
Data Processing Agreement

Last updated: March 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between Vile Analyziz (“Processor”) and the organization subscribing to our services (“Controller”), as required under applicable data protection legislation including the EU General Data Protection Regulation (GDPR), the UK GDPR, and equivalent laws.

This DPA applies automatically to all customers. No separate signature is required. By using our services, you agree to the terms of this DPA.

1. Definitions

  • Personal Data means any information relating to an identified or identifiable natural person processed through the services.
  • Processing means any operation performed on Personal Data, including collection, storage, analysis, and deletion.
  • Sub-processor means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • Services means the file intelligence and analysis platform provided by Vile Analyziz.

2. Scope and Role of the Parties

The Controller determines the purposes and means of processing Personal Data by choosing to upload files and configure analysis settings. The Processor processes Personal Data solely to provide the Services as instructed by the Controller.

Categories of data subjects: employees, contractors, and end users of the Controller who upload files or access analysis results.

Types of Personal Data: email addresses, display names, IP addresses (for rate limiting), and any personal data contained within files uploaded for analysis.

Purpose of processing: file analysis, trust scoring, vendor intelligence, policy enforcement, and reporting as configured by the Controller.

3. Processor Obligations

  • Process Personal Data only on documented instructions from the Controller, unless required by applicable law.
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption at rest and in transit, access controls, and audit logging.
  • Assist the Controller in responding to data subject access requests, including requests for access, rectification, erasure, and portability.
  • Notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach.
  • Delete or return all Personal Data at the end of the service relationship, at the Controller's choice. Deactivated accounts are permanently deleted within 30 days.
  • Make available all information necessary to demonstrate compliance and allow for audits. The Controller may request a summary of our most recent security assessment.

4. Data Location and Transfers

All data is processed and stored within the United States (US East region). We do not transfer Personal Data outside the United States unless required to provide the Services and with appropriate safeguards in place.

For transfers from the European Economic Area or the United Kingdom to the United States, we rely on the EU-U.S. Data Privacy Framework, Standard Contractual Clauses, or other lawful transfer mechanisms as applicable.

5. Sub-processors

We use a limited number of sub-processors to provide the Services. A current list is maintained at our Sub-processor List page.

We will notify the Controller at least 30 days before adding or replacing a sub-processor. The Controller may object to a new sub-processor by contacting us within 15 days of notification. If we cannot reasonably accommodate the objection, the Controller may terminate the affected services.

We impose data protection obligations on each sub-processor that are no less protective than those in this DPA.

6. Security Measures

We implement and maintain the following technical and organizational measures:

  • Encryption: All data is encrypted at rest and in transit using industry-standard protocols.
  • Access control: Role-based access with multi-tenant isolation. Each organization's data is logically separated at the database level.
  • Audit logging: All access to files and account changes are logged with timestamps and actor identification.
  • Incident response: Documented procedures for detecting, responding to, and recovering from security incidents.
  • Business continuity: Automated backups with point-in-time recovery capability. Infrastructure spans multiple availability zones.
  • Personnel: Background checks and security training for all personnel with access to production systems.

For more details, see our Security Practices page.

7. Data Retention and Deletion

We retain Personal Data only as long as necessary to provide the Services. When a Controller deactivates their account, all associated data is permanently deleted within 30 days. Controllers may request data export before account closure via the portal settings.

Uploaded file binaries with high-sensitivity content are automatically purged within 24 hours, while analysis metadata and reports are retained for the duration of the service relationship.

8. Data Subject Rights

We assist the Controller in fulfilling data subject requests including: right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, and right to object. Controllers can manage most requests directly through the portal (team management, data export, account deletion).

9. Term and Termination

This DPA remains in effect for the duration of the service agreement. Upon termination, we will delete all Personal Data within 30 days unless retention is required by applicable law.

10. Contact

For questions about this DPA or to exercise rights under it, contact us through our contact page.