Effective Date: July 8, 2026
This Data Processing Addendum (“DPA”) forms part of the agreement between Vouch For Us, LLC (“Vouch,” “Processor,” “Service Provider,” “we,” or “us”) and the client identified in the applicable service agreement (“Client,” “Controller,” or “Business”).
This DPA supplements the Terms of Service and governs Vouch’s processing of personal information and other Client Data in connection with the professional marketing, reputation management, local search optimization, review management, customer engagement, reporting, consulting, and related services provided by Vouch.
In the event of any conflict between this DPA and the Terms of Service, this DPA shall control solely with respect to the processing of personal information.
Vouch is a marketing agency that provides professional marketing services to businesses.
As part of those Services, Clients may authorize Vouch to process certain information on their behalf, including information available through Google Business Profile APIs and other business information reasonably necessary to perform the Services.
The Client Portal provided by Vouch exists solely to facilitate communication, reporting, collaboration, review management, and delivery of those Services. The Client Portal is not licensed or provided as a standalone software product.
For purposes of this DPA:
Applicable Privacy Laws means all privacy and data protection laws applicable to the processing activities contemplated by this DPA.
Client Data means information processed by Vouch on behalf of the Client while providing the Services.
Personal Information means information that identifies, relates to, describes, or could reasonably be associated with an identifiable individual, as defined by applicable privacy laws.
Processing means any operation performed on Personal Information including collection, storage, access, organization, use, disclosure, transmission, deletion, or destruction.
Services means the professional marketing, reputation management, review management, local SEO, customer engagement, reporting, consulting, and related services provided by Vouch.
The parties acknowledge that Vouch provides professional marketing services to Clients.
To the extent applicable under privacy law:
- the Client acts as the Controller or Business with respect to Client Data;
- Vouch acts as the Processor or Service Provider solely for the purpose of providing the Services requested by the Client.
Nothing in this DPA transfers ownership of Client Data to Vouch.
Vouch processes Client Data only on documented instructions from the Client as reflected in the applicable agreement and this DPA.
Vouch may process Client Data solely for purposes including:
- reputation management;
- review monitoring;
- review response assistance where authorized;
- local search optimization;
- reporting;
- customer engagement;
- campaign management;
- analytics;
- customer support;
- security;
- operation of the Client Portal;
- fulfillment of contractual obligations.
Vouch shall not process Client Data for purposes unrelated to providing the Services.
Depending upon the Services selected by the Client, Vouch may process:
- business contact information;
- names;
- business email addresses;
- business telephone numbers;
- job titles;
- business addresses;
- Google Business Profile information;
- customer review content;
- review ratings;
- review timestamps;
- public business information;
- authentication information;
- support communications;
- technical logs;
- IP addresses;
- device information.
Vouch does not intentionally collect sensitive personal information unless necessary to perform the Services and instructed by the Client.
Data subjects may include:
- Client personnel;
- Authorized Users;
- business owners;
- employees;
- customer reviewers;
- prospective customers communicating with the Client;
- individuals interacting with the Client’s Google Business Profile.
Clients may authorize Vouch to access Google Business Profile information through Google’s OAuth authorization process.
Google Business Profile Data is processed solely to provide the Services requested by the Client.
Vouch:
- requests only the Google Business Profile API permissions reasonably necessary to provide the Services;
- follows the principle of data minimization;
- does not request access to Google Workspace APIs;
- does not sell Google API data;
- does not use Google API data for advertising;
- does not use Google API data to develop, improve, fine-tune, or train generalized artificial intelligence or machine learning models;
- permits Clients to revoke authorization at any time through Google or by contacting Vouch.
The Client instructs Vouch to process Client Data only as necessary to provide the Services.
Additional processing instructions must be provided in writing.
If Vouch believes an instruction violates applicable law, Vouch may suspend the affected processing until the matter has been resolved.
Vouch shall ensure that personnel authorized to process Client Data:
- are subject to confidentiality obligations;
- receive appropriate training;
- access Client Data only when necessary to perform assigned responsibilities.
These obligations survive termination of employment or engagement.
Vouch shall implement and maintain reasonable administrative, technical, and organizational safeguards designed to protect Client Data against unauthorized access, acquisition, disclosure, alteration, destruction, or misuse.
Such safeguards may include, as appropriate:
- Encryption of data transmitted over public networks using HTTPS/TLS.
- Encryption of sensitive credentials and authentication tokens at rest where appropriate.
- Role-based access controls.
