Vertical Monkey
Draft pending legal review. This DPA is based on the European Commission Standard Contractual Clauses (Implementing Decision (EU) 2021/915) for controller-to-processor relationships and has been drafted in good faith. It will be reviewed by qualified Luxembourg counsel before the first paying customer is onboarded. For inquiries of contractual weight, please use our contact form.

Data Processing Agreement

Article 28 GDPR agreement between the Club (controller) and Modmatrix Innovations Sàrl-S (processor)

1. Parties

This Data Processing Agreement (the "DPA") is entered into between:

Controller: the Customer entity identified in the Vertical Monkey account settings (the "Club", "Controller", "you").

Processor: Modmatrix Innovations Sàrl-S, RCS Luxembourg B285027, 5 Am For, L-5351 Oetrange, Grand Duchy of Luxembourg ("Vertical Monkey", "Processor", "we").

This DPA forms an integral part of the Terms of Service and takes effect automatically upon your acceptance of the Terms. It governs any processing of personal data we perform on your behalf in the context of providing the Vertical Monkey platform (the "Service").

2. Definitions

Terms used in this DPA have the meaning given in the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), including "personal data", "processing", "controller", "processor", "data subject", "sub-processor", "supervisory authority", and "personal-data breach". Capitalised terms not defined in this DPA have the meaning set out in the Terms of Service.

3. Subject matter, nature, purpose, and duration of processing

Subject matter: the processing of personal data by the Processor on behalf of the Controller for the provision of the Service described in the Terms.

Nature of processing: collection, storage, organisation, structuring, retrieval, consultation, transmission, erasure, and destruction of personal data as necessary to operate the Service.

Purpose: enabling the Club to manage its members, events, courses, payments, and communications through the Service.

Duration: the term of the subscription, extended by post-termination periods for data export (30 days) and for residual deletion from encrypted backups (maximum 35 days).

The detailed categories of data subjects, types of data, and operations are set out in Annex 1.

4. Instructions of the Controller

The Processor processes personal data only on documented instructions of the Controller, including for transfers of personal data to a third country, unless required to do so by Union or Member State law; in such case, the Processor informs the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

The Controller's instructions are issued through: (a) the configuration made within the admin dashboard; (b) the use of the Service's features and APIs; (c) this DPA and the Terms; (d) express written instructions sent via the contact form.

The Processor immediately informs the Controller if, in its opinion, an instruction infringes the GDPR or other data-protection provisions of the Union or a Member State.

5. Confidentiality

The Processor ensures that persons authorised to process personal data on its behalf have committed to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to personal data is granted on a strict need-to-know basis.

6. Security of processing (Art. 32 GDPR)

The Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These measures are described in Annex 2 and include in particular:

  • pseudonymisation and encryption of personal data where applicable;
  • measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  • measures to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • regular testing, assessing, and evaluating the effectiveness of technical and organisational measures.

The Processor keeps the measures in Annex 2 up to date; material degradations of the security posture are notified to the Controller in advance.

7. Engagement of sub-processors

The Controller grants general authorisation to the Processor to engage sub-processors for the processing activities listed in Annex 3. The list of current sub-processors is published at verticalmonkey.eu/legal/dpa#sub-processors.

The Processor informs the Controller of any intended addition or replacement of a sub-processor affecting the personal data at least 30 days in advance by email or in-app banner. During this period the Controller may object on reasonable grounds related to data protection. If the objection cannot be resolved, the Controller may terminate the affected Service with pro-rata refund of unused prepaid fees.

The Processor imposes on each sub-processor, by written contract, the same data-protection obligations as those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures. Where a sub-processor fails to fulfil its data-protection obligations, the Processor remains fully liable to the Controller for the performance of that sub-processor's obligations.

8. Assistance with data subject rights

Taking into account the nature of the processing, the Processor assists the Controller by appropriate technical and organisational measures, insofar as possible, to fulfil the Controller's obligation to respond to requests for exercising data subject rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection, rights relating to automated decision-making). The Processor forwards without undue delay any data-subject request addressed directly to it, and does not itself respond to the request except on documented instructions from the Controller.

9. Personal-data breach notification

The Processor notifies the Controller without undue delay and in any event within 48 hours after becoming aware of a personal-data breach affecting the Controller's data. The notification is sent to the admin email address on file and via the contact channel in the admin dashboard.

The notification includes, to the extent available: (a) the nature of the breach, including where possible the categories and approximate number of data subjects and records concerned; (b) the name and contact details of a point of contact where more information can be obtained; (c) the likely consequences of the breach; (d) the measures taken or proposed to address the breach and mitigate its effects.

The Processor assists the Controller in complying with its obligations under Articles 33 and 34 GDPR (notification to supervisory authority and communication to data subjects) and in conducting any related impact assessment.

10. Assistance with DPIAs and prior consultation (Art. 35 and 36 GDPR)

The Processor provides reasonable assistance to the Controller in the performance of data-protection impact assessments and in any prior consultation of the competent supervisory authority, where required under the GDPR and related to processing performed by the Processor, taking into account the information available to the Processor.

11. Return or deletion of data at end of processing

Upon termination of the Service for any reason, the Processor, at the Controller's choice, returns or deletes all personal data processed on behalf of the Controller, except where storage is required by Union or Member State law. The Controller has 30 days after termination to trigger an export; after this window, the Processor deletes personal data from live systems within 90 days and from encrypted backups within the backup rotation period (maximum 35 days). A deletion certificate is available on request.

12. Audit and information rights

The Processor makes available to the Controller all information necessary to demonstrate compliance with its obligations under Article 28 GDPR, including this DPA.

