Data Processing Agreement (DPA)
Last updated: May 5, 2026
This Data Processing Agreement ("DPA") supplements the Terms of Service entered into between you, the customer ("Controller" or "Customer"), and VAUNTED LABS LLC, a Delaware limited liability company ("Cadence", "Processor"), and governs the processing of personal data through the Cadence platform (the "Service").
This DPA is designed to comply with Article 28 of the General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA) and other applicable data protection laws.
In case of conflict between this DPA and the Terms, the DPA prevails for personal data processing matters.
1. Definitions
Capitalised terms not defined here have the meaning given in the Terms or the GDPR.
- Customer Personal Data: any personal data processed by Cadence on behalf of the Customer in connection with the Service.
- Data Subject: an identified or identifiable natural person whose data is processed.
- Sub-processor: any third party engaged by Cadence to process Customer Personal Data.
- Standard Contractual Clauses (SCCs): the standard contractual clauses approved by EU Commission Decision 2021/914 of 4 June 2021.
2. Roles and scope
2.1 Roles
- The Customer is the Controller of Customer Personal Data.
- Cadence is the Processor, processing Customer Personal Data per the Customer's documented instructions.
2.2 Processing scope
Cadence processes Customer Personal Data only:
- To provide and maintain the Service per the Terms;
- On the Customer's written instruction;
- When the law requires it (in which case Cadence informs the Customer unless prohibited).
3. Description of processing
| Element | Description |
|---|---|
| Subject matter | Provision of the Cadence Service (AI marketing automation) |
| Duration | Duration of the Customer's subscription, plus any post-termination retention required by law or set out in the Privacy Policy |
| Nature and purpose | Hosting, storing, processing, transforming and transmitting Customer Personal Data to operate the Service: brand profile creation, content generation, social publishing, engagement and revenue analysis |
| Categories of Data Subjects | Customer's employees, contractors, end users; Customer's customers (where their data is part of the brand profile or attribution data) |
| Categories of Personal Data | Identification data (name, email), professional data, content uploaded by the Customer, social media metadata, transaction metadata from connected payment platforms, IP addresses, technical data |
| Sensitive data | Not intentionally processed. Customer must not upload sensitive data |
4. Cadence's obligations
Cadence undertakes to:
4.1 Process on instruction
Process Customer Personal Data only on the Customer's documented instructions, including for international transfers, unless required by EU or Member State law.
4.2 Confidentiality
Ensure that persons authorised to process Customer Personal Data are bound by confidentiality obligations.
4.3 Security measures
Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, per Article 32 GDPR. See Annex II.
4.4 Sub-processors
Engage Sub-processors only in accordance with Section 5.
4.5 Assistance to the Customer
Help the Customer, taking into account the nature of processing, to:
- Respond to Data Subject requests (access, rectification, erasure, etc.);
- Ensure compliance with obligations relating to security, breach notification, impact assessments and prior consultation (Articles 32-36 GDPR).
4.6 Return or deletion of data
At the Customer's choice, return or delete all Customer Personal Data after the end of the Service, unless legally required to retain.
4.7 Audits
Make available to the Customer all information necessary to demonstrate compliance with this DPA, and allow and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates (subject to confidentiality and reasonable scheduling).
4.8 Notification of unlawful instruction
Immediately inform the Customer if, in Cadence's view, an instruction infringes the GDPR or other applicable law.
5. Sub-processors
5.1 General authorisation
The Customer gives Cadence general authorisation to engage Sub-processors for Service provision.
5.2 List and changes
An up-to-date list of Sub-processors is maintained and provided on request at hello@cadencelab.app. Categories:
- Cloud infrastructure (AWS, Google Cloud, Cloudflare)
- AI/LLM providers (Anthropic, OpenAI)
- Payment processing (Stripe)
- Email delivery (Postmark, SendGrid, Resend)
- Product analytics (PostHog, Plausible)
- Customer support tools
Cadence will notify the Customer of any planned addition or replacement of Sub-processors at least 14 days in advance, giving the Customer the opportunity to object on reasonable data-protection grounds. In case of unresolved objection, the Customer may terminate the affected portion of the Service without penalty.
5.3 Sub-processor obligations
Cadence imposes on Sub-processors the same data protection obligations as in this DPA, in particular sufficient guarantees regarding implementation of appropriate technical and organisational measures. Cadence remains fully liable to the Customer for Sub-processor performance.
6. International data transfers
6.1 Transfers outside EEA / UK / Switzerland
When Customer Personal Data is transferred from the EEA, UK or Switzerland to a country without an adequacy decision, the parties rely on:
- The EU Standard Contractual Clauses (Module 2: Controller to Processor), incorporated by reference into this DPA;
- The UK International Data Transfer Addendum for UK data;
- Equivalent mechanisms for Swiss data.
