Data Processing Addendum
Last revised: April 3, 2026
This Data Processing Addendum ("DPA") forms part of the agreement between the Customer (the "Company") and Vistaly, Inc. (the "Processor") (together the "Parties"), whether that agreement is the Master Subscription Agreement (vistaly.com/msa) or the Terms of Service (vistaly.com/terms-of-service) (in either case, the "Principal Agreement").
For enterprise customers, this DPA may be executed as a standalone addendum to an existing Principal Agreement or is automatically incorporated when Customer signs an Order Form. For self-serve customers, this DPA is incorporated by reference into the Terms of Service and accepted by using the Services.
WHEREAS
(A) The Company acts as a Data Controller with respect to Company Personal Data.
(B) The Company wishes to engage the Processor to process Company Personal Data in connection with the Services.
(C) The Parties seek to implement a data processing addendum that complies with the requirements of applicable Data Protection Laws, including the GDPR and UK GDPR.
(D) The Parties wish to lay down their rights and obligations.
IT IS AGREED AS FOLLOWS:
1. Definitions and Interpretation
1.1 Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meanings:
1.1.1 "DPA" means this Data Processing Addendum and all Annexes;
1.1.2 "Company Personal Data" means any Personal Data processed by a Contracted Processor on behalf of Company pursuant to or in connection with the Principal Agreement;
1.1.3 "Contracted Processor" means the Processor or a Subprocessor;
1.1.4 "Data Protection Laws" means: (a) the GDPR; (b) the UK GDPR and the UK Data Protection Act 2018; (c) the Swiss Federal Act on Data Protection ("FADP"); and (d) to the extent applicable, the data protection or privacy laws of any other country, in each case as amended, replaced, or superseded from time to time;
1.1.5 "EEA" means the European Economic Area;
1.1.6 "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation);
1.1.7 "UK GDPR" means the GDPR as retained in United Kingdom domestic law by the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019;
1.1.8 "Data Transfer" means a transfer of Company Personal Data to a country outside of the EEA (or, in respect of the UK GDPR, outside of the United Kingdom) which does not benefit from an adequacy decision by the relevant authority;
1.1.9 "Services" has the meaning given in the Principal Agreement;
1.1.10 "Subprocessor" means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Company in connection with this DPA;
1.1.11 "Standard Contractual Clauses" or "SCCs" means (a) for transfers subject to the GDPR, the standard contractual clauses annexed to the European Commission's Implementing Decision (EU) 2021/914, Module Two (Controller to Processor), available at vistaly.com/sccs; (b) for transfers subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner's Office ("UK Addendum"); and (c) for transfers subject to the Swiss FADP, the SCCs as recognized by the Swiss Federal Data Protection and Information Commissioner, in each case as amended or replaced from time to time;
1.2 The terms "Controller," "Data Subject," "Member State," "Personal Data," "Personal Data Breach," "Processing," and "Supervisory Authority" shall have the same meaning as in the GDPR (or, where applicable, the UK GDPR), and their cognate terms shall be construed accordingly.
2. Processing of Company Personal Data
2.1 Processor shall: (a) comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and (b) not Process Company Personal Data other than on the Company's documented instructions, unless required by applicable law, in which case the Processor shall (to the extent permitted by law) inform the Company of that legal requirement before Processing.
2.2 The Company instructs Processor to process Company Personal Data as described in Annex I (Description of Processing).
3. Processor Personnel
Processor shall take reasonable steps to ensure the reliability of any employee, agent, or contractor who may have access to Company Personal Data, ensuring that access is limited to those individuals who need it for the purposes of the Principal Agreement, and that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4. Security
4.1 Processor shall implement and maintain technical and organizational security measures as described in Annex II (Technical and Organizational Measures) to protect Company Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, theft, alteration, or disclosure. These measures shall be appropriate to the risk and shall include, as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.2 In assessing the appropriate level of security, Processor shall take into account the risks presented by Processing, in particular from a Personal Data Breach.
5. Subprocessing
5.1 Processor is authorized to use the sub-processors listed at vistaly.com/sub-processors (the "Sub-Processor List").
5.2 Processor shall provide the Company with at least fourteen (14) calendar days' prior written notice before engaging any new sub-processor not on the Sub-Processor List, including the name, location, and nature of processing. If the Company objects on legitimate data protection grounds within that period, the Parties shall negotiate in good faith for seven (7) working days. If no resolution is reached, the Company may terminate the affected Order Form upon written notice, and Processor shall refund a pro-rata portion of prepaid Fees for the unused remainder of the Term.
