March 20, 2026
This Data Processing Addendum ("DPA") is incorporated into the agreement between Customer and Vilulia LLC ("Vilulia") governing the Services. This DPA applies to Personal Data processed by Vilulia on behalf of Customer in connection with the Services. If there is a conflict between this DPA and the Terms of Service or an Order Form, this DPA governs with respect to data protection matters.
"Personal Data" means information relating to an identified or identifiable natural person. "Processing" means any operation performed on Personal Data. "Controller" and "Processor" have the meanings given under applicable data protection law (e.g., GDPR).
Customer is the Controller of Personal Data and Vilulia is the Processor, to the extent Vilulia processes Personal Data on behalf of Customer. Vilulia may act as a Controller for account administration, billing, security, and marketing communications to Customer contacts.
The subject matter is the provision of the Services. Processing continues for the term of the Services and as necessary to meet legal and operational requirements.
Processing includes hosting, storing, transmitting, analyzing, and otherwise processing Personal Data as necessary to provide, secure, and support the Services, including AI-enabled functionality requested by Customer.
Vilulia will process Personal Data only on documented instructions from Customer, including as necessary to provide the Services. Customer instructs Vilulia to process Personal Data as required to provide the Services, maintain security, and comply with law. Customer is responsible for ensuring it has a lawful basis for processing and sharing Personal Data with Vilulia.
Vilulia will ensure that persons authorized to process Personal Data are subject to confidentiality obligations. Vilulia employees and contractors with access to Personal Data are bound by confidentiality obligations and receive training on data protection requirements.
Vilulia will implement appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
Customer authorizes Vilulia to use the subprocessors listed below to process Personal Data for the Services. Vilulia will impose data protection obligations on subprocessors that are at least as protective as this DPA.
Vilulia will provide Customer with reasonable advance notice of any material change to this subprocessor list (such as the addition of a new subprocessor that will access Personal Data), through in-product notice or email. Where required by applicable law, Customer may object to a new subprocessor on reasonable grounds related to data protection by providing written notice within thirty (30) days of the update; the parties will work in good faith to resolve the objection.
Last updated: March 20, 2026
| Subprocessor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, hosting, storage, database, compute, and security services (including RDS, ECS, S3, ElastiCache, Cognito, Bedrock, CloudFront, KMS, GuardDuty) | United States (us-east-1) |
| Stripe | Payment processing, subscription billing, and Stripe Connect for settlement payments | United States |
| Postmark (ActiveCampaign) | Transactional email delivery (notifications, account communications) | United States |
| Twilio | SMS notifications (optional add-on) | United States |
| Daily.co | Video conferencing integration (optional add-on) | United States |
| DocuSign | Electronic signature services for agreements and awards | United States |
| Sentry | Error monitoring and diagnostics | United States |
| AWS Bedrock / OpenAI / Google / xAI | AI model inference for AI-enabled features (used only to process requests initiated by authorized users; Customer Content is not used for model training) | United States |
Integrations listed as optional add-ons (Twilio, Daily.co, DocuSign) are only engaged when the relevant feature is enabled by Customer. Third-party integrations configured directly by Customer (such as Google Calendar, Outlook, Salesforce, Slack, or QuickBooks) are not Vilulia subprocessors; Customer's agreement with those providers governs their data handling.
Taking into account the nature of processing, Vilulia will provide reasonable assistance to Customer to respond to requests from data subjects and to meet obligations under applicable data protection laws (including GDPR), to the extent required and reasonably feasible. Vilulia will respond to reasonable assistance requests within thirty (30) days of receipt.
Vilulia will notify Customer without undue delay — and in no event later than 72 hours — after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA. Notification will include, to the extent known: the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address the breach. Vilulia will provide additional information reasonably requested by Customer to support compliance with breach notification obligations.
Upon termination of the Services, Vilulia will delete or return Personal Data in accordance with the Services' capabilities and Customer's contractual terms, unless retention is required by law. Backup deletion follows normal retention cycles. Upon request, Vilulia will confirm in writing that deletion has been completed.
If Personal Data is transferred from the EEA/UK/Switzerland to a country not recognized as providing adequate protection, the parties will rely on appropriate transfer mechanisms. Where applicable, the parties incorporate by reference the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as follows: Module Two (Controller to Processor), with Customer as "data exporter" and Vilulia as "data importer." For UK transfers, the parties will use the UK Addendum to the EU SCCs or another valid UK transfer mechanism as applicable.
If the SCCs apply, the parties will complete the relevant details (for example: Annex I/II information and the competent supervisory authority) in an Order Form or other written addendum as needed.
Vilulia will make available information reasonably necessary to demonstrate compliance with this DPA and will allow audits as required by law and subject to reasonable confidentiality, security, and scheduling limitations. Vilulia may satisfy audit requests via third-party reports (e.g., SOC 2) where appropriate. Audit requests must be submitted in writing with reasonable advance notice, and any audit will be conducted at Customer's expense unless a material breach by Vilulia is confirmed.
Aggregated and de-identified metrics (such as latency, error rates, and feature usage statistics that cannot be linked to a specific customer or case) may be used for platform performance and security improvement.
This DPA is governed by the laws of the Commonwealth of Virginia, to the extent not superseded by applicable data protection law.
Our legal team is here to help with any questions.