Data Processing Agreement

Last updated: 7 May 2026

1. Overview

This Data Processing Agreement ("DPA") governs the processing of personal data by Vyrable ("the Processor") on behalf of customers ("the Controller") in connection with the use of the Vyrable Service. It supplements and forms part of the Vyrable Terms of Service and the Vyrable Privacy Policy.

For customers requiring a signed counterpart of this DPA, with the controller's details inserted and a wet or e-signature from both parties, please contact dpo@vyrable.ai and we will return a countersignable copy within 5 working days.

2. Subject matter and duration

Subject matter: processing of personal data submitted by the Controller's authorised users to the Vyrable Service for the purpose of providing the Service, including content generation, brand-visibility scanning, scheduling, publishing, analytics, and incidental support.

Duration: for the term of the Controller's subscription to the Service, plus the post-termination retention period set out in the Privacy Policy.

Nature and purpose: processing is performed by automated means, in support of the Service's standard features. The Processor does not use Controller data for its own marketing purposes, model training, or onward disclosure other than via the sub-processors disclosed below.

Categories of data subjects: the Controller's end-users, employees, and any persons whose personal data the Controller chooses to submit (including competitor public figures named in tracked prompts).

Categories of personal data: account data (name, email, organisation), authored content, content metadata, scan responses, billing identifiers, support correspondence, and technical logs.

3. Processor obligations

The Processor will: (a) process personal data only on documented instructions from the Controller, including with regard to transfers; (b) ensure that persons authorised to process the personal data are bound by appropriate confidentiality obligations; (c) implement the technical and organisational measures set out in §6 to assist the Controller in fulfilling its obligations; (d) make available to the Controller all information necessary to demonstrate compliance and allow for audits as set out in §7; (e) notify the Controller without undue delay after becoming aware of a personal data breach as set out in §8.

4. Sub-processors

The Controller authorises the Processor to engage the sub-processors listed in §7 of the Privacy Policy. The list is updated when sub-processors are added, replaced or removed, and the latest version is always available on request to privacy@vyrable.ai.

The Processor will impose data protection obligations on each sub-processor that are no less protective than those in this DPA, and will remain liable to the Controller for the performance of any sub-processor's obligations.

The Processor will provide at least 14 days' advance notice by email of any intended addition or replacement of a sub-processor that processes personal data. The Controller may object on reasonable data-protection grounds before the change takes effect; in such a case, the parties will work in good faith to resolve the objection or the Controller may terminate the affected services as set out in the Terms. The current sub-processor list is maintained in the Privacy Policy and is the authoritative source.

5. International transfers

Personal data is processed globally — primary compute is located in Germany (EU); sub-processors operate from jurisdictions including the UK, EEA, US, and other regions. Where personal data is transferred to a country outside the UK or EEA without an adequacy decision, the parties rely on the UK Addendum to the EU Standard Contractual Clauses (SCCs) (Module Two: controller-to-processor) as the transfer mechanism, supplemented by the technical and organisational measures in §6.

The Processor will, on request, provide a Transfer Impact Assessment for any specific sub-processor relationship.

6. Security measures

The Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • Encryption in transit (TLS 1.2+) and at rest for all customer data stores
  • Role-based access control with least-privilege defaults; production access logged and reviewed
  • Two-factor authentication required for all production access
  • Daily encrypted backups, retained for 30 days, with documented restore procedures
  • Network isolation of production workloads; secrets stored outside the codebase
  • Regular dependency vulnerability scanning and patching
  • Incident response plan with defined roles and notification timelines

7. Audit rights

On reasonable written request, the Processor will make available to the Controller information necessary to demonstrate compliance with this DPA. Where third-party audit reports (e.g. SOC 2 reports from sub-processors) are available, those will be provided in lieu of bespoke audits where they meet the Controller's reasonable needs. The Controller bears its own audit costs unless the audit reveals material non-compliance.

8. Personal data breach

The Processor will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Controller data. The notification will describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it.

9. Return or deletion

On termination of the Service, the Processor will, at the Controller's choice, delete or return all personal data processed on behalf of the Controller, and delete existing copies, unless retention is required by law. Standard post-termination retention windows are set out in the Privacy Policy.

10. Contact

Data Protection Officer: dpo@vyrable.ai
Privacy enquiries: privacy@vyrable.ai

This DPA is provided as a standardised online counterpart to support due diligence and procurement processes. Customers that require a wet-signed copy with bespoke terms should contact the DPO above.