5.3 Processor shall ensure that each sub-processor is bound by data protection obligations at least as protective as those in this DPA. Processor shall remain liable for the acts and omissions of its sub-processors.
6. Data Subject Rights
6.1 Taking into account the nature of the Processing, Processor shall assist the Company by implementing appropriate technical and organizational measures for the fulfillment of the Company's obligations to respond to Data Subject requests under applicable Data Protection Laws.
6.2 Processor shall: (a) promptly notify the Company if it receives a request from a Data Subject; and (b) not respond to that request except on the Company's documented instructions or as required by applicable law (in which case Processor shall inform the Company before responding, to the extent permitted by law).
7. Personal Data Breach
7.1 Processor shall notify the Company without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data Breach affecting Company Personal Data, providing sufficient information for the Company to meet its obligations under Data Protection Laws.
7.2 Processor shall cooperate with the Company and take reasonable steps as directed by the Company to assist in the investigation, mitigation, and remediation of each Personal Data Breach.
8. Data Protection Impact Assessment
Processor shall provide reasonable assistance to the Company with data protection impact assessments and prior consultations with Supervisory Authorities required under Article 35 or 36 of the GDPR (or equivalent provisions of other Data Protection Laws), solely in relation to Processing of Company Personal Data.
9. Deletion or Return of Company Personal Data
9.1 Upon termination or expiration of the Principal Agreement, Processor shall, at the Company's election, return or delete all Company Personal Data within sixty (60) days, unless retention is required by applicable law. The Company may export its data during the 60-day period described in the data export provisions of the Principal Agreement.
10. Audit Rights
10.1 Upon request and no more than once per year, Processor shall provide the Company with a copy of its most recent SOC 2 Type II report (or equivalent third-party audit report) covering the Services. If such report does not reasonably address the Company's data protection concerns, or in the event of a Personal Data Breach or reasonable evidence of non-compliance, the Company (or its designated independent auditor, subject to reasonable confidentiality obligations) may conduct an audit of Processor's processing activities with at least thirty (30) days' prior written notice. Audits shall be conducted during normal business hours and shall not unreasonably interfere with Processor's operations. The Company shall bear the costs of any such audit unless the audit reveals material non-compliance by Processor.
11. International Data Transfers
11.1 The Company acknowledges that Vistaly, Inc. is certified under the EU-U.S. Data Privacy Framework ("DPF"), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework, as administered by the U.S. Department of Commerce. Vistaly's current DPF certification can be verified at dataprivacyframework.gov. Transfers of Company Personal Data from the EEA, United Kingdom, or Switzerland to the United States shall be made in reliance on the DPF and the applicable adequacy decisions of the European Commission, UK Secretary of State, or Swiss Federal Council, as applicable.
11.2 In the event that the DPF (or any relevant adequacy decision) is invalidated, suspended, or otherwise ceases to provide a lawful basis for transfers of Company Personal Data, the Standard Contractual Clauses shall automatically apply to such transfers as follows:
(a) For transfers subject to the GDPR: Module Two (Controller to Processor) of the SCCs shall apply, with the Company as data exporter and Processor as data importer. For Clause 7, the optional docking clause shall apply. For Clause 9, Option 2 (general written authorization with 14-day notice) shall apply. For Clause 11, the optional language shall not apply. For Clause 17, the SCCs shall be governed by the laws of the EU Member State in which the Company is established. For Clause 18, disputes shall be resolved before the courts of the EU Member State in which the Company is established.
(b) For transfers subject to the UK GDPR: the UK Addendum to the EU SCCs shall apply, with the mandatory information tables completed as set forth in Annex I.
(c) For transfers subject to the Swiss FADP: the SCCs shall apply with the modifications required by the Swiss Federal Data Protection and Information Commissioner.
11.3 Processor shall maintain its DPF certification for the duration of this DPA. In the event Processor's DPF certification lapses or is withdrawn, Processor shall promptly notify the Company, and the SCCs shall apply as set forth in Section 11.2 above.
11.4 Processor shall conduct and document a transfer impact assessment where required by the SCCs (Clause 14) and shall implement supplementary measures as necessary to ensure an essentially equivalent level of protection for Company Personal Data.
