Revised April 1, 2024
This Data Processing Addendum (“DPA”) forms part of the Terms of Service (as defined herein) between "Vidual" EOOD, UIC 207571092, a limited liability company incorporated under the laws of the Republic of Bulgaria (“Vidual”) and the entity entering the Agreement as a subscriber of any of Vidual’s Products (“Subscriber”, “You”).
This DPA is incorporated into, and supplemental to, the Terms of Service and sets out the roles and obligations that apply when Vidual processes Subscriber Personal Data (as defined herein) on behalf of Subscriber in the course of providing any of Vidual’s Products (“Products”).
All capitalized terms not defined in this DPA shall have the same meanings set forth in the Agreement.
1.1 For the purposes of this DPA:
2.1 Scope. This DPA applies only to Subscriber Personal Data that is subject to Applicable Data Protection Law and is processed by Vidual in its capacity as a Processor (or Service Provider) for the purpose of providing the Products. The subject matter, duration, nature and purposes of processing, and the types of Personal Data and categories of data subjects are described in Annex 1 of this DPA.
2.2 Roles of the Parties. With respect to the processing of Subscriber Personal Data (including any Subscriber Personal Data accessed via integrations with Third Party Services) and for the purposes of Applicable Data Protection Laws, Subscriber is the Controller (or Business, as applicable) and Vidual is the Subscriber’s Processor (or Service Provider, if applicable).
2.3 Subscriber’s Obligations. Subscriber shall: (a) comply with its obligations as a Controller (or Business) under all applicable laws relating to privacy and data protection in respect of its use of the Services and any processing instructions it issues to Vidual; (b) have sole responsibility for the accuracy, legality, and quality of Subscriber Personal Data; (c) ensure that Subscriber has the right to transfer, or provide access to, Subscriber Personal Data to Vidual for processing pursuant to the Agreement and this DPA; and (d) use commercially reasonable efforts to not disclose (nor permit any data subject to disclose) any Sensitive Information (as defined in the Agreement), Sensitive Personal Information, or special categories of data to Vidual for processing.
2.4 Vidual’s Obligations. Vidual shall process Subscriber Personal Data only for the purposes described in the Agreement and in accordance with the lawful, documented instructions of Subscriber (including the instructions of any users accessing the Services on Subscriber’s behalf) as set out in the Agreement, this DPA or otherwise in writing. Except where required by Applicable Data Protection Laws, Vidual shall not: (a) sell or share the Subscriber Personal Data except as explicitly instructed by Subscriber; (b) retain, use, or disclose Subscriber Personal Data for any purpose other than for the specific purpose of performing the Services in accordance with the Agreement and this DPA; (c) retain, use, or disclose the Subscriber Personal Data for a commercial purpose other than providing the Services; (d) retain, use, or disclose the Subscriber Personal Data outside of the direct business relationship between Vidual and Subscriber; or (e) combine Subscriber Personal Data with Personal Data that it receives from, or on behalf of, another person or persons, or collects from Vidual’s own interaction with the Consumer; provided that Vidual may combine Personal Data to perform any business purpose, as defined in the CPRA. Vidual certifies that it understands these restrictions and will comply with them.
2.5 Remediation. Subscriber may take reasonable and appropriate steps to ensure that Vidual uses the Subscriber Personal Data that it received from, or on behalf of, the Subscriber in a manner consistent with the Subscriber’s obligations under the Applicable Data Protection Laws. Subscriber also has the right, upon reasonable notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Subscriber Personal Data; provided such steps shall not interfere with Vidual’s regular business operations, shall not require Vidual to disclose any trade secrets or confidential information of Vidual, its customers or its service providers, contractors or third parties, and that Subscriber shall bear all related expenses, including any expenses related to business interruptions or other indirect expenses.
3.1 Security Measures. Vidual shall implement and maintain appropriate technical and organizational measures designed to protect Subscriber Personal Data from a Security Incident and to preserve the security, confidentiality, and integrity of Subscriber Personal Data, as further described in Annex II of this DPA. Vidual may update or modify its security measures from time to time, provided that such updates or modifications do not materially decrease the overall security of the Services provided to Subscriber.
3.2 Confidentiality Obligations. Vidual shall ensure that any personnel that it authorizes to process the Subscriber Personal Data shall be subject to a duty of confidentiality.
