Data Processing Agreement (DPA) for STARS Portal

(Supplier Tracking and Reporting System)

Last modified: August 05, 2025

1. Introduction

This Data Processing Agreement (“Agreement”) forms part of the Terms of Service or other written or electronic agreement between VIVA USA INC (“Processor”) and the customer using the SaaS services (“Controller”).

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation performed on personal data, whether or not by automated means.
  • Controller: The entity that determines the purposes and means of processing personal data.
  • Processor: The entity which processes personal data on behalf of the Controller.

3. Subject Matter and Duration

This Agreement governs the Processor’s processing of Personal Data on behalf of the Controller in connection with the SaaS services. It remains in effect for the duration of the service agreement.

4. Nature and Purpose of Processing

The Processor will process Personal Data solely for the purpose of providing, maintaining, and supporting the SaaS services in accordance with the Controller’s documented instructions.

5. Categories of Data Subjects and Data

  • Data Subjects: Employees, suppliers, customers, and other applicable users of the Controller.
  • Data: Names, email addresses, contact details, Tax IDs, IP addresses, and other usage-related data necessary for SaaS functionality.

6. Controller Obligations

The Controller shall ensure that it has the necessary legal basis to process Personal Data and to provide such data to the Processor for processing as described in this Agreement.

7. Processor Obligations

The Processor shall:

  • Process data only in accordance with documented instructions.
  • Implement appropriate technical and organizational security measures.
  • Ensure that personnel with access to data are bound by confidentiality obligations.
  • Assist the Controller in fulfilling data subject rights.
  • Notify the Controller of any data breaches without undue delay.
  • Return or delete data upon termination of services.

8. Subprocessors

The Controller authorizes the use of Subprocessors. The Processor shall ensure Subprocessors are contractually bound to similar data protection obligations. A list of current Subprocessors is available upon request.

9. International Transfers

The Processor shall not transfer Personal Data outside the jurisdiction unless adequate safeguards are in place, such as Standard Contractual Clauses or other approved mechanisms.

10. Data Subject Rights

The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under applicable data protection laws.

11. Security Measures

The Processor shall implement appropriate measures to protect Personal Data, including:

  • Data encryption
  • Secure access controls
  • Regular vulnerability assessments
  • Business continuity and disaster recovery procedures

12. Audit Rights

The Controller may conduct audits or inspections to verify the Processor’s compliance with this Agreement, subject to reasonable notice and confidentiality.

13. Liability

Each party’s liability under this Agreement shall be subject to the limitations and exclusions of liability set out in the underlying service agreement.

14. Termination

Upon termination of the services, the Processor shall, at the Controller’s choice, return or securely delete all Personal Data, unless required by law to retain it.

15. Governing Law

This Agreement shall be governed by and construed in accordance with the laws of the State of Illinois.

16. Contact Us

For questions about this policy or to exercise your privacy rights, contact us at:

VIVA USA INC
3601 Algonquin Road, Suite 425,
Rolling Meadows, IL 60008
Email: support@starssmp.com
Phone: (877) 557 5258