Data Processing Agreement
This Data Processing Agreement ("DPA") is part of the Terms of Service between you ("Controller") and ViralDM ("Processor").
1. Definitions
- Personal Data: Any information relating to an identified/identifiable person
- Controller: You (the user who decides why and how data is processed)
- Processor: ViralDM (we process data on your behalf)
- Data Subject: Your subscribers/customers whose data we process
2. Scope of Processing
We process Personal Data only as needed to:
- Provide the Service to you
- Execute automations you configure
- Store messages and subscriber data
- Generate AI replies (using AWS Bedrock/OpenAI)
- Comply with legal obligations
3. Categories of Data Subjects
- Your subscribers (Instagram/Facebook/YouTube users who interact with your accounts)
- Your team members (if you add multiple users)
4. Categories of Personal Data
- Platform user IDs and usernames
- Message content (text, attachments)
- Custom fields you collect (email, phone, name)
- Behavioral data (mood, lead score, engagement)
5. Sub-processors
We use the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| AWS | Cloud infrastructure, AI (Bedrock) | USA / India |
| Render.com | Application hosting | Singapore |
| Neon Database | PostgreSQL hosting | Singapore |
| Razorpay | Payment processing | India |
| Cloudflare | CDN, DDoS protection | Global |
| Meta | Instagram/Facebook APIs | USA / Ireland |
| | YouTube APIs, OAuth | USA |
We'll notify you 30 days before adding new sub-processors.
6. Security Measures
- Encryption in transit: TLS 1.3 for all connections
- Encryption at rest: AES-256 for database
- Access controls: Role-based, MFA for admins
- Backups: Daily encrypted, 30-day retention
- Monitoring: 24/7 intrusion detection
- Compliance: SOC 2 standards followed
7. Data Subject Rights
We assist you in fulfilling subject rights requests within 30 days:
- Right to access
- Right to rectification
- Right to erasure (right to be forgotten)
- Right to data portability
- Right to object/restrict processing
8. Data Breach Notification
If we discover a personal data breach, we'll notify you within 72 hours with:
- Nature of breach
- Categories and approximate number of affected subjects
- Likely consequences
- Measures taken/proposed to address breach
9. Data Deletion
Upon account termination, we delete your data within 90 days, except where retention is legally required.
10. International Transfers
Data may be transferred internationally. Transfers are protected by:
- EU Standard Contractual Clauses
- Adequacy decisions where applicable
- Encryption + access controls
11. Audits
Enterprise customers may request annual audits with 30 days' notice. Audit reports are available under NDA.
12. Contact
Data Protection Officer: dpo@viraldm.app