3.3 Security Incidents. Vidual shall: (a) notify Subscriber without undue delay after becoming aware of a Security Incident; (b) take commercially reasonable steps to assist in the investigation, mitigation, and remediation of such Security Incident; and (c) provide reasonable information and cooperation to Subscriber so that Subscriber can fulfill any Security Incident reporting obligations it may have under Applicable Data Protection Laws. Notwithstanding the foregoing, to the extent permitted under applicable law, Vidual will not disclose any information: (i) that it deems a trade secret, (ii) that is confidential or proprietary in nature, or (iii) over which it intends to assert attorney-client privilege or any similar privilege or protection. Vidual shall not identify Subscriber in any public disclosure regarding a Security Incident involving Subscriber Personal Data without Subscriber’s prior written consent; provided that Vidual may publicly acknowledge or disclose the occurrence of a Security Incident in a manner that does not identify Subscriber.
4.1 Sub-processors. Subscriber agrees that Vidual may engage Sub-processors; provided that:
4.2 Objection to Sub-processors. Subscriber may object prior to Vidual’s appointment or replacement of a Sub-processor provided such objection is based on reasonable grounds relating to data protection. In such event, the parties shall cooperate in good faith to reach a resolution and, if such resolution cannot be reached, then Vidual, at its discretion, will either not appoint or replace the Sub-processor or will permit Subscriber to suspend or terminate the affected Service and provide Subscriber with a pro-rated refund of any prepaid unused fees under the Agreement.
5.1 Restricted Transfers. The parties agree that when the transfer of Subscriber Personal Data from Subscriber to Vidual is a Restricted Transfer and European Data Protection Laws require that appropriate safeguards are put in place, such transfers shall be subject to Standard Contractual Clauses, which shall be deemed incorporated by reference and form an integral part of this DPA as described in this Section.
5.2 EU GDPR Transfers. In relation to Restricted Transfers of Subscriber Personal Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:
5.3 FADP Transfers. In relation to Restricted Transfers of Subscriber Personal Data that is protected by the FADP, the EU SCCs will apply completed as provided in Section 5.2 above, with the following changes:
5.4 UK GDPR Transfers. In relation to Restricted Transfers of Subscriber Personal Data that is protected by the UK GDPR:
6.1 Data subject and consumer rights. Vidual shall provide reasonable assistance to Subscriber, at Subscriber’s expense, to enable Subscriber to respond to requests from data subjects and/or Consumers seeking to exercise their rights under Applicable Data Protection Law. Vidual shall promptly inform Subscriber in the event such request is made directly to Vidual. Subscriber authorizes Vidual to respond to requests from data subjects or Consumers seeking to exercise their rights under Applicable Data Protection Law to clarify and/or re-direct requests to Subscriber or third-party service providers, including to inform data subjects or Consumers that Vidual is the Processor/Service Provider acting on behalf of a Controller/Business, including naming Subscriber as the Controller/Business.
6.2 Data protection impact assessments. Taking into account the nature of the processing and the information available to Vidual, Vidual shall provide reasonable assistance needed to fulfil Subscriber’s obligation under Applicable Data Protection Law to carry out data protection impact assessments and prior consultations with supervisory authorities; provided that Vidual shall not be liable for any failure of Subscriber to comply with Subscriber’s own obligations under Applicable Data Protection Law. Vidual will make available, at Subscriber’s expense, all information reasonably required by Subscriber to illustrate compliance with the Applicable Data Protection Laws.
7.1 Standards Audits. Vidual will be assessed against industry security frameworks or standards including, but not limited to, SOC 2 standards. Upon request and no more than once per calendar year, Vidual shall provide Subscriber a summary copy of Vidual’s most recent certified audit report to Subscriber; provided that such report shall be subject to the confidentiality terms under the Agreement.
7.2 Compliance Audits. Upon Subscriber’s reasonable request, and no more than once per calendar year, Vidual will make available for Subscriber’s inspection and audit copies of certifications, records or reports demonstrating Vidual’s compliance with this DPA. In the event that Subscriber reasonably determines that it must inspect Vidual’s premises or equipment for the purposes of this DPA, then no more than once per calendar year, Subscriber may conduct such audit at Subscriber’s expense through an Independent Auditor. Before the commencement of any such on-site inspection, Subscriber and Vidual shall mutually agree on reasonable timing, scope, and security controls applicable to the audit (including without limitation restricting access to Vidual’s trade secrets and data belonging to Vidual’s other customers). Any inspection will be of reasonable duration, will not unreasonably interfere with Vidual’s day-to-day operations, and will be limited in scope to Vidual’s Processing of Subscriber Personal Data.
7.3 Independent Auditors. All Independent Auditors are required to enter into a non-disclosure agreement containing confidentiality provisions reasonably acceptable to Vidual and intended to protect Vidual’s and its customers’ confidential and proprietary information. Subscriber will make (and ensure that any Independent Auditor makes) reasonable endeavors to avoid causing any damage, injury or disruption to Vidual’s premises, equipment, personnel and business in the course of such an audit. Subscriber will be solely responsible for any and all costs arising from or related to any damage, injury, or disruption to Vidual’s premises, equipment, personnel, or business caused by an Independent Auditor in the course of such audit.
