Data Processing Agreement
This Data Processing Agreement ("DPA") is entered into between the Data Controller (you, the Customer) and the Data Processor (ViralDashboard). This DPA forms part of and is incorporated into the Terms of Service.
1. Definitions
Key terms:
- "Applicable Data Protection Law" includes GDPR, UK GDPR, CCPA/CPRA, LGPD, PIPEDA.
- "Data Breach" means unauthorized access to or disclosure of Personal Data.
- "Data Subject" means an identified natural person.
- "Personal Data" means any information relating to a Data Subject processed under this DPA.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data.
2. Scope and Purpose of Processing
The Processor shall process Personal Data only on behalf of and in accordance with the documented instructions of the Controller, as described in this DPA and the Agreement. The details of processing are described in Annex A below.
3. Controller Obligations
The Controller warrants that it has a lawful basis for processing, has provided all necessary notices and obtained required consents from Data Subjects, and that its processing instructions comply with Applicable Data Protection Law.
4. Processor Obligations
The Processor shall process Personal Data only on documented instructions from the Controller, ensure authorized persons are subject to confidentiality obligations, implement appropriate technical and organizational security measures, assist the Controller in fulfilling Data Subject rights, and delete or return all Personal Data upon termination of the Agreement.
5. Sub-processors
The Controller grants the Processor general written authorization to engage Sub-processors. Current Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and hosting | US / EU (Frankfurt) |
| Stripe | Payment processing | United States |
| Postmark (ActiveCampaign) | Transactional email delivery | United States |
| OpenAI | AI content and image generation | United States |
| Cloudflare | CDN, DNS, and security | Global |
| Sentry | Error monitoring | United States |
| Intercom | Customer support | United States |
| PostHog | Product analytics | EU (Frankfurt) |
The Processor shall notify the Controller at least 30 days before adding or replacing a Sub-processor. The Controller may object within 14 days on reasonable data protection grounds.
6. Security Measures
Security measures include encryption at rest (AES-256) and in transit (TLS 1.3), role-based access controls, multi-factor authentication, regular security assessments, automated vulnerability scanning, audit logging, employee training, and incident response procedures. Full details are in Annex B.
7. Data Breach Notification
The Processor shall notify the Controller of a Data Breach without undue delay, and in any event no later than 72 hours after becoming aware of the breach. The notification shall include the nature of the breach, categories and numbers affected, likely consequences, and measures taken to address the breach.
8. Data Subject Rights
The Processor shall promptly assist the Controller in responding to Data Subject requests for access, rectification, erasure, restriction, portability, and objection. The Processor shall not respond to requests directly unless instructed by the Controller or required by law.
9. Audit Rights
The Controller may conduct an audit of the Processor's processing activities with 30 days' written notice, limited to once per 12-month period. As an alternative, the Processor may provide SOC 2 Type II reports, independent security assessment results, or written responses to compliance questionnaires.
10. International Data Transfers
For transfers to countries without an adequacy decision, the Standard Contractual Clauses (Module Two: Controller to Processor) shall apply. For UK transfers, the UK International Data Transfer Addendum applies. The Processor conducts transfer impact assessments and implements supplementary measures as needed.
11. Term and Termination
This DPA remains in effect for the duration of the Agreement. Upon termination, the Processor shall return or delete all Personal Data within 30 days, except where applicable law requires continued retention.
Annex A: Details of Processing
Processing Activities
| Activity | Purpose |
|---|---|
| Account management | User authentication, profile management, team management |
| Social media management | Scheduling, publishing, and managing content |
| Inbox and messaging | Aggregating and responding to messages and comments |
| Analytics and reporting | Collecting and displaying performance data |
| AI content generation | Processing prompts and generating content |
| Billing and payments | Processing subscriptions and payments |
| Customer support | Managing support tickets and live chat |
Categories of Data Subjects
- Controller's employees and team members
- Controller's customers and audience (via connected social media platforms)
- Social media users who interact with Controller's content
Types of Personal Data
Identity data, contact data, account data, social media data, billing data, usage data, content data, and communication data.
Annex B: Technical and Organizational Security Measures
Key security measures include:
- Encryption: AES-256 at rest, TLS 1.3 in transit, AWS KMS key management
- Access Controls: MFA for all staff, RBAC, quarterly access reviews, VPN required
- Network Security: AWS Security Groups, Cloudflare DDoS mitigation, WAF, network segmentation
- Application Security: Security code reviews, dependency scanning, annual penetration testing
- Data Management: Data minimization, defined retention periods, secure deletion
- Incident Response: Documented plan, 1-hour initial assessment, 72-hour notification
- Personnel: Background checks, confidentiality agreements, annual security training
- Physical Security: AWS SOC 2 Type II and ISO 27001 certified data centers
This Data Processing Agreement is effective as of March 28, 2026.