Անցնել բովանդակությանը

Data Processing Addendum

Տարբերակ 1.0 · Ուժի մեջ է 2026-04-20

Availability. This Data Processing Addendum is published in English only. If you need a translation for internal purposes, contact support@vcr.am.

When it applies. This DPA is offered to business Customers who, in the course of using the VCR.AM service, cause personal data of their own end-users (for example, their buyers) to be processed by us. Typical individual users of the Service are governed by the Privacy Policy alone and do not need a separate DPA.

1. Definitions

Capitalised terms have the meanings given below. Where a term is used in the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") or the Law of the Republic of Armenia on the Protection of Personal Data ("RA PDPA"), it carries the same meaning here.

  • "Processor" means Blob Solutions LLC (Tax ID 02906081), the provider of the VCR.AM service ("Processor", "we").
  • "Customer" means the legal entity or individual entrepreneur that has accepted the Public Offer and to which this DPA applies ("Customer", "you").
  • "Customer Personal Data" means personal data relating to the Customer's end-users or representatives that the Processor processes on the Customer's behalf under the Agreement.
  • "Agreement" means the Public Offer and any other binding terms between the Processor and the Customer governing the use of the Service.
  • "Sub-processor" means any third party engaged by the Processor to process Customer Personal Data. The current list is published at /legal/sub-processors.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission (most recently in Commission Implementing Decision (EU) 2021/914, Module Two: Controller-to-Processor).

Terms such as "Controller", "Processor", "Data Subject", "Personal Data Breach", "Processing", and "Supervisory Authority" have the meanings given in GDPR Art. 4 and the corresponding provisions of the RA PDPA.

2. Scope and roles

2.1. This DPA supplements the Agreement and governs the Processor's processing of Customer Personal Data.

2.2. The parties acknowledge that, with respect to Customer Personal Data, the Customer acts as the Controller and the Processor acts as a processor within the meaning of the GDPR and the RA PDPA. Where the Customer itself acts as a processor for an upstream controller, this DPA applies to the Processor as a sub-processor on back-to-back terms.

2.3. With respect to personal data that the Processor processes as a controller in its own right (for example, account data of the Customer's administrators) the Privacy Policy applies, not this DPA.

3. Subject matter, duration, nature and purpose

3.1. Subject matter and duration — the Processor processes Customer Personal Data for the duration of the Agreement and for the retention periods described in the Privacy Policy.

3.2. Nature and purpose — processing necessary to provide the VCR.AM service: registering transactions with the Armenian State Revenue Committee, generating and delivering PDF receipts, maintaining the Customer's account, and ensuring the security and integrity of the Service.

3.3. Types of personal data typically processed — names, email addresses, tax identification numbers (TIN), transaction amounts and line items, receipt recipient emails, and technical identifiers (IP address, user agent).

3.4. Categories of data subjects — the Customer's end-users (buyers, recipients of receipts) and authorised representatives of the Customer.

4. Instructions

4.1. The Processor processes Customer Personal Data only on the Customer's documented instructions, which consist of: (a) this DPA; (b) the Agreement; (c) the Customer's lawful configuration and use of the Service; (d) any further written instructions reasonably agreed between the parties.

4.2. The Processor will inform the Customer promptly if it believes that an instruction infringes the GDPR, the RA PDPA, or other applicable data-protection law.

4.3. The Processor may also process Customer Personal Data where it is required to do so by applicable law. In such cases the Processor will inform the Customer of the legal requirement before processing, unless that law prohibits such notification on important grounds of public interest.

5. Confidentiality

The Processor ensures that personnel authorised to process Customer Personal Data are bound by contractual or statutory obligations of confidentiality.

6. Security

6.1. The Processor implements appropriate technical and organisational measures to protect Customer Personal Data, including those described in Section 7 of the Privacy Policy and summarised below:

  • TLS 1.2+ encryption in transit.
  • Encryption at rest for the primary database and for stored credentials using AES-based encryption with per-entity keys — consistent with Article 19(2) RA PDPA.
  • Role-based access control and data isolation per business entity.
  • Multi-factor authentication on administrative accounts; least-privilege access.
  • Continuous monitoring of errors and anomalies; security-relevant dependency audits.
  • A documented incident-response procedure with the notification timelines in Clause 9 below.

6.2. The measures above take into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risk of varying likelihood and severity for the rights and freedoms of data subjects.