- Multi-factor authentication for administrative accounts where appropriate.
- Security logging and monitoring.
- System patch management and software updates.
- Malware protection.
- Secure backup and disaster recovery procedures.
- Access reviews.
- Personnel confidentiality obligations.
- Secure software development practices where applicable.
Vouch may modify its security measures from time to time provided the overall level of protection is not materially reduced.
Vouch shall limit access to Client Data to personnel, contractors, and service providers who:
- require access to perform the Services;
- are subject to confidentiality obligations;
- receive appropriate training where applicable; and
- access Client Data only for legitimate business purposes.
Vouch shall maintain appropriate procedures for granting, reviewing, and removing access privileges.
The Client acknowledges that Vouch may engage third-party service providers (“Subprocessors”) to assist in providing the Services.
Examples may include providers of:
- cloud infrastructure;
- secure hosting;
- authentication;
- email delivery;
- payment processing;
- customer support;
- monitoring;
- backup services;
- security services;
- analytics;
- infrastructure management.
Vouch shall:
- conduct reasonable diligence before engaging a Subprocessor;
- require Subprocessors to protect Client Data through written contractual obligations appropriate to the services provided;
- remain responsible for the performance of its Subprocessors with respect to the processing of Client Data.
A current list of Subprocessors is available upon written request by contacting:
Vouch shall maintain procedures designed to identify, investigate, contain, and remediate Security Incidents affecting Client Data.
For purposes of this DPA, a “Security Incident” means unauthorized access to, acquisition of, disclosure of, alteration of, or destruction of Client Data.
Upon becoming aware of a Security Incident affecting Client Data, Vouch shall:
- promptly investigate the incident;
- take reasonable steps to contain and remediate the incident;
- notify affected Clients without undue delay where notification is appropriate or required by applicable law;
- provide information reasonably necessary for the Client to satisfy applicable legal obligations, to the extent such information is reasonably available.
Notification of a Security Incident does not constitute an admission of fault or liability.
Vouch shall retain Client Data only for as long as reasonably necessary to:
- provide the Services;
- comply with applicable law;
- satisfy contractual obligations;
- resolve disputes;
- enforce legal rights;
- maintain backup and disaster recovery systems.
Retention periods may vary depending upon the nature of the information processed.
Upon termination of the Services, and upon the Client’s written request, Vouch shall, within a reasonable period:
- return Client Data in a commercially reasonable format where practicable; or
- securely delete or anonymize Client Data.
Vouch may retain information:
- required by applicable law;
- contained within routine backup systems until overwritten in the normal course of business;
- necessary to establish, exercise, or defend legal claims.
Where Google Business Profile authorization has been revoked, Vouch will discontinue access to Google Business Profile APIs.
Recognizing the nature of the Services and the need to protect the confidential information of all Clients, Vouch does not permit unrestricted onsite audits.
Upon reasonable written request, and no more than once annually unless required by applicable law or following a confirmed Security Incident, Vouch shall make available information reasonably necessary to demonstrate compliance with this DPA.
Such information may include:
- security policies;
- summaries of technical safeguards;
- compliance questionnaires;
- independent security assessments, audit reports, certifications (such as SOC 2, if available), or other documentation reasonably demonstrating compliance;
- other documentation reasonably demonstrating compliance.
Any audit or review shall:
- be limited to information relevant to the Client;
- avoid disruption of Vouch’s operations;
- protect confidential information of other clients; and
- be subject to reasonable confidentiality obligations.
Vouch primarily stores and processes Client Data within the United States.
If Client Data is transferred internationally, Vouch shall implement appropriate safeguards required by applicable privacy laws.
Unless prohibited by law, Vouch shall promptly notify the Client of any legally binding governmental request for Client Data.
Where appropriate, Vouch may object to or seek to limit disclosure of Client Data consistent with applicable law.
Taking into account the nature of the Services, Vouch shall provide reasonable assistance to the Client in responding to verified requests from individuals exercising rights under applicable privacy laws, to the extent the request relates to Client Data processed by Vouch.
The Client remains responsible for responding to such requests unless otherwise agreed in writing.
Upon reasonable request, Vouch shall provide information reasonably necessary to assist the Client in demonstrating compliance with applicable privacy laws, provided such assistance is proportionate to the nature of the Services and does not require disclosure of confidential information relating to other clients.
To the extent the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”), applies to the processing of Client Data, Vouch acts as a “Service Provider” or “Contractor,” as those terms are defined under the CCPA, when processing Personal Information on behalf of the Client.
