Data Processing Agreement

This DPA ensures compliance with the EU General Data Protection Regulation (GDPR — Regulation (EU) 2016/679) and, where applicable, the UK GDPR. It establishes the roles, responsibilities, and safeguards applicable to the processing of Personal Data by Viraly on behalf of its customers.

• Controller: The customer who determines the purposes and means of processing personal data within their Viraly workspace.
• Processor: TradingPlus Inc. (Viraly), which processes Personal Data solely on the documented instructions of the Controller.

The Processor does not sell, reuse, or exploit Personal Data for its own commercial purposes. Your data is never used to train AI models.

Depending on how you use the Service, we may process the following categories of data:

Workspace & Brand Data

• Company name, brand name, website URL
• Brand identity data (logo, colors, fonts, tagline, tone of voice)
• AI conversation history with the Viraly Agent
• Content items, captions, images, and scheduled posts

User Account Data

• Name, email address, profile picture
• Account identity and login credentials (hashed)
• Usage logs and audit trails

Connected Social Account Data

• OAuth tokens for connected social media accounts (X, LinkedIn, Instagram)
• Publishing history and status logs

Processing activities include:

• Storage and organization of workspace, brand, and content data
• AI-assisted content generation (text and images) on behalf of the Controller
• Automated publishing to social media platforms via official APIs
• Secure access by authorized users of the workspace
• Export, deletion, or restriction upon request
• Security monitoring, fraud detection, and incident response

All processing occurs only on documented instructions from the Controller, except where required by applicable EU law.

All infrastructure — including compute, storage, database, and content delivery — is hosted on Amazon Web Services in the eu-west-1 region. For a full list of sub-processors, see Section 8 below.

Viraly implements appropriate technical and organizational measures (TOMs) to ensure a level of security appropriate to the risk, including:

• Encryption in transit using TLS 1.3
• Encryption at rest using AES-256
• Role-based access control (RBAC) with least-privilege principles
• Multi-factor authentication (MFA) for platform access
• Regular security audits and automated vulnerability scanning
• Logging, monitoring, and incident detection systems
• Regular backups with encrypted storage and disaster recovery procedures
• Infrastructure hosted with GDPR-compliant cloud providers in EU regions

All primary data storage is within the EU. Where we engage sub-processors outside the EU/EEA (such as OpenAI for AI processing), we ensure lawful transfer mechanisms are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• EU–US Data Privacy Framework certification (where applicable)
• Data Processing Agreements with all sub-processors

Viraly engages the following trusted sub-processors. All are bound by GDPR-compliant data protection obligations and standard contractual clauses:

We will notify the Controller of any intended changes to sub-processors and provide a reasonable opportunity to object.

The Processor will assist the Controller in responding to Data Subject requests under GDPR Articles 15–22, including:

• Access (Art. 15)— provide a copy of the Data Subject's Personal Data
• Rectification (Art. 16) — correct inaccurate or incomplete data
• Erasure (Art. 17)— delete Personal Data upon request ("right to be forgotten")
• Portability (Art. 20) — export data in a machine-readable format
• Restriction (Art. 18) — restrict processing in certain circumstances
• Objection (Art. 21) — object to processing based on legitimate interests

To submit a request, contact us at support@viraly.im. We will respond within 30 days.

In the event of a Personal Data breach, Viraly will:

• Notify the Controller without undue delay — target: within 72 hours of becoming aware
• Provide full details of the breach, including nature, categories affected, and estimated impact
• Support the Controller in fulfilling its notification obligations to supervisory authorities
• Cooperate fully in investigating and mitigating the breach

• Active workspace data retained for the duration of the subscription
• Upon account deletion or termination: Personal Data deleted within 30 days
• Billing records retained for 7 years as required by applicable financial regulations
• Backups are deleted according to secure retention schedules (maximum 90 days)
• Data deletion is permanent and irreversible; export prior to deletion is recommended

The Controller may request reasonable documentation demonstrating GDPR compliance. Formal audits are subject to confidentiality obligations and reasonable notice. Audits are limited to once per year and must not unreasonably disrupt Viraly operations.

Viraly ensures that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Each party's liability under this DPA is governed by the Viraly Terms of Service, except where GDPR mandates otherwise. Where GDPR imposes direct liability on a party, that liability is borne by that party.

This DPA is governed by the laws of the State of Delaware, USA, without regard to conflict of law principles. The parties submit to the exclusive jurisdiction of the state and federal courts located in Delaware, USA for any disputes arising under this DPA.

Customers requiring a signed DPA for their own compliance needs may request one by contacting us. We will provide a countersigned DPA within 10 business days.