Skip to main content

Security

Data Processing Agreement - DPA

This Data Processing Agreement ("DPA") is entered into by Viggo Software GmbH ("Viggotech") and the Viggotech customer identified in the applicable agreement ("Customer") (each a “Party”; collectively the “Parties”). This DPA supplements and forms part of the agreement governing the use of Viggotech’s products and services (the “Agreement”). This DPA takes precedence over conflicting terms in the Agreement solely concerning data protection. Any prior data protection agreement between the Parties is hereby superseded.

  1. Definitions
    Refer to the definitions of GDPR, FADP, CCPA, and other Data Protection Laws, as well as standard terminology such as "Data Subject,” “Personal Data,” “Processing,” "Subprocessor,” “Security Incident,” “Controller,” “Processor,” and “Platform.”
  2. Roles and Scope
    • Viggotech acts as Processor (or Subprocessor) on behalf of Customer.
    • The DPA applies to all Personal Data processed by Viggotech in delivering its services.
    • Viggotech will process data only on documented instructions and as necessary to provide the Platform in compliance with applicable law.
    • Customer remains responsible for compliance with its own legal obligations, providing lawful instructions, and ensuring lawful data transfers to Viggotech.
  3. Data Processing Commitments
    • Viggotech shall not use, sell, share, or retain Personal Data beyond the permitted scope.
    • Confidentiality: All personnel authorized to process Personal Data are bound by confidentiality obligations.
    • Viggotech will assist with Data Subject requests and Data Protection Impact Assessments as legally required.
    • If Viggotech determines it can no longer comply with Data Protection Laws or believes Customer instructions are unlawful, it will notify Customer without delay.
  4. Security Measures
    • Viggotech will implement and maintain administrative, technical, and organizational measures appropriate to the risk of processing, in line with Data Protection Laws and as detailed in Exhibit B (Security Controls).
  5. Security Incidents
    • Viggotech will notify Customer without undue delay upon discovery of a Security Incident affecting Customer’s Personal Data. The notice will include relevant details and proposed mitigation steps.
    • Viggotech will support Customer in fulfilling regulatory reporting and notification obligations arising from such incidents.
  6. Use of Subprocessors
    • Viggotech may engage Subprocessors.
    • Subprocessors are bound by obligations no less protective than those in this DPA.
    • Customer will be notified in advance of any new Subprocessor appointments and may raise objections within 14 days. If no resolution is possible, either Party may terminate the affected services.
  7. International Data Transfers
    • Viggotech and its Subprocessors may process data globally. Transfer mechanisms include the Data Privacy Frameworks, EU SCCs, UK Addendum, and other legally recognized frameworks.
    • The EU SCCs and UK Addendum are incorporated into this DPA, completed as required by law (Modules 2 and 3, Ireland law, Irish courts, etc.).
    • Swiss-specific terms modify the SCCs where applicable to the FADP.
  8. Audit Rights
    • Customer may request documentation once per year to verify compliance.
    • If insufficient, an on-site inspection may be requested with 21 days’ notice, subject to written agreement on scope and cost.
    • Audits must not disrupt business operations and are at the Customer’s expense.
  9. Return or Deletion of Data
    • Upon written request and contract termination, Viggotech will return or delete all Customer Personal Data unless retention is required by law.
  10. Survival and Amendments
    • This DPA survives termination for as long as Viggotech or its Subprocessors process Customer data.
    • Viggotech may update this DPA to comply with legal obligations and will notify Customer. Continued use of services indicates acceptance of updated terms.

For questions regarding this DPA, please contact legal@viggotech.io.

Exhibit A – Annex I to the EU SCCs

A. List of parties

Data exporter(s):

  • Name: Customer, as identified in the Agreement.
  • Address: As provided in the Agreement.
  • Contact details: As provided in the Agreement.
  • Role: Controller or Processor, as relevant.

Data importer(s):

  • Name: Viggotech Software Solutions AG
  • Address: As provided in the Agreement.
  • Contact details: As provided in the Agreement.
  • Role: Processor or Subprocessor, as applicable.

B. Description of transfer:

  • Data subjects: Determined by Customer; may include personnel, customers, business contacts, or end users.
  • Personal data types: Determined by Customer; includes any data submitted through Viggotech’s services.
  • Sensitive data: Permitted at Customer’s discretion. Customer is responsible for applying safeguards.
  • Frequency: Continuous throughout the term of the Agreement.
  • Purpose: To provide Viggotech’s services under the Agreement.
    Retention: As needed to deliver services or comply with legal requirements.
  • Subprocessors: Same processing context and purposes as defined above.

C. Competent Supervisory Authority: Irish Data Protection Commission.

Exhibit B – Data Security Measures

  • Information Security Program: Viggotech maintains up-to-date internal security policies, regularly reviewed.
  • Physical Security: All facilities hosting systems that store or process data are secured with controlled access and intrusion detection.
  • Organizational Policies: Guidelines on data handling, classification, and incident response are in place.
  • Network Security: Firewalls, encryption, and intrusion prevention systems are in use.
  • Access Controls: Role-based, least privilege access to Personal Data. Authorization changes are tightly managed.
  • Malware Protection: Anti-virus and anti-malware software are deployed on all relevant systems.
  • Personnel Training: Employees receive ongoing training and follow security procedures. Subprocessors must uphold the same standards.
  • Business Continuity: Disaster recovery and business continuity plans are implemented and periodically tested.

For questions regarding this DPA, contact legal@viggotech.io.