VYRAL

Data Processing Agreement

Last updated: December 2025

1. Scope

This Data Processing Agreement ("DPA") applies when VYRAL processes personal data on behalf of a customer ("Controller") in connection with the provision of the VYRAL service.

This DPA is incorporated into and forms part of the Terms of Service between VYRAL and the Customer.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on Personal Data
  • "Sub-processor" means any processor engaged by VYRAL to process Personal Data
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679

3. Roles and Responsibilities

The Customer is the Data Controller and determines the purposes and means of processing Personal Data.

VYRAL is the Data Processor and processes Personal Data only on behalf of and under the instructions of the Customer.

4. Subject Matter and Duration

Processing includes: post analytics, drafts, Blueprint data, performance scoring, AI-powered content suggestions, content workflow tools, and user-initiated content publishing to LinkedIn.

Processing will continue for the duration of the service agreement between VYRAL and the Customer.

5. Types of Personal Data

  • Account information (name, email)
  • LinkedIn profile data (public posts, metrics)
  • Content created within VYRAL (drafts, ideas, blueprints)
  • Content published to LinkedIn via VYRAL (user-initiated)
  • Usage data and analytics
  • OAuth tokens for LinkedIn API access (encrypted)

6. Processor Obligations

VYRAL shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure that persons authorized to process Personal Data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Not engage another processor without prior authorization
  • Assist the Controller in responding to data subject requests
  • Assist the Controller in ensuring compliance with GDPR obligations
  • Delete or return all Personal Data upon termination
  • Make available all information necessary to demonstrate compliance
  • Allow for and contribute to audits conducted by the Controller
  • Only publish content to LinkedIn when explicitly requested by the Controller/User

7. Sub-Processors

The Customer authorizes VYRAL to engage the following sub-processors:

  • Supabase – Database hosting and authentication (EU/US)
  • Stripe – Payment processing (US, SCCs in place)
  • AI Model Providers – Content generation (data anonymized)
  • LinkedIn – Content publishing (when user-initiated)
  • Support and monitoring tools – Error tracking and customer support

VYRAL will notify the Customer of any intended changes to sub-processors, giving the Customer an opportunity to object.

8. Security Measures

VYRAL implements:

  • Encryption of Personal Data in transit and at rest
  • AES-256 encryption for OAuth tokens
  • Access controls and authentication
  • Regular security assessments
  • Incident response procedures
  • Employee training on data protection
  • Audit logging for all LinkedIn publish actions

9. Data Subject Rights

VYRAL will assist the Controller in fulfilling its obligation to respond to requests from data subjects exercising their rights under GDPR, including:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object

10. Data Breach Notification

VYRAL will notify the Controller without undue delay upon becoming aware of a Personal Data breach. The notification will include:

  • Description of the nature of the breach
  • Categories and approximate number of data subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

11. International Transfers

Where Personal Data is transferred outside the EEA, VYRAL ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

12. Data Deletion

Upon termination of the service or upon request, VYRAL will delete all Personal Data within 30 days, unless retention is required by applicable law.

Backups are automatically purged according to our retention schedule. We retain nothing beyond legal billing requirements.

13. Audit Rights

VYRAL will make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

14. Liability

Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service.

15. Contact

For questions about this DPA, contact: johan@getvyral.io