Data Processing Agreement

1. Background and Purpose

This Data Processing Agreement ("DPA") is entered into between Viraloo ("Processor") and the registered business or individual Operator using the Viraloo platform ("Controller"). It forms part of and supplements the Terms of Service.

This DPA governs the processing of personal data by Viraloo on behalf of the Controller in connection with the provision of the Viraloo campaign management services, in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and other applicable data protection legislation.

In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.

2. Definitions

• "Controller" has the meaning given in Art. 4(7) GDPR — the Operator who determines the purposes and means of processing
• "Processor" has the meaning given in Art. 4(8) GDPR — Viraloo, processing data on behalf of the Controller
• "Personal Data" has the meaning given in Art. 4(1) GDPR — any information relating to an identified or identifiable natural person
• "Data Subject" means the natural person to whom personal data relates (typically a campaign participant)
• "Sub-processor" means any third party engaged by Viraloo to carry out processing activities on behalf of the Controller
• "Supervisory Authority" means the competent data protection authority in the relevant jurisdiction
• "Standard Contractual Clauses (SCCs)" means the clauses approved by the European Commission under Art. 46(2)(c) GDPR for international data transfers

3. Subject Matter, Nature, and Duration

Viraloo processes personal data to provide campaign management, referral tracking, leaderboard functionality, email delivery, and analytics services as described in the Terms of Service. Processing continues for the duration of the Controller's subscription and for any post-termination retention period required by this DPA or applicable law.

4. Types of Personal Data and Categories of Data Subjects

Data Subjects: campaign participants (natural persons who enter campaigns operated by the Controller).

Types of Personal Data processed:

• Identity data: first name, last name
• Contact data: email address
• Referral and participation data: referral codes, referral attribution, entry timestamps, leaderboard positions, points
• Technical data: IP address, browser type, device information, approximate geolocation
• Communication data: email open/click events, transactional email logs

Special categories of data: Viraloo does not intentionally process special category data. Controllers must not configure campaigns to collect special category data (e.g., health data, racial/ethnic origin, political opinions) unless they have a separate legal basis and have disclosed this to Viraloo in advance.

5. Processor Obligations

Viraloo agrees to:

• 5.1 Instructions: process personal data only on documented instructions from the Controller (as set out in this DPA, the Terms, and any agreed configuration). If Viraloo is required by EU or Member State law to process data beyond the Controller's instructions, it will inform the Controller to the extent legally permitted.
• 5.2 Confidentiality: ensure that all persons authorised to process personal data are bound by appropriate confidentiality obligations.
• 5.3 Security: implement the technical and organisational measures set out in Annex I of this DPA, appropriate to the risks of processing.
• 5.4 Sub-processor engagement: comply with the sub-processor provisions in Section 7.
• 5.5 Assistance with data subject rights: taking into account the nature of processing, assist the Controller by appropriate technical and organisational measures to fulfil its obligation to respond to data subject rights requests.
• 5.6 Assistance with security and breach notification: assist the Controller in ensuring compliance with obligations under Arts. 32–36 GDPR, including notification of personal data breaches without undue delay and no later than 48 hours after becoming aware.
• 5.7 Deletion or return: at the Controller's choice, delete or return all personal data to the Controller upon termination of services, and delete existing copies, unless retention is required by applicable law.
• 5.8 Audit: make available all information necessary to demonstrate compliance with this DPA and allow for audits and inspections conducted by the Controller or a mandated auditor, subject to 30 days' prior written notice and reasonable confidentiality agreements.
• 5.9 Notification of unlawful instructions: immediately inform the Controller if, in Viraloo's opinion, an instruction infringes applicable data protection law.

6. Controller Obligations

The Controller warrants and undertakes to:

• Have a valid legal basis under GDPR for all personal data collected through their campaigns
• Provide data subjects with appropriate privacy notices before their data is collected
• Not instruct Viraloo to process personal data in a way that infringes applicable data protection law
• Obtain any consents required for transactional email communications sent through the platform
• Ensure campaign structures do not result in collection of special category data without appropriate safeguards
• Respond to data subject requests relating to participant data (as data controller)

7. Sub-processors

The Controller grants Viraloo general authorisation to engage sub-processors. Viraloo maintains and makes available a current list of sub-processors upon request. Viraloo will provide at least 14 days' prior written notice of any intended addition or replacement of sub-processors, giving the Controller the opportunity to object on reasonable data protection grounds.

Current categories of sub-processors engaged by Viraloo include:

• Cloud infrastructure and hosting: data centre and server services (EU/UK/US regions)
• Email delivery: transactional email delivery service providers
• Payment processing: Stripe, Inc. (PCI-DSS Level 1 certified, Privacy Shield/SCC compliant)
• Error monitoring: application performance and error tracking services
• Analytics: anonymised, aggregated usage analytics platforms

All sub-processors are subject to written data processing agreements that impose obligations no less protective than those in this DPA.

8. International Data Transfers

Where Viraloo transfers personal data to sub-processors or other parties outside the EEA or UK, it will ensure such transfers are made only:

• To countries covered by an EU or UK adequacy decision; or
• Subject to EU Standard Contractual Clauses (Module 2 or 3, as applicable) or the UK IDTA; or
• Under another appropriate safeguard permitted by Art. 46 GDPR

Viraloo will make copies of applicable transfer mechanisms available to the Controller upon request.

9. Security Measures (Annex I)

Viraloo implements and maintains the following technical and organisational measures:

• Encryption in transit: TLS 1.2 or higher for all data transmissions
• Encryption at rest: AES-256 encryption for databases and storage containing personal data
• Access control: role-based access controls; principle of least privilege; MFA enforced for administrative access
• Pseudonymisation: where feasible, data is pseudonymised or tokenised to minimise risk
• Availability and resilience: automated backups, failover mechanisms, and disaster recovery procedures
• Testing: regular penetration testing, vulnerability scanning, and security code reviews
• Incident response: documented data breach response plan with defined escalation paths and 48-hour internal notification SLA
• Physical security: data processed in facilities with physical access controls and 24/7 monitoring
• Staff training: regular data protection training for all personnel with access to personal data
• Vendor management: security assessments of sub-processors prior to engagement and on a periodic basis

10. Liability

Each party is liable to data subjects and to each other for any damage caused by processing that infringes this DPA or applicable data protection law, to the extent attributable to that party's breach. Viraloo's liability under this DPA is subject to the limitations of liability set out in the Terms of Service.

11. Term and Termination

This DPA remains in effect for as long as Viraloo processes personal data on behalf of the Controller. It terminates automatically upon termination of the Terms of Service. Obligations of confidentiality and data deletion/return survive termination.

12. Governing Law

This DPA is governed by the same governing law as the Terms of Service, except that provisions implementing GDPR or UK GDPR requirements shall be interpreted in accordance with EU or UK data protection law respectively.

13. Contact and DPO

Data protection enquiries: dpo@viraloo.org. For urgent data breach notifications, use the same address marked URGENT.