Data Processing Agreement
Our obligations as a data processor under GDPR and other applicable privacy frameworks.
This Data Processing Agreement (“DPA”) is entered into between Virtuollis (“Processor”) and the customer (“Controller”) and supplements our Terms of Service. This DPA is intended to comply with the requirements of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable data protection laws.
1. Definitions
In this DPA, the following terms have the meanings defined below:
- “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”).
- “Processing” means any operation performed on Personal Data, such as collection, storage, use, transmission, or deletion.
- “Controller” means the entity that determines the purposes and means of Processing.
- “Processor” means the entity that processes Personal Data on behalf of the Controller.
- “Sub-processor” means a third party engaged by the Processor to carry out specific processing activities.
- “Supervisory Authority” means the data protection authority responsible for supervising compliance with GDPR in a given jurisdiction.
2. Roles & Responsibilities
The parties acknowledge that:
- You (the Customer) are the Controller of Personal Data that you submit to or generate through the Services.
- Virtuollis is a Processor acting on your instructions in connection with providing the Services.
- Virtuollis may act as an independent Controller for data collected directly about your users for its own operational and legal purposes, as described in our Privacy Policy.
3. Scope & Purpose of Processing
Virtuollis will process Personal Data only:
- As necessary to provide the Services described in your service agreement or subscription terms.
- In accordance with your documented instructions as Controller.
- As required by applicable law (in which case Virtuollis will, where permitted, inform you before processing).
4. Nature of Personal Data & Data Subjects
The categories of Personal Data we may process on your behalf include:
- Contact information (name, email address, phone number)
- Account credentials and authentication data
- Professional information (company name, job title)
- Usage data and platform interaction logs
- Any additional data submitted by you or your users through the Services
The Data Subjects whose Personal Data we process include your employees, contractors, customers, and any other individuals whose data you submit to the Services.
5. Security Measures
Virtuollis implements and maintains appropriate technical and organizational security measures to protect Personal Data against unauthorized access, loss, or destruction. These measures include:
- Encryption of data in transit using TLS 1.2 or higher.
- Encryption of data at rest using AES-256 or equivalent.
- Role-based access controls and the principle of least privilege.
- Regular penetration testing and vulnerability assessments.
- SOC 2-aligned change management and security review processes.
- Employee training on data protection and security practices.
- Incident response and breach notification procedures (see Section 8 below).
6. Sub-processors
Virtuollis engages third-party Sub-processors to assist in delivering the Services. We maintain a list of current Sub-processors, which is available upon request at legal@virtuollis.com. We will notify you at least 30 days in advance of adding or replacing any Sub-processor and will update sub-processing agreements to include equivalent data protection obligations.
You may object to the use of a new Sub-processor within 15 days of notification. In the event of a reasonable objection that cannot be resolved, either party may terminate the affected Services without penalty.
7. Data Subject Rights
When we receive a request from a Data Subject exercising their rights under applicable data protection law (access, rectification, erasure, portability, objection, restriction), we will:
- Promptly notify you of the request.
- Assist you, to the extent possible, in responding to the request within applicable deadlines.
- Not respond directly to the Data Subject unless you have authorized us to do so, or unless required by applicable law.
8. Data Breach Notification
In the event of a Personal Data breach that is likely to result in a risk to the rights and freedoms of natural persons, Virtuollis will:
- Notify you without undue delay, and in any event within 72 hours of becoming aware of the breach.
- Provide you with sufficient information to enable you to meet your obligations under applicable data protection law.
- Cooperate with your investigation and remediation efforts.
9. Data Retention & Deletion
Upon termination or expiry of your use of the Services, Virtuollis will, at your election, return or securely delete all Personal Data within 30 days, unless applicable law requires a longer retention period. We will provide written confirmation of deletion upon request.
10. International Transfers
If Personal Data is transferred outside the European Economic Area (EEA), Virtuollis will ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or another transfer mechanism recognized under applicable law.
11. Audit Rights
You have the right to audit Virtuollis's compliance with this DPA, either directly or through a mutually agreed independent third party. Audit requests must be submitted in writing with at least 30 days' notice and may be conducted no more than once per calendar year, unless required by a Supervisory Authority. You will be responsible for costs associated with third-party audits.
12. Contact & Governing Law
Questions regarding this DPA or our data processing practices should be directed to our Legal team:
Virtuollis — Legal & Privacy
Email: legal@virtuollis.com
Phone: +1 437-235-2841
Website: virtuollis.com/contact