Data Processing Addendum

Last updated: July 15, 2026

This Data Processing Addendum (the "DPA") forms part of the Viclaro Terms of Service between you ("Customer" or "Controller") and Viclaro ("we", "us", "Processor") and governs our processing of Customer Personal Data on your behalf. Capitalized terms not defined here take their meaning from our Terms of Service and Privacy Policy.

"Personal Data", "Controller", "Processor", "Data Subject", "Processing", and "Sub-processor" have the meanings given in the EU General Data Protection Regulation 2016/679 ("GDPR") and, where applicable, the UK GDPR, the California Consumer Privacy Act ("CCPA"), and equivalent laws in other jurisdictions.

1. Roles and Scope

Customer is the Controller (or, where applicable, Processor acting on behalf of a third-party controller) of the Personal Data it submits to the Service. Viclaro is a Processor acting on Customer's documented instructions, which are set by (a) the Terms of Service, (b) Customer's configuration of the Service, and (c) any additional written instructions Customer sends us.

Viclaro will only Process Customer Personal Data for the purpose of providing the Service, complying with applicable law, or as further instructed by Customer in writing.

2. Categories of Data and Data Subjects

Categories of Personal Data: account identifiers (name, work email), authentication data, IP addresses, usage logs, and any Personal Data contained in URLs, pages, or documents Customer submits for AI-readiness analysis.

Categories of Data Subjects: Customer's authorized users; individuals whose Personal Data appears in content submitted by Customer for analysis.

3. Confidentiality

Viclaro ensures that personnel authorized to Process Customer Personal Data are bound by written confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

4. Security Measures (Art. 32 GDPR)

Viclaro maintains technical and organizational measures appropriate to the risk, including:

  • TLS 1.2+ encryption for data in transit
  • At-rest encryption for databases and backups (managed by our infrastructure providers)
  • Access controls with role-based permissions and least-privilege defaults
  • Audit logging of privileged actions
  • Regular backup and disaster recovery testing
  • Vendor security review before onboarding new Sub-processors

5. Sub-processors

Customer authorizes Viclaro to engage the Sub-processors listed below to Process Customer Personal Data on the terms of this DPA. Each Sub-processor is bound by data-protection obligations no less protective than those in this DPA.

Sub-processor Purpose Location
DigitalOcean Application hosting, managed database, object storage United States
Stripe Payment processing, subscription management United States (EU DPF certified)
Google (Gmail SMTP) Transactional and outreach email delivery United States (EU DPF certified)
OpenAI, Anthropic, Google (Gemini), Perplexity, OpenRouter AI recommendation-visibility probes; prompts do not include Personal Data unless Customer submits it in scan content United States
Cloudflare Bot mitigation on public forms (Turnstile) United States

Viclaro will notify Customer of any intended addition or replacement of Sub-processors by updating this page at least fifteen (15) days before onboarding the new Sub-processor. Customer may object on reasonable data-protection grounds by writing to [email protected] within that window.

6. International Data Transfers

Where Viclaro transfers Personal Data from the European Economic Area, United Kingdom, or Switzerland to a country not recognized as offering an adequate level of protection, we rely on (a) the EU–US Data Privacy Framework where the recipient is certified, (b) the UK–US Data Bridge, or (c) the European Commission's Standard Contractual Clauses (Module 2 or Module 3 as appropriate), which are hereby incorporated by reference into this DPA.

7. Data Subject Rights

Viclaro will, insofar as reasonably possible and taking into account the nature of the Processing, assist Customer through appropriate technical and organizational measures to fulfill Customer's obligation to respond to Data Subject rights requests under applicable law (access, rectification, erasure, restriction, portability, objection). Data Subjects should direct requests to the Controller (Customer); if we receive a request directly, we will forward it to Customer without undue delay.

8. Personal Data Breach Notification

Viclaro will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. Notification will include, to the extent known: the nature of the breach, categories and approximate number of Data Subjects and records concerned, likely consequences, and measures taken or proposed.

9. Data Protection Impact Assessments

Where required under Articles 35 and 36 GDPR, Viclaro will provide Customer with reasonable cooperation and assistance for data protection impact assessments and prior consultation with supervisory authorities.

10. Return or Deletion of Data

On termination or expiration of the Service, Viclaro will, at Customer's choice, delete or return all Customer Personal Data and delete existing copies within thirty (30) days, except to the extent applicable law requires continued retention. Backups are cycled out on our standard rotation, at most ninety (90) days.

11. Audits

Viclaro will make available to Customer, on written request, all information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR. Where a Customer reasonably requires additional information, Viclaro may charge a reasonable fee for on-site audits, which must be scheduled at least thirty (30) days in advance and conducted during normal business hours in a manner that does not interfere with Viclaro's operations.

12. Order of Precedence

In the event of a conflict between this DPA and the Terms of Service or Privacy Policy with respect to the Processing of Customer Personal Data, this DPA prevails.

13. Contact

Privacy questions and DPA-related notices should be sent to [email protected].