Data processing addendum

Last updated · May 21, 2026

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between you (“Customer”) and VICIfast (“Processor”) governing use of the managed VICIdial hosting service at vicifast.com. It documents how Processor processes personal data on Customer’s behalf, in compliance with applicable data protection law (GDPR, UK GDPR, and equivalent regimes). In the event of any conflict between this DPA and the Terms, this DPA governs to the extent of the conflict, but only as to processing of personal data.

1. Definitions

Terms in initial capitals not defined here have the meaning given in the Terms or in applicable data protection law. For the purpose of this DPA:

  • “Customer Data” means all personal data processed by VICIfast on Customer’s behalf via the Service — including lead contact information, agent identifiers, call recordings, IVR audio, dispositions, and dialer event metadata stored on the Customer’s VICIdial server.
  • “Account Data” means personal data VICIfast processes as a controller for its own account / billing purposes — Customer’s name, email, billing address, login activity, and payment metadata (card details themselves never reach our systems).
  • “Sub-processor” means any third party engaged by VICIfast to process Customer Data — see §6 and the public list at /sub-processors.

2. Roles + scope

Customer is the controller of Customer Data. VICIfast is the processor of Customer Data and acts only on Customer’s documented instructions (the Terms, the Service’s configuration UI, and this DPA together constitute those instructions).

VICIfast is the controller of Account Data; that processing is governed by the Privacy Policy, not this DPA.

Subject matter: hosting and operation of the Customer’s VICIdial dialer instance. Duration: the term of the underlying subscription, plus the deletion window set out in §8. Nature + purpose: provisioning, security hardening, backup, monitoring, support, and termination of the Customer’s dialer server. Categories of data subjects: Customer’s leads, agents, supervisors, and any third parties Customer chooses to call. Categories of personal data: identifiers (name, phone, email), call audio (recordings + voicemail), dialer event metadata (timestamps, durations, dispositions), agent activity logs.

3. Customer responsibilities

Customer is solely responsible for (a) the lawfulness of personal data Customer dials, uploads, or otherwise places into the Service; (b) obtaining all necessary consents, notices, and lawful bases under applicable law (including TCPA, DNC, GDPR, and equivalent regimes); and (c) configuring the Service consistent with Customer’s compliance obligations. VICIfast provides infrastructure; Customer operates the dialer.

4. Processor obligations + instructions

  • Process Customer Data only on Customer’s documented instructions. If VICIfast is required by law to process Customer Data outside those instructions, we will notify Customer first unless the law forbids it.
  • Ensure that personnel authorised to process Customer Data are bound by confidentiality.
  • Implement and maintain the technical + organisational measures set out in §5 and at /security.
  • Engage sub-processors only as permitted in §6.
  • Reasonably assist Customer in responding to data subject requests addressed to Customer (see §7) and in carrying out data protection impact assessments where the Service is the subject of the assessment.

5. Security measures

VICIfast maintains the technical and organisational measures described at /security, which include — without limitation:

  • Hardened base image on every provisioned server (TLS via Let’s Encrypt, firewall on, fail2ban active, password authentication disabled, default passwords removed before ACTIVE).
  • SSH access via a per-provision ephemeral keypair and short-lived (1h) certificates signed by a sealed certificate authority — no shared static keys.
  • Encryption at rest (AES-256-GCM) for sensitive secrets — Cloudflare tokens, VICIdial admin passwords, CA private keys. TLS for database connections.
  • Card data handled exclusively by Stripe (SAQ-A scope); VICIfast never sees card numbers.
  • Account auth: WebAuthn passkeys, TOTP 2FA, breach-corpus check (HaveIBeenPwned) on signup / reset / change, suspicious-login alerts.
  • Audit log of every server state transition, billing event, admin action, and impersonation session; admin impersonation time-limited to 1 hour with on-screen banner.
  • Sub-user RBAC (Owner / Billing / Operator / Viewer) with destructive actions gated to Owner. Session revocation cascades on sub-user removal.