8.1 Data Retention. Unless otherwise instructed by Subscriber, Vidual may retain Subscriber Personal Data for up to thirteen (13) months after termination of the Agreement for the purposes of future account reactivation. Any confidentiality obligations and use restrictions in the Agreement and this DPA will continue to apply to such Subscriber Personal Data for the duration of retention.
8.2 Data Deletion and Return. Subject to Section 8.1, Vidual shall (at Subscriber’s election) delete or return to Subscriber the Subscriber Personal Data in Vidual’s possession upon Subscriber’s written request at the termination or expiry of the Agreement. The parties agree that the certification of deletion of Personal Data that is described in Clause 16(d) of the EU SCCs shall be provided by Vidual to Subscriber only upon Subscriber’s request. Notwithstanding the foregoing, Vidual may retain copies of such Subscriber Personal Data as necessary to comply with applicable law or Vidual’s data retention policy.
9.1 Incorporation. This DPA is incorporated into and forms part of the Terms of Service. Except as amended by this DPA, the Terms of Service will remain in full force and effect. For matters not addressed under this DPA, the terms of the Agreement apply.
9.2 Conflicts. If there is a conflict between this DPA and the Terms of Service, the DPA will control to the extent necessary to resolve the conflict. In the event of a conflict between the terms of the DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will control to the extent necessary to resolve the conflict.
9.3 Governing Law. This DPA shall be governed by, and construed in accordance with, the laws of the jurisdiction stipulated in the Terms of Service, and the courts of the jurisdiction stipulated in the Terms of Service shall have exclusive jurisdiction to hear any dispute or other issue arising out of, or in connection with, this DPA, except where otherwise required by Applicable Data Protection Law or by the jurisdictional provisions set forth in the applicable Standard Contractual Clauses.
9.4 Modifications. Subscriber agrees that Vidual may modify this DPA at any time provided Vidual may only modify the Standard Contractual Clauses (a) to incorporate any new version of the Standard Contractual Clauses (or similar model clauses) that may be adopted under European Data Protection Law or (b) to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency. If Vidual makes any material modifications to this DPA, Vidual shall provide Subscriber with at least ten (10) days’ notice (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect by either: (a) sending an email to the email address of the designated account owner in Subscriber’s Services account; or (b) alerting Subscriber via the user interface. If Subscriber reasonably objects to any such change, Subscriber may terminate the Agreement by giving written notice to Vidual within ten (10) days of notice from Vidual of the change.
10.1 By clicking the "I Agree" checkbox when registering an account in the Vidual app or on the Vidual website, you acknowledge that you have read, understood, and agree to be bound by the terms and conditions of this agreement. You further agree that your electronic acceptance of these terms constitutes a legally binding contract between you and Vidual, and that you have the authority to enter into this agreement. If you do not agree to these terms, please refrain from clicking "I Agree" and exit this page.
This Annex I forms part of the DPA and describes the processing that Vidual will perform on behalf of the Subscriber. Capitalized terms in Annex I shall have the meaning assigned to them in the Agreement and DPA.
Name:
Each of the Subscriber entities identified in the Agreement.
Address:
The addresses of each of the Subscriber entities identified in the Agreement.
Activities relevant to the data transferred under the SCCs:
Receipt of the Services
Signature and date:
This Annex I shall be deemed executed upon execution of the DPA.
Role (controller/processor):
Controller
Name:
Vidual EOOD
Address:
239b Aleksandar Stamboliyski Blvd., floor 2, 1309 Sofia, Bulgaria
Contact person’s name, position and contact details:
Data protection enquiries can be addressed to: privacy@vidual.io
Activities relevant to the data transferred under the SCCs:
Receipt of the Services
Signature and date:
This Annex I shall be deemed executed upon execution of the DPA.
Role (controller/processor):
Controller
Categories of data subjects whose personal data is transferred:
The Personal Data processed concerns users of the Products (typically, employees or contractors of Subscriber authorized to use the Products) and individual users who interact with the manuals and materials, which are operated by Subscriber in their account in the Products.
Categories of personal data transferred:
Account user data (email, password, display name); profile picture (optional, only if the user elects to upload one); log data (user ID, device ID, IP address); user-generated content; other data (personally identifiable information shared by users when using the Product).
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfer or additional security measures:
Vidual does not intentionally collect or transfer any sensitive data in relation to these data subjects and does not require this data to operate the Products.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
Continuous for the duration of the Terms of Service (subscription).
