Data Processing Agreement
Effective Date: July 14, 2026 · Last Updated: July 14, 2026
Draft template — not legal advice. DPAs carry real compliance weight (especially if any clients are subject to GDPR). Have a licensed attorney review, particularly the subprocessor list and cross-border transfer sections, before using this with clients.
This Data Processing Agreement ("DPA") forms part of the service agreement ("Agreement") between Viralize Brand ("Processor," "we," "us") and the client entering into services with us ("Controller," "Client," "you"), and applies to the extent we process personal data on your behalf in connection with the services described in your Statement of Work.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person that is processed by us on your behalf under the Agreement.
"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
"Subprocessor" means any third party engaged by us to process Personal Data on your behalf.
"Data Subject" means the individual to whom Personal Data relates (e.g., your leads, customers, or website visitors).
2. Roles of the Parties
You are the Controller (or "Business" under CCPA) with respect to Personal Data collected through your website, ads, forms, CRM, and AI voice agents. We are the Processor (or "Service Provider" under CCPA), processing Personal Data solely on your documented instructions and for the purposes described in the Agreement.
3. Scope of Processing
We process Personal Data as necessary to deliver the contracted services, which may include:
- Managing contact/lead forms and CRM records
- Operating paid advertising campaigns and conversion tracking (e.g., Meta CAPI)
- Operating AI voice agents and call handling (e.g., appointment booking, call transcripts)
- Sending SMS/email communications on your behalf
- Website hosting and functionality (e.g., form submissions via Supabase/Resend)
Categories of Personal Data typically processed include: name, phone number, email address, IP address, appointment details, and call transcripts/recordings, depending on the services engaged.
4. Our Obligations
We agree to:
- Process Personal Data only on your documented instructions, unless required otherwise by law;
- Ensure personnel authorized to process Personal Data are bound by confidentiality obligations;
- Implement appropriate technical and organizational measures to protect Personal Data against unauthorized access, loss, or disclosure;
- Assist you, where reasonably requested, in responding to Data Subject requests (access, deletion, correction) relating to data we process on your behalf;
- Notify you without undue delay after becoming aware of a Personal Data breach affecting your data;
- Delete or return Personal Data upon termination of the Agreement, except where retention is required by law.
5. Subprocessors
You authorize us to engage the following categories of Subprocessors to deliver services:
- GoHighLevel (GHL) — CRM, automation, SMS/email
- Supabase — Database / backend infrastructure
- Resend — Transactional email delivery
- Retell AI / VAPI — AI voice agent operation
- n8n — Workflow automation
- Cal.com — Appointment scheduling
- Meta, Google — Advertising & conversion tracking
- Payment Processor — Payment processing
- Hosting Provider — Website hosting
We will impose data protection obligations on Subprocessors materially equivalent to those in this DPA and remain responsible for their performance. We will notify you of any intended changes to Subprocessors where reasonably practicable.
6. Cross-Border Data Transfers
Given that we operate from Bangladesh and use service providers based in the United States and other jurisdictions, Personal Data may be transferred and processed outside your country of residence. We will take reasonable steps to ensure such transfers are conducted in compliance with applicable data protection laws.
7. Data Subject Requests
If a Data Subject contacts us directly to exercise a privacy right regarding data we process on your behalf, we will promptly notify you and will not respond directly unless instructed by you or required by law.
8. Security Measures
We maintain reasonable security measures appropriate to the risk, including access controls, encrypted data transmission (where supported by our platforms), and limiting data access to personnel who need it to perform the services.
9. Audits
Upon reasonable written request, and no more than once per year, we will provide information reasonably necessary to demonstrate compliance with this DPA.
10. Liability
Liability under this DPA is subject to the limitation of liability provisions in the underlying Agreement/Terms & Conditions.
11. Term
This DPA remains in effect for as long as we process Personal Data on your behalf under the Agreement.
12. Governing Law
This DPA is governed by the laws of the State of Texas, consistent with the governing law provision in our Terms & Conditions.
13. Contact
For data protection inquiries related to this DPA:
Viralize Brand
Amberkhana, Zalalabad, Sylhet
info@viralizebrand.com
+1 623 279 4404
