This Data Processing Addendum (“DPA”) forms part of the Terms of Service between you (“Customer” or “Controller”) and ViralHits (“Processor”). It governs our processing of Personal Data on your behalf and reflects the parties’ obligations under the GDPR, UK GDPR, and similar privacy laws.
1. Roles
Customer is the Controller of Personal Data submitted to ViralHits. ViralHits is the Processor and processes Personal Data only on documented instructions from the Customer.
2. Scope + duration
Processing continues for as long as Customer maintains an active ViralHits account. The subject matter of processing is Customer’s use of the ViralHits service. The nature and purpose of processing is viral short-form video analysis, brand management, and AI-assisted remixing.
3. Types of data + data subjects
- Data subjects: Customer’s end users, employees, contractors, and any individuals whose Personal Data Customer submits.
- Personal Data: names, emails, account identifiers, connected social handles, free-text notes, uploaded content.
4. Sub-processors
Customer authorizes ViralHits to engage the sub-processors listed on our Security page (Supabase, Vercel, Stripe, Google, Apify). We’ll give at least 30 days’ notice before adding new sub-processors, allowing Customer to object on reasonable grounds.
5. Security
We implement and maintain appropriate technical and organizational measures to protect Personal Data, including encryption in transit and at rest, RLS-scoped database access, secure secret storage, and monitored production access. Full details live on the Security page.
6. Data subject requests
We’ll assist Customer in responding to requests from data subjects to exercise their rights under GDPR (access, rectification, erasure, portability, restriction, and objection). Requests routed to us directly will be forwarded to the Customer Controller.
7. Breach notification
If we become aware of a Personal Data breach involving Customer data, we’ll notify Customer without undue delay, and in any event within 72 hours of discovery, with all information reasonably available to help the Controller meet its own notification obligations.
8. International transfers
Where Personal Data originating in the EEA or UK is transferred to a country without an adequacy decision, transfers are safeguarded by the European Commission’s Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum.
9. Audit
Customer may, once per year and with 30 days’ notice, request a summary of our security controls and most recent third-party audit reports (e.g., Vercel / Supabase SOC 2). Onsite audits are available on reasonable notice and at Customer’s expense.
10. Deletion + return
On termination of the underlying agreement, ViralHits will delete or return all Personal Data within 30 days, subject to legal retention obligations.
11. Signing
This DPA is accepted when Customer agrees to the Terms of Service and processes Personal Data of EU / UK data subjects. A countersigned copy is available on request: privacy@viralhits.app.