Data processing (GDPR)

When your organization uses the Virtala platform to process personal data about customers or counterparties, Virtala typically acts as a processor under the EU/UK GDPR, and your organization is the controller. This page summarizes how we approach that relationship. It does not replace a signed Data Processing Agreement (DPA).

Processor commitments

Under our standard DPA we commit, in substance, to:

• process personal data only on documented instructions from you;
• ensure personnel are bound by confidentiality and access personal data only as needed;
• support your obligations toward data subjects, including access, rectification, erasure, and portability where technically feasible;
• assist with your security obligations and with breach notification timelines, taking into account the nature of processing;
• delete or return data at the end of the Services, subject to legal retention requirements;
• make available information reasonably required to demonstrate compliance and allow for audits you mandate, with appropriate confidentiality safeguards.

Subprocessors

We use infrastructure and service providers as described in our Privacy Policy. We will notify you of new categories or material changes where our DPA requires it.

Obtain a DPA

Enterprise customers can request our latest DPA template for signature at legal@virtala.ai.