Data Processing Addendum

1. Definitions

Unless otherwise defined in this DPA, terms used here have the meanings given in the GDPR or UK GDPR.

• Data Protection Laws means all laws and regulations applicable to the processing of personal data under this DPA, including the GDPR, UK GDPR, and any local implementing laws.
• Customer Personal Data means any personal data that Viralix processes on behalf of the Customer as a processor in connection with the provision of the Platform.
• Controller (or "data controller") means the entity which determines the purposes and means of the processing of personal data.
• Processor (or "data processor") means the entity which processes personal data on behalf of the controller.
• Sub-processor means any third party engaged by Viralix to process Customer Personal Data on Viralix's behalf in connection with the Platform.

2. Roles of the parties and processing instructions

For the purposes of this DPA, the Customer is the controller (or "data exporter" where relevant) and Viralix is the processor (or "data importer" where relevant) in relation to Customer Personal Data.

Viralix will process Customer Personal Data only:

• on documented instructions from the Customer, including as set out in this DPA and the main agreement;
• where necessary to provide, maintain, and secure the Platform and related support services requested by the Customer; and
• as required to comply with applicable law, in which case Viralix will inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

The Customer is responsible for ensuring it has all necessary notices and legal bases to allow Viralix to process Customer Personal Data as described in this DPA.

3. Nature, purpose, and duration of processing

Nature of processing. Viralix processes Customer Personal Data through the operation of the Platform, which may include storage, hosting, transmission, and limited analysis of such data as needed to provide features (for example, accounts, project management, messaging, and file handling).

Purpose of processing. The primary purpose is to provide the Platform services to the Customer, including enabling collaboration between the Customer's users and Creators, handling briefs and deliverables, and providing support and security.

Types of data and data subjects. Customer Personal Data may include personal data relating to the Customer's representatives, Creators, employees, contractors, and other individuals whose data the Customer uploads or otherwise makes available via the Platform (for example, contact details, business profile information, and limited project-related information). Special categories of data are not intended to be processed, and the Customer should not submit such data to the Platform.

Duration. Viralix will process Customer Personal Data for as long as necessary to provide the Platform under the main agreement, and will delete or return Customer Personal Data in accordance with Section 8 of this DPA after termination, subject to any legal obligations to retain certain data.

4. Confidentiality

Viralix will ensure that persons authorized to process Customer Personal Data are subject to appropriate confidentiality obligations, whether by contract or by statutory duty, and that access to Customer Personal Data is limited to those who need such access to perform the services under the main agreement.

5. Security of processing

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, Viralix will implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

Such measures may include, as appropriate, measures relating to:

• pseudonymization and encryption (where appropriate);
• ensuring ongoing confidentiality, integrity, availability, and resilience of systems and services;
• the ability to restore availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident; and
• regular testing and evaluation of the effectiveness of security measures.

6. Sub-processors

The Customer authorizes Viralix to engage Sub-processors to support the provision of the Platform (for example, hosting providers, payment processors, analytics tools, and support tooling), provided that:

• Viralix enters into a written agreement with each Sub-processor that imposes data protection obligations no less protective than those set out in this DPA; and
• Viralix remains responsible for the Sub-processor's compliance with those obligations and for any acts or omissions of such Sub-processor that cause Viralix to breach this DPA.

Information about key Sub-processors may be provided in our Privacy Policy or other documentation. Where required by Data Protection Laws, we will notify the Customer of any intended addition or replacement of Sub-processors and give the Customer the opportunity to object on reasonable grounds. If a Customer reasonably objects and no mutually acceptable solution can be found, the Customer may be entitled to terminate the affected services in accordance with the main agreement.

7. Assistance with data subject requests and compliance

Taking into account the nature of processing, Viralix will provide reasonable assistance to the Customer, at the Customer's request and expense, to help the Customer respond to requests from data subjects exercising their rights under Data Protection Laws (for example, rights of access, rectification, erasure, restriction, portability, and objection), to the extent that such requests relate to Customer Personal Data stored in the Platform and cannot be fulfilled by the Customer directly through available tools.

Viralix will also provide reasonable assistance, upon request and where relevant, with the Customer's obligations relating to security of processing, data protection impact assessments, and consultations with supervisory authorities, taking into account the information available to Viralix and the nature of the processing.

8. Personal data breaches

In the event of a personal data breach affecting Customer Personal Data, Viralix will notify the Customer without undue delay after becoming aware of the breach and will provide information reasonably available to it to enable the Customer to comply with its obligations under Data Protection Laws (for example, to notify supervisory authorities or data subjects where required).

Viralix's notification of or response to a personal data breach will not be construed as an acknowledgment of fault or liability. The Customer is responsible for assessing whether to notify the relevant supervisory authority and/or affected data subjects, and for making such notifications where required by law.

9. Deletion or return of Customer Personal Data

Upon termination or expiry of the main agreement, or upon the Customer's written request, Viralix will, at the Customer's choice and subject to any legal retention obligations:

• delete Customer Personal Data from systems under Viralix's control; or
• return Customer Personal Data to the Customer in a commonly used electronic format.

Viralix may retain copies of Customer Personal Data solely to the extent required by applicable law and only for the period specified by that law, and will continue to protect such data in accordance with this DPA for as long as it is retained.

10. Audits and information

Viralix will make available to the Customer, upon reasonable request, information necessary to demonstrate compliance with the obligations set out in this DPA and, where required by Data Protection Laws, will allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, provided that:

• any audit is subject to reasonable prior notice and takes place during normal business hours;
• audits are limited in frequency and scope so as not to unreasonably interfere with Viralix's normal business operations; and
• the Customer (and any auditor) agrees to appropriate confidentiality obligations regarding the information obtained in the course of the audit.

Where possible, the Customer agrees to first rely on existing attestations, certifications, or audit reports made available by Viralix before requesting additional audits or inspections.

11. International transfers

Viralix may process and store Customer Personal Data in countries outside the EEA, UK, or Switzerland, as described in our Privacy Policy. Where such transfers involve Customer Personal Data and the destination country does not provide an adequate level of protection as determined by the relevant authority, Viralix will implement appropriate safeguards, such as standard contractual clauses or other transfer mechanisms recognized under Data Protection Laws.

12. Limitation of liability and precedence

Any limitations of liability agreed between the parties in the main agreement apply also to claims arising under or in connection with this DPA, to the maximum extent permitted by applicable law.

In the event of any conflict between this DPA and the main agreement, this DPA will control to the extent of the conflict with respect to the subject matter of data protection. In all other respects, the terms of the main agreement remain in full force and effect.

13. Changes to this DPA and contact

We may update this DPA from time to time to reflect changes in our processing activities, Sub-processors, or applicable law. When we make material changes, we will take reasonable steps to notify Customers (for example, by updating the "Last updated" date or providing a notice through the Platform or by email).

If you have questions about this DPA or our role as a processor, you can contact us at support@viralix.video.