6.2 Supplementary measures
Cadence implements supplementary measures: encryption in transit and at rest, access controls, contractual safeguards, and a transparency report on government access requests where applicable.
6.3 Government access
If Cadence receives a binding request from a government authority concerning Customer Personal Data, Cadence will, where legally permitted, notify the Customer and challenge any request that is not legally valid.
7. Personal data breaches
In case of a personal data breach affecting Customer Personal Data:
- Cadence will notify the Customer without undue delay after becoming aware, and in any event within 48 hours;
- The notification will include, to the extent known: nature of the breach, categories and approximate number of Data Subjects and records concerned, likely consequences, measures taken or proposed to address it;
- Cadence will assist the Customer in meeting its own notification obligations under Articles 33 and 34 GDPR.
8. Data Subject rights
When a Data Subject contacts Cadence directly to exercise their rights, Cadence will, where legally permitted, redirect them to the Customer.
Cadence will assist the Customer, by appropriate technical and organisational measures, in responding to Data Subject requests within applicable legal deadlines.
9. CCPA / CPRA specifics
For Customer Personal Data subject to CCPA/CPRA:
- Cadence acts as a Service Provider under CCPA/CPRA;
- Cadence will not "sell" or "share" Customer Personal Data, and will not retain, use or disclose it for any purpose other than the specific business purpose of providing the Service, or as permitted by law;
- Cadence will not combine Customer Personal Data with personal information received from other sources, unless permitted by CCPA/CPRA;
- Cadence certifies that it understands and complies with these restrictions.
10. Liability
Each party's liability under this DPA is subject to the limitation of liability set out in the Terms.
Where the GDPR or applicable law provides otherwise (e.g. joint and several liability between Controller and Processor), nothing in this DPA limits that legal liability towards Data Subjects.
11. Term and termination
This DPA takes effect upon the Customer's acceptance of the Terms or upon the Customer beginning to use the Service, whichever is earlier.
It remains in force as long as Cadence processes Customer Personal Data, and survives termination of the Terms to the extent Cadence retains Customer Personal Data, in which case the obligations of this DPA continue to apply.
12. Miscellaneous
12.1 Conflicts
In case of conflict between this DPA and the Terms, the DPA prevails for data protection matters. In case of conflict between this DPA and the SCCs, the SCCs prevail.
12.2 Governing law
The DPA is governed by the law applicable to the Terms, except that the SCCs are governed by the law of an EU Member State allowing third-party beneficiary rights (default: Ireland for EU SCCs, England & Wales for the UK Addendum).
12.3 Changes
Cadence may update this DPA to reflect legal or operational changes, with at least 30 days' notice for material changes.
13. Contact
For any question about this DPA:
VAUNTED LABS LLC, 254 Chapman Rd, Ste 208, Newark, DE 19702, United States
Email: hello@cadencelab.app
Annex I — Processing details
Subject matter, duration, nature, purpose, categories of Data Subjects and personal data: see Section 3 of this DPA.
Frequency of transfer: continuous, on demand, throughout the duration of the Service.
Retention: see Section 7 of the Privacy Policy.
Annex II — Technical and organisational security measures
Cadence implements the following measures (or equivalent), subject to update to reflect evolving security practices:
Encryption
- TLS 1.2+ for all data in transit
- Encryption at rest for sensitive data (AES-256 or equivalent)
Access control
- Role-based access controls (RBAC)
- Multi-factor authentication for administrative access
- Least privilege principle
- Periodic access reviews
Network security
- Firewalls, network segmentation
- DDoS protection, intrusion detection
- Regular vulnerability scans
Application security
- Secure SDLC
- Code review for changes affecting personal data
- Regular dependency updates and patches
- Penetration testing on critical changes
Operational security
- Logging and monitoring of access to personal data
- Incident response plan and procedures
- Regular backups, with restore testing
Personnel
- Confidentiality agreements with all personnel
- Security training
- Background checks for personnel with access to sensitive data, where legally permitted
Sub-processor management
- Due diligence before engagement
- Contractual data protection obligations
- Periodic review of practices
Business continuity
- Backup and disaster recovery procedures
- Defined RTO and RPO objectives
Minimisation and pseudonymisation
- Collect only what is necessary
- Pseudonymise where possible
These measures are reviewed periodically and updated as needed.
Annex III — Sub-processors
An up-to-date list is maintained and provided on request at hello@cadencelab.app, showing for each Sub-processor: name, location and processing activity.