Data Processing Agreement
1. Parties and application
Effective July 12, 2026. This Data Processing Agreement (“DPA”) is between the customer identified by the Vivd account, order, or offer (“Controller”) and Vivd Solutions, Dweerblöcken 4, 22393 Hamburg, Germany (“Processor”). It forms part of the hosted Vivd contract whenever Vivd processes personal data on the Controller's behalf. Using the processor features constitutes acceptance of this DPA; an individually signed DPA takes precedence.
2. Subject, duration, nature, and purpose
Processing covers hosting, editing, generation, publishing, form and plugin operation, support, security, backups, and deletion of customer website and project data for the duration of the hosted service and any documented return, deletion, backup, or legal-retention period.
3. Data and data subjects
Data may include account identifiers, contact details, prompts, website copy, project files and assets, visitor submissions, newsletter or booking data, technical identifiers, logs, support communications, and any personal data uploaded or configured by the Controller. Data subjects may include the Controller's users, staff, customers, prospects, website visitors, subscribers, booking guests, and other persons represented in customer content.
4. Controller instructions and duties
The Processor will process personal data only on documented instructions, including the contract, product configuration, support instructions, and this DPA, unless Union or Member State law requires otherwise. The Controller is responsible for lawful instructions, legal bases, transparency, data accuracy, access control, retention choices, and ensuring that special-category or high-risk data is not submitted unless expressly supported and lawfully configured.
5. Confidentiality and security
Persons authorized to process data are bound by confidentiality. Vivd applies measures appropriate to risk, including tenant and access controls, encryption in transit, credential and secret controls, backups, logging, vulnerability and dependency management, incident monitoring, restricted infrastructure access, and restoration procedures. Security measures evolve with risk and technology without materially reducing protection.
6. Subprocessors and transfers
The Controller gives general authorization for the subprocessors listed on the Subprocessors page. Vivd imposes equivalent data-protection obligations and remains responsible for their processor activities. Material changes are published there; the Controller may object on documented data-protection grounds. Transfers outside the EEA use an adequacy decision, EU Standard Contractual Clauses, or another lawful mechanism as required.
7. Assistance, incidents, and rights
Taking account of the processing, Vivd will reasonably assist with data-subject requests, security, breach assessment and notification, data-protection impact assessments, prior consultation, and compliance information. Vivd will notify the Controller without undue delay after becoming aware of a personal-data breach affecting Controller data and provide available information needed for the Controller's obligations.
8. Return, deletion, and audit
At the end of service, Vivd will delete or return personal data at the Controller's choice where technically available, except where law requires retention. Residual backups are isolated and expire through normal rotation. Vivd will provide information reasonably necessary to demonstrate compliance and permit proportionate audits by the Controller or an independent auditor, subject to confidentiality, security, reasonable notice, and avoidance of disruption or exposure of other customers.
9. Priority and contact
If this DPA conflicts with the Terms on processing of Controller personal data, this DPA controls. The EU Standard Contractual Clauses, where executed or incorporated, control over conflicting transfer terms. Data-protection instructions and requests may be sent to hello@vivd.studio.
Deutsche Kurzfassung
Dieser Vertrag ist Bestandteil des Vertrags über das gehostete Vivd, soweit Vivd personenbezogene Daten im Auftrag verarbeitet. Er enthält insbesondere Weisungsbindung, Vertraulichkeit, technische und organisatorische Maßnahmen, Unterauftragsverarbeitung, Unterstützungspflichten, Meldung von Datenschutzverletzungen, Löschung und Nachweismöglichkeiten gemäß Art. 28 DSGVO. Bei Auslegungsfragen ist die englische Vollfassung maßgeblich, soweit zwingendes Recht nichts anderes verlangt.