12. General Terms
12.1 Confidentiality. Each Party must keep this DPA and information it receives about the other Party confidential. Where the Principal Agreement includes confidentiality obligations, those obligations shall apply to this DPA. Where the Principal Agreement does not include specific confidentiality obligations, each Party shall treat the other Party's Confidential Information with at least the same degree of care it uses to protect its own confidential information, but in no event less than reasonable care.
12.2 Notices. All notices under this DPA shall be given in accordance with the notice provisions of the Principal Agreement.
12.3 Limitation of Liability. The liability of the Processor under this DPA is subject to, and not in addition to, the limitations set forth in the Principal Agreement. Where the Principal Agreement provides for an Enhanced Cap applicable to data protection obligations, such Enhanced Cap shall apply to this DPA.
13. Governing Law and Jurisdiction
13.1 This DPA is governed by the laws of the Commonwealth of Virginia, USA; provided that, to the extent required by mandatory provisions of applicable Data Protection Laws, the relevant Data Protection Law shall apply.
13.2 Disputes under this DPA shall be resolved in accordance with the governing law and jurisdiction provisions of the Principal Agreement.
14. Amendments
14.1 Except as provided in this Section 14.1, this DPA may only be amended by written agreement of both Parties. Such amendments will comply with applicable Data Protection Laws. Processor may update this DPA to reflect changes required by applicable Data Protection Laws upon thirty (30) days' written notice to the Company.
Annex I — Description of Processing
| Element | Description |
|---|---|
| Subject Matter | Processing of Personal Data in connection with the provision of the Vistaly platform for organizing product strategy and customer feedback. |
| Duration | For the Term of the Principal Agreement plus the 60-day data export period. |
| Nature and Purpose | Storage, organization, retrieval, and display of Company Personal Data as necessary to provide the Services; authentication and access management; analytics (on Usage Data only, in anonymized/aggregated form); backup and disaster recovery. |
| Types of Personal Data | Name, email address, job title, profile photo, IP address, browser/device information, authentication credentials (hashed), and any Personal Data that Customer or Authorized Users input into the Services. |
| Categories of Data Subjects | Customer's employees, contractors, and agents who are Authorized Users; individuals whose Personal Data is included in Customer's Service Data (e.g., customer feedback participants, interviewees). |
| Data Exporter | The Company (Customer), acting as Controller. |
| Data Importer | Vistaly, Inc., acting as Processor. |
Annex II — Technical and Organizational Security Measures
| Measure | Description |
|---|---|
| Encryption | Data encrypted in transit (TLS 1.2+) and at rest (AES-256). Database encryption at rest using AWS-managed keys. |
| Access Controls | Role-based access controls with principle of least privilege. Multi-factor authentication required for all employees with access to production systems. Access reviews conducted quarterly. |
| Network Security | Web application firewall (WAF), intrusion detection/prevention systems, network segmentation between production and non-production environments. Regular vulnerability scanning. |
| Data Backup & Recovery | Automated daily backups with 30-day retention. Backups encrypted and stored in geographically separate AWS regions. Recovery Point Objective (RPO): 24 hours. Recovery Time Objective (RTO): 12 hours. |
| Incident Management | Documented incident response plan with defined roles, escalation procedures, and post-incident review. Breach notification procedures aligned with 72-hour requirement. |
| Personnel Security | Background checks on employees with access to Personal Data. Mandatory security awareness training upon hire and annually thereafter. Confidentiality agreements for all personnel. |
| Physical Security | Cloud infrastructure hosted by Amazon Web Services (AWS) data centers that maintain ISO 27001, SOC 2 Type II, and SOC 3 certifications, among others. Vistaly does not maintain physical data center infrastructure; physical security controls — including facility access, surveillance, and environmental protections — are managed entirely by AWS in accordance with its compliance programs. |
| Business Continuity | Documented business continuity and disaster recovery plans. Redundant infrastructure to minimize single points of failure. |
| Vendor Management | Third-party risk assessments conducted before engaging sub-processors. Sub-processors required to maintain security standards at least as protective as those described herein. |
Acceptance
Self-serve customers: This DPA is accepted by using the Services. By creating an account or continuing to use the Services, Customer agrees to be bound by the terms of this DPA. No separate signature is required.
Enterprise customers: To execute this DPA as a standalone addendum, please contact legal@vistaly.com to request a countersigned copy.