7. Sub-processors

7.1. The Customer provides general authorisation for the Processor to engage sub-processors, provided that the Processor:

  • Imposes on each sub-processor data-protection obligations materially equivalent to those set out in this DPA.
  • Publishes an up-to-date list of sub-processors at /legal/sub-processors.
  • Notifies the Customer at least 14 days in advance of any new or replacement sub-processor, or any material change to an existing sub-processor's scope.

7.2. The Customer may object to a new sub-processor on reasonable data-protection grounds by writing to support@vcr.am within 14 days of notification. If the parties cannot agree a solution, the Customer may terminate the Agreement without penalty in respect of the affected processing. Mandatory fiscal retention obligations will continue to apply.

7.3. The Processor remains fully liable to the Customer for any failure by a sub-processor to fulfil its data-protection obligations.

8. International data transfers

8.1. The parties acknowledge that the Processor and certain sub-processors are located outside the Republic of Armenia and the European Economic Area.

8.2. For transfers of Customer Personal Data to countries that have not received an adequacy decision, the parties rely on the Standard Contractual Clauses or equivalent mechanisms, supplemented where appropriate by additional technical and organisational measures (for example, encryption in transit and at rest, pseudonymisation).

8.3. By entering into this DPA, the Customer is deemed to have entered into the SCCs with the Processor (and, where applicable, with the Processor on behalf of its sub-processors) for any onward transfer necessary to provide the Service.

9. Personal data breaches

9.1. The Processor will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and in any event within 72 hours.

9.2. The notification will include, to the extent known: (a) the nature of the breach and categories and approximate number of data subjects and records affected; (b) the likely consequences; (c) the measures taken or proposed to address the breach and mitigate its possible adverse effects; and (d) the name and contact details of the point of contact where more information can be obtained.

9.3. The Processor will also notify the Personal Data Protection Agency and the Police of the Republic of Armenia where required by Article 21(4) RA PDPA, regardless of whether the Customer also elects to notify its own supervisory authority.

10. Assistance with data subject rights

The Processor will, taking into account the nature of processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, in the fulfilment of the Customer's obligation to respond to requests from data subjects exercising their rights under the GDPR (Articles 12–22) or the RA PDPA (Articles 15, 17).

11. Assistance with DPIAs and consultations

The Processor will provide the Customer with reasonable assistance in carrying out Data Protection Impact Assessments (GDPR Art. 35) and prior consultations with supervisory authorities (Art. 36), taking into account the nature of processing and the information available to the Processor.

12. Audit rights

12.1. The Processor will make available to the Customer all information necessary to demonstrate compliance with the obligations in this DPA, and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.

12.2. The Customer agrees to exercise audit rights primarily through reasonable written questionnaires and review of current third-party audit reports (SOC 2, ISO 27001) where available. On-site audits are reserved for cases where such reports do not satisfy a specific, documented concern. The Customer bears its own costs for audits and will minimise disruption to the Service.

13. Deletion or return at end of services

On termination of the Agreement, the Processor will, at the Customer's choice, delete or return all Customer Personal Data, except data that must be retained by law — in particular, fiscal records under the RA Tax Code and the Law on Accounting. Data retained by legal obligation will continue to be protected in accordance with this DPA until it is lawfully destroyed.

14. Liability

14.1. The liability of each party under or in connection with this DPA is subject to the liability limits set out in the Agreement (see Clause 11 of the Public Offer).

14.2. Nothing in this DPA limits any liability that cannot be lawfully limited, including liability for gross negligence or wilful misconduct.

15. Order of precedence

In the event of a conflict between this DPA and the Agreement concerning the processing of Customer Personal Data, this DPA prevails. In the event of a conflict between this DPA and the SCCs, the SCCs prevail.

16. Changes

The Processor may update this DPA from time to time. Material changes — those that affect the rights and obligations of the Customer under the GDPR or the RA PDPA — will be announced at least 30 days in advance by email and through an updated version number at the top of this page. Continued use of the Service after the effective date constitutes acceptance of the updated DPA. A Customer that does not accept a material change may terminate the Agreement under Clause 13.2 of the Public Offer.

17. Execution

This DPA is effective automatically when a business Customer accepts the Agreement and begins processing Customer Personal Data through the Service. Business Customers that require a countersigned PDF copy of this DPA may request one at support@vcr.am with the subject "DPA counter-signature request".

18. Change log

  • v1.0 — 2026-04-20 — Initial publication.

19. Contact

Blob Solutions LLC Tax ID: 02906081 Jurisdiction: Republic of Armenia Email: support@vcr.am

For the general Privacy Policy, see /legal/privacy. For the list of current sub-processors, see /legal/sub-processors.