Last reviewed: 28 April 2026
This Data Processing Addendum (“DPA”) forms part of the agreement between Vistergy Ltd (“Vistergy”) and the Customer subscribing to a Vistergy Agent through the IBM watsonx Orchestrate Agent Connect catalogue (the “Agreement”). It governs the processing of Personal Data by Vistergy on behalf of the Customer in connection with the Agent service. Where there is a conflict between this DPA and the Agreement, this DPA prevails on data-processing matters.
“Customer Data” has the meaning given in the Agreement.
“Personal Data” means any information relating to an identified or identifiable natural person, as defined in the UK GDPR.
“Process” / “Processing” has the meaning given in the UK GDPR.
“Sub-processor” means any third party engaged by Vistergy to Process Personal Data on Vistergy’s behalf.
Other capitalised terms have the meanings given in the Agreement.
Subject matter. Vistergy’s processing of Personal Data on behalf of the Customer in delivering the Vistergy Agent service.
Duration. The duration of the Customer’s subscription to the Agent (the “Subscription Term”).
Nature and purpose. Processing Customer queries to retrieve relevant standards, facility, or compliance information; producing source-traced responses with audit trails; reading from and (where authorised) writing to the Customer’s IBM Maximo MAS instance.
Types of Personal Data. Customer’s authorised users’ identifiers (where embedded in queries); query content; audit and lineage records.
Categories of data subjects. Customer’s authorised users.
Vistergy shall:
(a) Process Personal Data only on documented instructions from the Customer (the Agreement and the Customer’s use of the Agent constitute such instructions), unless required by law to process otherwise.
(b) Ensure that personnel authorised to Process Personal Data are subject to confidentiality obligations.
(c) Implement appropriate technical and organisational measures (the “Security Measures”) to protect Personal Data, as set out in Annex C and on the Vistergy Security and Trust page at vistergy.com/legal §18.
(d) Engage Sub-processors only as set out in Section 4 below.
(e) Assist the Customer with data-subject requests, data-protection impact assessments, and consultation with supervisory authorities, as required by Articles 28(3)(e) and 28(3)(f) of the UK GDPR.
(f) Make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA.
Vistergy maintains the current list of Sub-processors at vistergy.com/sub-processors (the “Sub-processors Page”). The Customer is deemed to have given general written authorisation to the Sub-processors listed on the Sub-processors Page on the date the Customer subscribes to the Agent.
Vistergy will notify the Customer of changes at least 30 days before the change takes effect, by email to the Customer’s registered support contact. The Customer may object to a new Sub-processor on reasonable grounds within 30 days by emailing [email protected]. If no alternative is reasonably available, the Customer may terminate the affected Subscription with pro-rata refund of fees paid for unused time.
The Customer shall:
(a) Comply with its obligations as Controller under applicable data-protection law, including providing required notices to data subjects and obtaining required consents.
(b) Ensure that the instructions given to Vistergy comply with applicable data-protection law.
(c) Configure the Agent (including the Maximo connector permissions) so that the Personal Data Vistergy Processes is limited to what is necessary for the agreed purpose.
Vistergy will, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures (insofar as this is possible) to fulfil the Customer’s obligations to respond to requests from data subjects to exercise their rights under the UK GDPR.
Vistergy shall notify the Customer without undue delay (and in any event within 72 hours of becoming aware) of any Personal Data Breach affecting Customer Data, providing the information required by Article 33(3) of the UK GDPR. Vistergy’s incident-response process (aligned with CLA Section 17) defines the severity classification, notification SLAs, and escalation routing; the process applies to Personal Data Breaches as a sub-class of Security Incidents.
The Customer (or an independent auditor mandated by the Customer, subject to confidentiality obligations) may audit Vistergy’s compliance with this DPA upon reasonable notice (at least 30 days), no more than once per calendar year unless an audit is required by a supervisory authority or follows a Personal Data Breach. Audits shall be conducted during business hours, with minimum disruption, at the Customer’s cost. Vistergy may provide third-party audit reports (for example, the Cyber Essentials certification at vistergy.com/legal §18) in lieu of on-site audits where the Customer’s audit objective is satisfied by such reports.
Where Personal Data is transferred outside the United Kingdom, Vistergy and any Sub-processor shall implement appropriate safeguards as required by the UK GDPR (including the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or an adequacy decision). The Sub-processors Page identifies each Sub-processor’s location and the safeguards applied.
On termination of the Subscription Term, Vistergy will, at the Customer’s choice, return or delete all Personal Data Processed on the Customer’s behalf within 30 days of termination, and certify the deletion to the Customer, unless retention is required by law (in which case Vistergy will continue to protect the Personal Data for the duration of the legal retention period and apply the Security Measures throughout).
Liability arising under this DPA is governed by the limitation of liability provisions in the End User Licence Agreement (EULA §9). Customer’s indemnity in EULA §10(b) covers Customer’s breaches of this DPA.
This DPA is governed by the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales for any dispute arising out of or in connection with this DPA, mirroring EULA §14(c).
Annex
Annex
The current Sub-processors Page is at https://vistergy.com/sub-processors. The Sub-processors Page forms part of this DPA. Updates to the Sub-processors Page are governed by Section 4 above.
Annex
Vistergy implements the technical and organisational measures set out at vistergy.com/legal §18 Security and Trust, including:
Cyber Essentials certification (certificate ee467352-31ce-41f0-a073-e29267710ced, January 2026; renewed annually)
Audit-bundle framework: every Agent query produces a session-linked audit record, providing a complete chain of custody for each data interaction
TLS-encrypted data transmission for all Agent endpoints
Access controls and authentication, scoped to least-privilege per role
Vulnerability disclosure programme with safe-harbour wording (vistergy.com/legal §18 subsection)
The Vistergy Security and Trust page is the canonical source for TOMs and is updated as the Security Measures evolve.