Data Processing Agreement
Effective date: March 2026
GDPR Compliant
Full compliance with EU General Data Protection Regulation (2016/679) and UK GDPR.
EU Data Hosting
All data stored and processed in AWS eu-west-1 (Ireland), within the European Union.
Data Subject Rights
Full support for access, rectification, erasure, portability, restriction, and objection.
Breach Notification
Prompt notification within 72 hours with full details and regulatory support.
This Data Processing Agreement ("DPA") forms part of the Terms of Service between TradingPlus Inc., incorporated in the State of Delaware, USA, operating the Viraly platform ("Processor" or "Viraly"), and the customer entity using Viraly services ("Controller").
This DPA governs the processing of Personal Data by Viraly on behalf of the Controller in connection with the Viraly AI-powered social media marketing platform.
1. Purpose of This DPA
This DPA ensures compliance with the EU General Data Protection Regulation (GDPR — Regulation (EU) 2016/679) and, where applicable, the UK GDPR. It establishes the roles, responsibilities, and safeguards applicable to the processing of Personal Data by Viraly on behalf of its customers.
2. Roles of the Parties
- Controller: The customer who determines the purposes and means of processing personal data within their Viraly workspace.
- Processor: TradingPlus Inc. (Viraly), which processes Personal Data solely on the documented instructions of the Controller.
The Processor does not sell, reuse, or exploit Personal Data for its own commercial purposes. Your data is never used to train AI models.
3. Categories of Data Processed
Depending on how you use the Service, we may process the following categories of data:
Workspace & Brand Data
- Company name, brand name, website URL
- Brand identity data (logo, colors, fonts, tagline, tone of voice)
- AI conversation history with the Viraly Agent
- Content items, captions, images, and scheduled posts
User Account Data
- Name, email address, profile picture
- Account identity and login credentials (hashed)
- Usage logs and audit trails
Connected Social Account Data
- OAuth tokens for connected social media accounts (X, LinkedIn, Instagram)
- Publishing history and status logs
4. Nature & Purpose of Processing
Processing activities include:
- Storage and organization of workspace, brand, and content data
- AI-assisted content generation (text and images) on behalf of the Controller
- Automated publishing to social media platforms via official APIs
- Secure access by authorized users of the workspace
- Export, deletion, or restriction upon request
- Security monitoring, fraud detection, and incident response
All processing occurs only on documented instructions from the Controller, except where required by applicable EU law.
5. Data Location & Infrastructure
EU Data Hosting
All Personal Data is stored and processed exclusively on Amazon Web Services infrastructure in the eu-west-1 region (Dublin, Ireland), within the European Union. No Personal Data is transferred to non-EU servers without appropriate safeguards as described in Section 7.
All infrastructure — including compute, storage, database, and content delivery — is hosted on Amazon Web Services in the eu-west-1 region. For a full list of sub-processors, see Section 8 below.
6. Security Measures (GDPR Art. 32)
Viraly implements appropriate technical and organizational measures (TOMs) to ensure a level of security appropriate to the risk, including:
- Encryption in transit using TLS 1.3
- Encryption at rest using AES-256
- Role-based access control (RBAC) with least-privilege principles
- Multi-factor authentication (MFA) for platform access
- Regular security audits and automated vulnerability scanning
- Logging, monitoring, and incident detection systems
- Regular backups with encrypted storage and disaster recovery procedures
- Infrastructure hosted with GDPR-compliant cloud providers in EU regions
7. International Data Transfers
All primary data storage is within the EU. Where we engage sub-processors outside the EU/EEA (such as OpenAI for AI processing), we ensure lawful transfer mechanisms are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- EU–US Data Privacy Framework certification (where applicable)
- Data Processing Agreements with all sub-processors
8. Sub-processors
Viraly engages the following trusted sub-processors. All are bound by GDPR-compliant data protection obligations and standard contractual clauses:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud infrastructure (compute, storage, database, CDN) | EU (Ireland) |
| Supabase | Database and authentication | EU (AWS eu-west-1) |
| OpenAI | AI content and image generation | USA (SCCs in place) |
| Stripe | Payment processing | USA / EU (SCCs in place) |
We will notify the Controller of any intended changes to sub-processors and provide a reasonable opportunity to object.
9. Assistance with Data Subject Rights
The Processor will assist the Controller in responding to Data Subject requests under GDPR Articles 15–22, including:
- Access (Art. 15) — provide a copy of the Data Subject's Personal Data
- Rectification (Art. 16) — correct inaccurate or incomplete data
- Erasure (Art. 17) — delete Personal Data upon request ("right to be forgotten")
- Portability (Art. 20) — export data in a machine-readable format
- Restriction (Art. 18) — restrict processing in certain circumstances
- Objection (Art. 21) — object to processing based on legitimate interests
To submit a request, contact us at support@viraly.im. We will respond within 30 days.
10. Personal Data Breach Notification
In the event of a Personal Data breach, Viraly will:
- Notify the Controller without undue delay — target: within 72 hours of becoming aware
- Provide full details of the breach, including nature, categories affected, and estimated impact
- Support the Controller in fulfilling its notification obligations to supervisory authorities
- Cooperate fully in investigating and mitigating the breach
11. Data Retention & Deletion
- Active workspace data retained for the duration of the subscription
- Upon account deletion or termination: Personal Data deleted within 30 days
- Billing records retained for 7 years as required by applicable financial regulations
- Backups are deleted according to secure retention schedules (maximum 90 days)
- Data deletion is permanent and irreversible; export prior to deletion is recommended
12. Audit Rights
The Controller may request reasonable documentation demonstrating GDPR compliance. Formal audits are subject to confidentiality obligations and reasonable notice. Audits are limited to once per year and must not unreasonably disrupt Viraly operations.
13. Confidentiality
Viraly ensures that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
14. Liability
Each party's liability under this DPA is governed by the Viraly Terms of Service, except where GDPR mandates otherwise. Where GDPR imposes direct liability on a party, that liability is borne by that party.
15. Governing Law & Jurisdiction
This DPA is governed by the laws of the State of Delaware, USA, without regard to conflict of law principles. The parties submit to the exclusive jurisdiction of the state and federal courts located in Delaware, USA for any disputes arising under this DPA.
16. Contact & DPA Requests
Customers requiring a signed DPA for their own compliance needs may request one by contacting us. We will provide a countersigned DPA within 10 business days.
Company: TradingPlus Inc.
Address: 9450 SW Gemini Dr, PMB 49313, Beaverton, OR 97008-7105, United States
Email: support@viraly.im
Data hosting: Amazon Web Services, eu-west-1 (Ireland, EU)
Governing law: Laws of the State of Delaware, USA