The measures may evolve to reflect changes in industry practice; VICIfast will not materially weaken them during the term of the subscription.

6. Sub-processors

Customer authorises VICIfast to engage the sub-processors listed at /sub-processors for the purposes described there. VICIfast will:

  • Impose data protection terms on each sub-processor that are no less protective than this DPA, including the security obligations in §5.
  • Remain liable to Customer for each sub-processor’s performance.
  • Publish notice of any new sub-processor on the sub-processors page at least 30 days before that sub-processor begins processing Customer Data. Customer may object in writing within that window; if the objection cannot be reasonably resolved, Customer may terminate the affected portion of the Service for convenience and receive a pro-rata refund of unused prepaid fees (no other refund obligation applies).

7. Data subject rights

Because Customer is the controller of Customer Data, requests from data subjects (access, rectification, erasure, restriction, portability, objection) are addressed to Customer, not to VICIfast. The Service provides Customer with the operational surface to fulfil those requests:

  • Lead and recording data is held inside the Customer’s own VICIdial database; Customer has direct SQL + filesystem access (root SSH).
  • The /dashboard surface exposes lead lookup, recording download, and lead-deletion actions that flow through the audit log.
  • If Customer asks VICIfast to assist (e.g. exporting a specific data subject’s records platform-side), we will use commercially reasonable efforts to do so; the cost of significant assistance may be passed through at our then-current rates.

8. Retention + deletion

Customer Data lives on the Customer’s VICIdial server for the duration of the subscription. On termination:

  • The server enters a wind-down state. Customer has access to download recordings and export data for 30 days after the final invoice paid date.
  • At the end of the wind-down window, the server is securely destroyed (Hetzner secure erase of the VPS storage) and the encrypted termination backup is retained for 90 days then deleted. Customer may request earlier purge in writing to security@vicifast.com.
  • Account Data follows the retention rules in the Privacy Policy (typically 7 years for billing records under tax law; immediate purge for non-billing personal data on Customer request).

9. International transfers

Customer Data lives in the Hetzner region Customer chose at order time and is not transferred outside that region by VICIfast except (a) for sub-processor functions whose location is disclosed at /sub-processors, and (b) for Customer’s own use (e.g. when Customer dials a lead in another country, the call audio routes through Customer’s SIP carrier — not through VICIfast).

Where Customer Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a third country that is not the subject of an adequacy decision, VICIfast relies on the EU Standard Contractual Clauses (Module 2 or 3 as appropriate) and the UK International Data Transfer Addendum, which are incorporated into this DPA by reference. Sub-processor contracts incorporate the same.

10. Breach notification

VICIfast will notify Customer without undue delay — and in any event within 72 hours — of becoming aware of a personal data breach affecting Customer Data. The notice will include, to the extent then known, the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and the measures taken or proposed in response. Notice is provided to the email address on the Customer’s account and to the security contact registered in the dashboard, if any.

11. Audit

On reasonable written request and no more than once per twelve-month period (except following a personal data breach affecting Customer Data), VICIfast will make available the information necessary to demonstrate compliance with this DPA. VICIfast may satisfy this obligation by providing the latest third-party attestation, penetration test executive summary, or written responses to Customer’s security questionnaire.

Where applicable law mandates an on-site audit and the standard documentation does not suffice, the parties will agree the scope, timing, and reasonable cost allocation of that audit in advance.

12. Liability

Each party’s liability under this DPA is subject to the limits set out in the Terms. Nothing in this DPA limits either party’s liability where applicable law prohibits limitation.

13. Contact

Data-protection enquiries: dpo@vicifast.com. Security disclosures: security@vicifast.com. General contact: /contact.

14. Execution

This DPA is incorporated by reference into the Terms of Service and is binding without further signature. A Customer that requires a counter-signed copy on letterhead may request one by emailing dpo@vicifast.com; we counter-sign without negotiation provided the request specifies a legal entity name and address.