Accordingly, Vouch agrees that it shall:
- Process Personal Information solely for the limited and specified purposes described in the applicable agreement, this DPA, and the documented instructions of the Client.
- Not sell or share Personal Information, as those terms are defined by the CCPA.
- Not retain, use, or disclose Personal Information for any purpose other than providing the Services, complying with applicable law, or as otherwise permitted by the CCPA.
- Not combine Personal Information received from one Client with Personal Information received from another Client except as permitted by applicable law and as necessary to provide the Services.
- Notify the Client if Vouch determines that it can no longer meet its obligations under the CCPA.
The Client may take reasonable and appropriate steps to help ensure Vouch’s use of Personal Information remains consistent with the Client’s obligations under applicable law.
If the processing of Client Data is subject to the General Data Protection Regulation (GDPR), the parties agree that:
- The Client acts as the Controller.
- Vouch acts as the Processor.
- Vouch shall process Personal Data only on documented instructions from the Client unless otherwise required by applicable law.
- Vouch shall assist the Client in fulfilling obligations relating to data subject rights where reasonably appropriate.
- Vouch shall implement appropriate technical and organizational measures to protect Personal Data.
- Vouch shall require personnel with access to Personal Data to maintain confidentiality.
- Vouch shall assist the Client with Security Incident notifications where applicable.
- Vouch shall return or delete Personal Data following termination of the Services, subject to applicable legal retention obligations.
Nothing in this Section expands Vouch’s obligations beyond those required by applicable law.
Vouch may update this DPA from time to time to:
- Reflect changes in applicable privacy laws.
- Reflect changes in the Services.
- Improve security practices.
- Reflect changes in processing activities.
- Address new regulatory guidance.
If a material change affects the processing of Client Data, Vouch will provide reasonable notice before the updated DPA becomes effective.
The most current version of this DPA will be made available to Clients upon request or through other reasonable means.
If a conflict exists among the applicable agreements, the following order of precedence shall apply solely with respect to privacy and data processing matters:
- This Data Processing Addendum.
- The applicable written Service Agreement, Statement of Work, or Order Form.
- The Terms of Service.
- The Privacy Policy.
This DPA becomes effective on the date the Client first engages Vouch to provide the Services and remains in effect for so long as Vouch processes Client Data on behalf of the Client.
Termination of the Services does not relieve either party of obligations that are intended to survive termination, including confidentiality, data security, and data deletion obligations.
Questions regarding this Data Processing Addendum or Vouch’s privacy practices may be directed to:
Vouch For Us, LLC
Email: [email protected]
Website: https://vouchforus.com
Nature and Purpose of Processing
Vouch processes Client Data solely for the purpose of providing professional marketing, reputation management, local search optimization, review management, customer engagement, reporting, consulting, and related services requested by the Client.
Categories of Personal Information
Depending upon the Services provided, processing may include:
- Business contact information
- Authorized User account information
- Google Business Profile information
- Public customer review content
- Review ratings
- Review timestamps
- Business profile information
- Technical logs
- Authentication information
- Support communications
- Device and browser information
- IP addresses
Categories of Data Subjects
- Client personnel
- Authorized Users
- Business owners
- Employees
- Individuals who publish reviews regarding the Client
- Individuals who communicate with the Client through supported services
Processing Activities
Processing activities may include:
- Collection
- Storage
- Organization
- Retrieval
- Analysis
- Reporting
- Transmission
- Display
- Deletion
- Anonymization
Duration of Processing
Client Data is processed only for the duration necessary to provide the Services and as otherwise permitted or required by applicable law.
Vouch maintains security measures appropriate to the nature of the Client Data processed, which may include:
Organizational Measures
- Confidentiality obligations for personnel
- Access approval procedures
- Security awareness training
- Internal privacy procedures
- Vendor due diligence
- Incident response procedures
Technical Measures
- HTTPS/TLS encryption for data in transit
- Encryption of sensitive credentials where appropriate
- Role-based access controls
- Multi-factor authentication for administrative access where appropriate
- Security logging and monitoring
- Secure authentication mechanisms
- Routine software updates
- Malware protection
- Secure backup procedures
- Access logging where appropriate
Physical Measures
Where Vouch relies upon third-party cloud infrastructure providers, physical security is primarily provided by those providers in accordance with their published security programs and contractual obligations.
Vouch periodically reviews and updates its security practices as appropriate to address evolving security risks, technological developments, and changes in applicable legal requirements.