customer's active inference requests (metadata logged; prompts and completions are not persisted — see Security).
Categories of Data Subjects
- Customer's personnel and authorised users of the Service.
- Customer's clients, contacts, prospects, vendors, and other third parties whose Personal Data Customer processes through the Service.
Categories of Personal Data
- Identification and contact data — name, email, phone, business address.
- Professional data — job title, employer, project history, communications metadata.
- Financial data — invoice amounts, payment statuses, banking memo lines (when Customer connects banking sources).
- Communications content — email subjects and bodies, calendar event titles and descriptions, file metadata, when Customer connects those sources. Where Managed AI is used, content is redacted by default before transmission.
- No special category data is required by the Service. Customer is responsible for not introducing categories under GDPR Article 9 (e.g. health, biometrics) into the Service unless Customer has its own lawful basis to do so.
4. Confidentiality
Vrge will ensure that all personnel authorised to process Customer Personal Data are bound by written confidentiality obligations of a duration appropriate to the nature of the data, and have received appropriate data protection training.
5. Security measures
Vrge will implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including those described in the Security page. As a baseline, those measures include:
- TLS 1.2+ for all data transmitted between Customer devices and Vrge-operated endpoints.
- Bcrypt password hashing on the optional Team self-hosted server.
- Read-only OAuth scopes for all third-party data sources Customer chooses to connect (Gmail, Google Calendar, etc.). OAuth tokens are stored only on Customer devices, never transmitted to Vrge.
- Redact-by-default content handling for any Managed AI inference, with metadata-only logging on the proxy.
- Role-based access controls and least-privilege principles for Vrge personnel with access to operational systems.
- Documented incident response and breach notification processes (see Section 7).
6. Sub-processors
Customer authorises Vrge to engage Sub-processors to assist in providing the Service, subject to the conditions in this Section. A current list of Sub-processors is maintained at getvrge.com/subprocessors.
Vrge will impose data protection terms on each Sub-processor that provide at least the same level of protection for Personal Data as set out in this DPA, and Vrge remains liable for the acts and omissions of its Sub-processors.
Notification of changes
Vrge will provide Customer with at least 30 days' prior notice of any new Sub-processor or material change to an existing Sub-processor that processes Customer Personal Data. Notice will be given by updating the Sub-processors page and, for material changes, by email to the address on file for Customer.
Right to object
If Customer has a reasonable, documented objection to a new Sub-processor based on data protection grounds, Customer may notify Vrge in writing within the 30-day notice period. Vrge will use reasonable efforts to make the Service available without the objected-to Sub-processor; if Vrge cannot reasonably do so within a reasonable period, Customer may terminate the affected portion of the Service for cause and receive a pro-rata refund of any prepaid fees for the unused portion of the term.
7. Data Subject requests and assistance
Vrge will, taking into account the nature of the processing, assist Customer through appropriate technical and organisational measures to fulfil Customer's obligations to respond to Data Subject requests under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection).
The Service's local-first architecture means most Customer Personal Data resides on Customer-controlled devices, where Customer can directly fulfil such requests. For Personal Data that Vrge processes (e.g., support correspondence, billing records), Vrge will respond to Customer's reasonable requests promptly and at no additional cost beyond the Service fees.
8. Personal data breach notification
Vrge will notify Customer without undue delay, and where feasible within 72 hours, after becoming aware of a Personal Data breach affecting Customer Personal Data. The notification will include, to the extent known:
- The nature of the breach, including the categories and approximate number of Data Subjects and records concerned.
- The likely consequences of the breach.
- The measures Vrge has taken or proposes to take to address the breach and mitigate its possible adverse effects.
Vrge will cooperate with Customer and provide reasonable assistance in investigating the breach and notifying competent supervisory authorities and affected Data Subjects where required.
9. International data transfers
To the extent that processing under this DPA involves transfers of Personal Data from the EEA, the United Kingdom, or Switzerland to a country not deemed adequate by the European Commission (or equivalent UK/Swiss authority), the parties agree that the SCCs (Module 2: Controller-to-Processor) are hereby incorporated into this DPA by reference, with the following selections:
- Clause 7 (docking clause) — included.
- Clause 9 (sub-processors) — Option 2 (general written authorisation), with the 30-day notice period specified in Section 6 of this DPA.
- Clause 11 (redress) — the optional independent dispute resolution body language is not included.
- Clause 17 (governing law) — the law of Ireland.
- Clause 18 (forum and jurisdiction) — the courts of Ireland.
- Annexes — the descriptions in Section 3 of this DPA serve as Annex I; the security measures in Section 5 of this DPA and the Security page serve as Annex II.
For UK transfers, the parties incorporate the UK International Data Transfer Addendum (Version B1.0) on the same terms.
10. Audit rights
Vrge will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer, in each case subject to:
- Reasonable advance notice (no less than 30 days, except in the case of a documented breach affecting Customer).
- Conducting any on-site audit during business hours and in a manner that does not unreasonably interfere with Vrge's operations.
- Customer's auditor entering into reasonable confidentiality obligations.
- Customer bearing its own audit costs and Vrge's reasonable costs of cooperating with the audit.
Vrge may satisfy this obligation by providing copies of any third-party security audit reports (e.g., SOC 2 once available) where they reasonably address Customer's audit objectives.
11. Term, return, and deletion
This DPA terminates automatically on termination of the underlying Terms of Service or on Customer's cessation of use of the Service, whichever is later. On termination, Vrge will, at Customer's option, return or delete Customer Personal Data in Vrge's possession or control within 30 days, except to the extent retention is required by law (in which case Vrge will continue to protect the data in accordance with this DPA).
Customer Personal Data that resides on Customer-controlled devices (the bulk of data the Service handles) is unaffected by this process — Customer retains direct control of that data at all times.
12. Liability
Each party's liability arising out of or related to this DPA is subject to the aggregate limitations of liability set out in the Terms of Service. Nothing in this DPA limits any liability that cannot be excluded under applicable law, including liabilities arising under Article 82 of the GDPR.
13. How to execute this DPA
For most B2B engagements, this published DPA serves as the binding agreement between the parties as of the date Customer purchases or renews the Service — Customer's acceptance of the Terms of Service incorporates this DPA by reference.
If your procurement process requires a counter-signed copy of this DPA, or specific edits, email dpa@getvrge.com with:
- Your company legal name and registered address.
- The Vrge product or tier you are purchasing (or have purchased).
- Any specific redlines, or a request for the standard counter-signed PDF.
We respond within five business days. Counter-signed PDFs are returned via email or DocuSign equivalent.
14. Changes to this DPA
Vrge may update this DPA from time to time to reflect changes in Data Protection Laws, the Service, or Vrge's practices. Material changes will be notified to Customer by email and will take effect no earlier than 30 days after notification. The “Last updated” date at the top reflects the current revision.
Contact
Questions about this DPA, requests for counter-signature, or DPO contact requests: dpa@getvrge.com.
TRD Ventures LLC · New Mexico, USA