Data Processing Agreement

In this Data Processing Agreement ("DPA"):

• "Controller" means the Viziqo Assist customer (the legal entity that has agreed to the Terms of Service) who determines the purposes and means of processing personal data through the Service.
• "Processor" means Viziqo, acting on behalf of the Controller to process personal data using the Service.
• "Data Subject" means any identified or identifiable natural person whose personal data is processed through the Service (e.g. end-customers interacting with your AI agents).
• "Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable data protection law.
• "Processing" means any operation performed on personal data, including collection, storage, retrieval, transmission, and deletion.
• "Sub-processor" means any third party engaged by Viziqo to process personal data on behalf of the Controller.
• "GDPR" means the General Data Protection Regulation (EU) 2016/679 and, where applicable, the UK GDPR.
• "Service" means the Viziqo Assist platform as described in the Terms of Service.

This DPA applies where Viziqo processes Personal Data on behalf of the Controller in connection with the Service. It forms part of the agreement between Viziqo and the Controller and supplements the Terms of Service. In the event of conflict, this DPA takes precedence over the Terms of Service with respect to data protection matters.

This DPA applies to Personal Data processed through all channels of the Service, including web chat widgets, voice calls, WhatsApp, SMS, and any documents or knowledge base content uploaded by the Controller that may contain Personal Data.

The Controller is the data controller in respect of Personal Data collected from Data Subjects through the Service. The Controller determines: the categories of Data Subjects and Personal Data processed; the purposes for which Personal Data is processed; and the duration of processing.

Viziqo is the data processor and processes Personal Data solely on documented instructions from the Controller, as set out in this DPA and the Terms of Service. Viziqo does not determine the purpose or means of processing Personal Data on behalf of the Controller.

The Controller warrants and represents that: (a) it has a valid legal basis under applicable data protection law to process and transfer Personal Data to Viziqo for the purposes described in this DPA; (b) it has provided all required notices and obtained all required consents from Data Subjects; (c) its instructions to Viziqo comply with applicable data protection law; (d) it is responsible for the accuracy, quality, and legality of Personal Data submitted to the Service.

Viziqo shall: (a) process Personal Data only on documented instructions from the Controller unless required to do so by applicable law; (b) ensure that persons authorised to process Personal Data are bound by appropriate confidentiality obligations; (c) implement and maintain appropriate technical and organisational security measures as described in Section 7; (d) assist the Controller in responding to Data Subject rights requests; (e) delete or return Personal Data upon termination of the Service, at the Controller's choice; (f) make available all information necessary to demonstrate compliance with this DPA and allow for audits as described in Section 11.

The Controller grants Viziqo general authorisation to engage sub-processors for the provision of the Service. The current list of sub-processors is maintained below and updated when sub-processors are added or replaced.

**Current sub-processors include:**

• OpenAI, L.L.C. (United States) — AI language model inference
• Anthropic, PBC (United States) — AI language model inference
• Google LLC (United States) — AI language model inference and cloud infrastructure
• Twilio Inc. (United States) — Voice calls and SMS messaging
• Plivo Inc. (United States) — Voice calls and SMS messaging (alternative provider)
• Meta Platforms, Inc. (United States) — WhatsApp Business API messaging
• Stripe, Inc. (United States) — Payment processing and billing

Viziqo will notify the Controller of any intended changes to sub-processors by updating this page and notifying affected Customers by email with at least 14 days' notice. The Controller may object to a new sub-processor within this notice period on reasonable data protection grounds. Where the Controller objects and no commercially reasonable alternative is available, the Controller may terminate the relevant part of the Service.

Each sub-processor is subject to data protection obligations equivalent to those in this DPA, including appropriate Standard Contractual Clauses where required.

Viziqo implements and maintains appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:

• Encryption in transit: All data is transmitted over TLS 1.2 or higher.
• Encryption at rest: Personal Data stored in databases and object storage is encrypted at rest using AES-256.
• Access control: Role-based access control (RBAC) restricts access to Personal Data to authorised personnel only.
• Multi-tenancy isolation: Each Controller's data is logically isolated using tenant identifiers on all data tables and separate vector store collections.
• Audit logging: Access to production systems is logged and monitored.
• Vulnerability management: Regular dependency updates and security scanning.
• Incident response: A documented incident response process is maintained.

Viziqo will review and update these measures periodically to account for evolving threats and technological developments.

Where a Data Subject exercises rights under applicable data protection law (including rights of access, rectification, erasure, restriction, portability, and objection), the Controller is responsible for responding to such requests. Viziqo will assist the Controller in fulfilling these obligations by providing the necessary tools and, where technically feasible, by acting on the Controller's documented instructions.

Controllers can export conversation history, delete individual conversations, and remove uploaded documents directly from the Viziqo Assist dashboard. For requests that cannot be fulfilled via the dashboard, contact support@viziqo.com.

In the event of a Personal Data breach affecting data processed under this DPA, Viziqo will: (a) notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach; (b) provide the Controller with sufficient information to meet its notification obligations to supervisory authorities and Data Subjects; (c) cooperate with the Controller and take reasonable steps to mitigate the breach.

Breach notifications will be sent to the email address associated with the Controller's account. Controllers are responsible for notifying the relevant supervisory authority and affected Data Subjects where required by law.

Viziqo's infrastructure and sub-processors operate primarily in the United States. Personal Data transferred from the European Economic Area (EEA) or the United Kingdom to the United States or other third countries is subject to appropriate transfer mechanisms.

Where required by GDPR, Viziqo relies on Standard Contractual Clauses (SCCs) as the transfer mechanism for Personal Data transferred outside the EEA. UK customers may rely on the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs. By using the Service, the Controller agrees to the applicable transfer mechanism.

Controllers may request a copy of the applicable SCCs or IDTA by contacting support@viziqo.com.

Viziqo will make available all information reasonably necessary to demonstrate compliance with this DPA. Upon reasonable written notice (no less than 30 days), Viziqo will permit the Controller or its appointed auditor to audit Viziqo's data processing activities related to the Service, subject to: (a) audits being conducted during normal business hours; (b) the Controller bearing all audit costs; (c) the auditor executing a confidentiality agreement; (d) no more than one audit per calendar year unless required by a supervisory authority.

Viziqo may satisfy audit obligations by providing third-party security certifications or audit reports in lieu of direct access.

Upon expiry or termination of the Service, Viziqo will, at the Controller's election: (a) return all Personal Data to the Controller in a machine-readable format; or (b) securely delete all Personal Data within 30 days.

During the term of the Service, Controllers can delete Personal Data directly via the dashboard. Conversation logs are retained for 12 months by default unless deleted earlier by the Controller. Uploaded documents are retained until deleted by the Controller. Backups containing Personal Data are purged within 90 days of the deletion of the primary data.

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. Nothing in this DPA limits either party's liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; or (c) any liability that cannot be excluded by law.

This DPA shall be governed by the same governing law as the Terms of Service, except where EU or UK data protection law requires otherwise. The parties agree that the courts specified in the Terms of Service shall have jurisdiction over any disputes arising under this DPA, subject to mandatory jurisdiction of supervisory authorities under the GDPR.

This DPA is incorporated by reference into the Terms of Service and is effective for all Controllers using the Service from the date they accept the Terms of Service.

If your organisation requires a countersigned DPA (e.g. for enterprise procurement or compliance purposes), please contact us at support@viziqo.com with the subject line "DPA Request". We will provide a countersigned copy within 5 business days.

Data Protection contact: support@viziqo.com