The Processor allows for and contributes to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to: (a) 30 days' advance written notice; (b) conduct during business hours; (c) no more than once per calendar year (except for reasonable cause or following a personal-data breach); (d) compliance with applicable confidentiality, security, and access rules at the Processor's facilities and at those of sub-processors. The Controller bears its own audit costs; the Processor bears the reasonable cost of facilitation.

The Processor may satisfy the audit obligation, where applicable, by making available summaries of independent third-party audits or certifications (e.g. ISO 27001, SOC 2) covering the same scope.

13. International data transfers

Personal data are stored and processed within the European Economic Area. Where a transfer to a third country outside the EEA becomes necessary in the context of a sub-processor, the Processor relies on an adequate legal mechanism under Chapter V GDPR, in particular the EU Standard Contractual Clauses (Implementing Decision (EU) 2021/914) with appropriate supplementary measures where required.

14. Liability

Each party's liability under this DPA is subject to the limitations of liability agreed in the Terms of Service, except where such limitation is prohibited by Articles 82 or 83 GDPR or other mandatory law.

15. Conflict and ordering of documents

In the event of conflict between this DPA and the Terms of Service with respect to the processing of personal data, this DPA prevails. In the event of conflict between this DPA and any order form or individually negotiated schedule, the more specific document prevails for that specific subject matter.

16. Governing law

This DPA is governed by the laws of the Grand Duchy of Luxembourg and, for matters of personal-data protection, by the GDPR and the Luxembourg Data Protection Act of 1 August 2018. The courts of the city of Luxembourg have jurisdiction over disputes arising out of or in connection with this DPA, subject to mandatory provisions of the GDPR regarding judicial remedies.


Annex 1 — Description of processing

Categories of data subjects

  • Members of the Club (active, former, pending), including minors where the Club offers youth programmes;
  • Club administrators, instructors, and volunteers with access to the Service;
  • Parents or legal guardians of members who are minors;
  • Prospective members, trial-day participants, and guests.

Categories of personal data

  • Identity: first name, last name, date of birth, nationality (where provided);
  • Contact details: email, phone, postal address;
  • Account data: username, password hash, role, preferred language, 2FA status;
  • Membership data: membership status, join date, expiry, attendance records, climbing-level attestations;
  • Billing data: invoice records, Stripe customer ID, VAT ID (for corporate members), IBAN (if the Club opts into SEPA);
  • Health data (special category, Art. 9 GDPR): medical notes, allergies, emergency contact — only where the Club collects these for safety reasons with appropriate legal basis;
  • Communication data: in-app messages, email interactions with staff, support tickets;
  • Technical data: IP address, user-agent, session metadata, audit-log events.

Processing operations

Collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, alignment, restriction, erasure, and destruction, as necessary to provide the Service.

Annex 2 — Technical and organisational measures

The Processor implements the following technical and organisational measures in accordance with Art. 32 GDPR:

Access control

  • Strong authentication for all administrative access (password + optional TOTP);
  • Role-based access control with tenant isolation (Club A cannot access Club B data);
  • Per-account lockout after 5 failed login attempts in 15 minutes;
  • Cloudflare Turnstile CAPTCHA on login, registration, and password-reset forms;
  • Session management via HttpOnly, Secure, SameSite cookies with CSRF double-submit token;
  • Least-privilege principle for infrastructure access (SSH via YubiKey, passwords disabled).

Encryption

  • TLS 1.2/1.3 for all network traffic; HSTS with preload;
  • Per-club Fernet envelope encryption for sensitive fields (medical notes, IBAN, private chat) using a master KEK and per-tenant DEK;
  • Bcrypt password hashing with high work factor;
  • Encryption at rest for database volumes and encrypted backups.

Integrity and availability

  • Immutable append-only audit logs for administrative actions;
  • Daily encrypted backups with 7-day rotation; documented restoration procedure;
  • Centralised structured logging, error monitoring via Sentry with PII scrubbing, uptime monitoring;
  • Rate limiting on public and authentication endpoints to mitigate abuse;
  • Network-level abuse detection (fail2ban, firewall, Cloudflare WAF).

Organisational measures

  • Staff training on data protection and secure development practices;
  • Code review before deployment of changes affecting personal data;
  • Incident-response procedure with 48-hour notification target;
  • Documented deletion and retention procedures aligned with this DPA;
  • Vendor-risk assessment before engaging a new sub-processor.

Annex 3 — Authorised sub-processors

The following sub-processors are authorised as of the effective date of this DPA:

Each entry lists the provider, the service it supplies, the processing location, and the transfer safeguard in place.

  • Hetzner Online GmbH. Service: infrastructure (servers, storage, backups). Location: Germany · Finland. Transfer safeguard: EEA, GDPR Art. 28 DPA in place.
  • Cloudflare, Inc. Service: CDN, DDoS protection, WAF, Turnstile (CAPTCHA). Location: EU edge, US parent. Transfer safeguard: EU SCCs (2021 modules), DPA in place.
  • Stripe Payments Europe, Ltd. Service: subscription billing, invoicing, tax, payment-method storage. Location: Ireland. Transfer safeguard: EEA, GDPR Art. 28 DPA in place.
  • Functional Software Inc. (Sentry). Service: error monitoring with PII scrubbing. Location: EU region (hosted in Germany). Transfer safeguard: EEA, GDPR Art. 28 DPA in place.

A current, dated version of this list is available on request. The Processor notifies the Controller at least 30 days in advance of any intended addition or replacement of a sub-processor.

Effective date: 2026-04-23. Last revised: 2026-04-23.

Modmatrix Innovations Sàrl-S · RCS Luxembourg B285027 · 5 Am For, L-5351 Oetrange