Nature of the processing:
Collection, storage, organization, modification, retrieval, disclosure, communication, and other uses in the performance of the Services as set out in the Agreement.
Purpose(s) of the data transfer and further processing:
Processing to provide the products as set out in the Agreement, including as described below:
- Authentication purposes and ensuring only subscribed clients with valid licenses are using our Products.
- Sale, support, development, and analytics of our Products.
- Usage of aggregated data about your use of our Products and Services for the purpose of making all our products and services better.
- Marketing and advertising activities, including sending you marketing by email and phone, if the legal requirements for digital marketing are met.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
Personal Data will be retained in accordance with Section 8 of the DPA.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
Processing activities in performance of the Services, as set out in the Agreement, including providing access to the Services. Personal Data will be retained in accordance with Section 8 of the DPA.
Identify the competent supervisory authority/ies (e.g. in accordance with Clause 13 EU SCCs):
Where the EU GDPR applies, the competent supervisory authority shall be the Bulgarian Commission for Personal Data Protection. Where the UK GDPR applies, the competent supervisory authority shall be the UK Information Commissioner’s Office (ICO). Where the FADP applies, the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner.
This Annex II forms part of the DPA and describes the security standards and practices utilized by Vidual in providing the Products to Subscriber. Capitalized terms in Annex II shall have the same meaning assigned to them in the Agreement and DPA.
1.1 Information Security Policies. Vidual maintains information security policies that are reviewed at least annually and revised whenever material changes are made to the systems or procedures that access or utilize Subscriber Personal Data. All employees must affirm their responsibilities in protecting Subscriber Personal Data set forth in such policies as a condition of employment.
1.2 Identity and Access Management. Access to Subscriber Personal Data is granted under the principle of least privilege. Only authorized Personnel have access to Subscriber Personal Data. Vidual restricts access to the production environments to designated Vidual employees based on documented permissions as defined in a role-based user access matrix.
1.3 Authentication. Access to Vidual systems, tools, services, and endpoints is subject to password standards in conjunction with multi-factor authentication or integration into our central identity provider, which also enforces multi-factor authentication.
1.4 Encryption At Rest and In Transit. All Subscriber Personal Data, including backups, is encrypted at rest using the AES-256 specification. All communications over public networks with Vidual’s application and API utilize TLS 1.2 or greater.
1.5 Vulnerability Management. Vidual regularly scans systems and applications that contain Subscriber Personal Data for common vulnerabilities. Vidual conducts application security code analysis to ensure that the Services are not vulnerable to known attacks and remediates high-severity issues in a reasonable timeframe.
1.6 Penetration Testing. Vidual contracts with reputable penetration testing vendors to conduct penetration testing no less than once per year.
1.7 Intrusion Detection System (IDS). Vidual utilizes an intrusion detection system to detect, evaluate, and respond to security threats and unusual system activity. Alerts are sent to security Personnel who are available to respond on a 24/7 basis.
1.8 Data Center and Physical Security. The Services are hosted by AWS in world-class hosting facilities that are secure, highly available, and redundant. More information regarding AWS’s data center and physical security standards can be found at: https://aws.amazon.com/compliance/data-center/controls
1.9 Disaster Recovery and Backups. Vidual maintains a disaster recovery and business continuity plan which is reviewed and updated at least annually. Backups are taken frequently, encrypted in transit and at rest, and are tested regularly.
2.1 Personnel Security. Vidual ensures that all Personnel take appropriate security measures to maintain the confidentiality, integrity, and availability of personal data. Vidual maintains protocols designed to ensure that Personnel follow established security policies. Vidual employs appropriate technical and organizational measures to ensure Personnel conduct themselves in accordance with established company guidelines and policies. Disciplinary procedures are applied if Personnel fail to adhere to relevant policies.
2.2 Sub-processor Security. Before engagement, all Sub-processors must go through an internal vendor review and approval process which includes review by Vidual’s security, legal, privacy, and finance teams. The Vidual security team performs due diligence of our Sub-processors on an annual basis to ensure continued compliance with information security controls.
3.1 Multi-factor Authentication. The Services support multi-factor authentication (MFA) apps that implement the Time-based One-time Password (TOTP) algorithm for generating passcodes.
3.2 Single Sign On. The Services support single sign-on (SSO) with identity providers that support the SAML 2.0 standard.
3.3 Secure Credentials. Vidual account passwords are salted and hashed using industry-standard algorithms.
4.1 Security Incident Policies. Vidual maintains an incident response plan, an incident handling and notification policy, and other supporting procedures based on NIST standards. These policies ensure consistent classification, documentation, response, and notification for Security Incidents in accordance with Vidual’s commitment to data privacy and security.