Data Processing Addendum (DPA)
Vendux LLC dba Shiny
Effective Date: February 25, 2026
This Data Processing Addendum (“DPA”) forms part of the Terms of Use between Vendux LLC dba Shiny (“Shiny,” “Company,” “Processor,” “we,” “us,” or “our”) and any customer, client, or user (“Customer,” “Controller,” or “you”) that uses the Shiny platform and services (the “Services”).
This DPA applies where Shiny processes Personal Data on behalf of Customer and is intended to satisfy the requirements of the EU General Data Protection Regulation (“GDPR”), UK GDPR, and similar data protection laws.
- Definitions
For purposes of this DPA:
- “Personal Data” means any information relating to an identified or identifiable natural person.
- “Processing” has the meaning given under applicable data protection law.
- “Controller” means the entity that determines the purposes and means of processing Personal Data.
- “Processor” means the entity that processes Personal Data on behalf of a Controller.
- “Sub Processor” means any third party engaged by Shiny to process Personal Data.
Capitalized terms not defined here have the meaning given in the Terms of Use or Privacy Policy.
- Scope and Roles of the Parties
2.1 Independent Controllers
Shiny operates a technology platform that connects organizations and fractional professionals. In many situations:
- Shiny acts as an independent data controller for Personal Data related to account management, platform operations, analytics, security, and matching functionality.
- Customers and other Users act as independent controllers with respect to their business relationships and communications outside of the platform.
2.2 Processor Activities
To the extent Shiny processes Personal Data solely on behalf of Customer — such as hosting profile information, facilitating communications, or enabling transactions — Shiny acts as a Processor under applicable law.
This DPA applies only to those Processor activities.
- Subject Matter and Duration of Processing
Subject Matter: Provision of the Services, including platform hosting, matching functionality, communications tools, and related technical operations.
Duration: For as long as Shiny provides the Services or processes Personal Data on behalf of Customer, unless retention is required by law.
- Nature and Purpose of Processing
Shiny processes Personal Data to:
- operate and maintain the platform
- enable matching between Users
- provide technical hosting and infrastructure
- process payments through integrated providers
- provide customer support
- maintain platform security and prevent fraud
- Categories of Data and Data Subjects
5.1 Categories of Personal Data may include:
- name and contact information
- professional background and profile details
- account credentials
- communications through the platform
- billing and transaction data
- technical usage data
5.2 Categories of Data Subjects:
- platform users
- fractional professionals
- company representatives
- candidates and clients
- Processor Obligations
Shiny agrees to:
- Process Personal Data only on documented instructions from the Customer unless required by law.
- Ensure personnel authorized to process Personal Data are subject to confidentiality obligations.
- Implement appropriate technical and organizational security measures.
- Assist Customer in responding to data subject rights requests where applicable.
- Assist Customer with data protection impact assessments when required and reasonably feasible.
- Notify Customer without undue delay after becoming aware of a confirmed Personal Data breach affecting Customer data.
- Security Measures
Shiny implements commercially reasonable technical and organizational measures designed to protect Personal Data, including:
- access controls and authentication mechanisms
- encryption in transit where applicable
- infrastructure security monitoring
- vendor security reviews
Specific technical details may evolve as industry practices change.
- Sub Processors
Customer authorizes Shiny to engage Sub Processors to provide parts of the Services, including:
- hosting and cloud infrastructure providers
- analytics platforms
- payment processors
- communication and support tools
Shiny requires Sub Processors to enter into data protection agreements that impose obligations substantially similar to those in this DPA.
A current list of Sub Processors may be made available upon request.
- International Data Transfers
Shiny is headquartered in the United States. Personal Data may be transferred outside the European Economic Area, United Kingdom, or Switzerland.
Where required by law, Shiny relies on:
- Standard Contractual Clauses (SCCs)
- contractual safeguards with vendors
- other lawful transfer mechanisms
- Data Subject Requests
If Shiny receives a request directly from a data subject regarding Personal Data processed on behalf of Customer, Shiny will:
- notify Customer where legally permitted
- refrain from responding directly unless instructed by Customer or required by law
- Data Retention and Deletion
Upon termination of the Services or upon written request:
- Shiny will delete or return Personal Data processed on behalf of Customer, unless retention is required by law or necessary for legitimate business purposes such as fraud prevention or legal compliance.
- Audits and Information Requests
Shiny will make available information reasonably necessary to demonstrate compliance with this DPA.
Audits must:
- be limited to once annually unless required by law
- avoid disruption to Shiny’s systems or other customers
- be subject to confidentiality obligations
- Liability
Each party’s liability under this DPA is subject to the limitations set forth in the Terms of Use, except where prohibited by applicable data protection law.
- Governing Terms
Except as modified by this DPA, the Terms of Use remain in full force and effect.
In the event of conflict between this DPA and the Terms of Use regarding Personal Data processing, this DPA shall prevail.
- Contact Information
Vendux LLC dba Shiny
420 Nichols Rd., 2nd Floor
Kansas City, MO 64112 USA
Email: privacy@useshiny.com
