Back to Home
Legal

Data Processing Agreement

Last updated: March 1, 2026

Definitions

"Personal Data", "Processing", "Data Controller", "Data Processor", and "Data Subject" have the meanings given in the GDPR (EU 2016/679). "Services" refers to the Viwago platform and associated services.

Scope of Processing

We process personal data solely to provide the Services as described in our service agreement. Processing includes storage, analysis, and transmission of data as necessary for platform functionality.

Data Controller Obligations

You are responsible for ensuring a lawful basis for processing, providing notice to data subjects, and responding to data subject requests. You warrant that all data shared with us is collected lawfully.

Data Processor Obligations

We process data only on your documented instructions, ensure personnel are bound by confidentiality, implement appropriate security measures, and assist with data subject requests.

Sub-processors

We maintain a list of approved sub-processors. We will notify you of any changes to sub-processors with 30 days notice, allowing you to object before the change takes effect.

Data Subject Rights

We will assist you in responding to data subject requests including access, rectification, erasure, restriction, portability, and objection to processing.

Security Measures

We implement technical and organizational measures including encryption (AES-256 at rest, TLS 1.3 in transit), access controls, monitoring, and regular security assessments.

Data Breach Notification

We will notify you of any personal data breach without undue delay and no later than 72 hours after becoming aware, providing all information necessary for your notification obligations.

Data Transfers

International data transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional technical measures where necessary.

Term and Termination

This DPA remains in effect for the duration of the service agreement. Upon termination, we will delete or return all personal data within 30 days, unless retention is required by law.

Request a Signed DPA

Enterprise customers can request a countersigned copy.