Legal
GDPR
Last updated June 2026
Vadal is built to help organisations meet their obligations under the EU and UK General Data Protection Regulation. This page summarises our approach; a Data Processing Agreement (DPA) is available to customers.
1.Roles
For employee data processed in the platform, your organisation is the controller and Vadal is the processor, acting only on documented instructions.
2.Lawful basis & data minimisation
We help controllers collect only what's needed for engagement and experience use cases, and to define retention that fits their lawful basis.
3.Data subject rights
The platform provides tools to support access, rectification, erasure and portability requests so controllers can respond within statutory timeframes.
4.International transfers
Where data is transferred internationally, we rely on appropriate safeguards such as Standard Contractual Clauses, and offer data residency options.
5.Sub-processors
We maintain a current list of sub-processors and notify customers of changes in line with the DPA.
6.Security & breach notification
Technical and organisational measures protect personal data, and we operate a process to notify controllers of any personal data breach without undue delay.
7.Requesting a DPA
Customers can request Vadal's Data Processing Agreement by contacting privacy@vadal.ai. (Illustrative for this build — confirm final terms with counsel.)