This Data Processing Addendum (“DPA”) is incorporated into the agreement between Customer and Vilulia LLC (“Vilulia”) governing the Services. This DPA applies to Personal Data processed by Vilulia on behalf of Customer in connection with the Services. If there is a conflict between this DPA and the Terms of Service or an Order Form, this DPA governs with respect to data protection matters.

1. Definitions

“Personal Data” means information relating to an identified or identifiable natural person. “Processing” means any operation performed on Personal Data. “Controller” and “Processor” have the meanings given under applicable data protection law (e.g., GDPR).

2. Roles

Customer is the Controller of Personal Data and Vilulia is the Processor, to the extent Vilulia processes Personal Data on behalf of Customer. Vilulia may act as a Controller for account administration, billing, security, and marketing communications to Customer contacts.

3. Scope of Processing

3.1 Subject Matter and Duration

The subject matter is the provision of the Services. Processing continues for the term of the Services and as necessary to meet legal and operational requirements.

3.2 Nature and Purpose

Processing includes hosting, storing, transmitting, analyzing, and otherwise processing Personal Data as necessary to provide, secure, and support the Services, including AI-enabled functionality requested by Customer.

3.3 Categories of Data and Data Subjects

Data Subjects: Customer’s authorized users; parties to disputes; claimants; witnesses; and other individuals whose data Customer submits.
Personal Data: identifiers, contact information, communications, documents, case data, and related metadata as submitted by Customer.
Sensitive Data: Customer controls whether to submit sensitive data; where submitted, it is processed solely to provide Services.

4. Customer Instructions

Vilulia will process Personal Data only on documented instructions from Customer, including as necessary to provide the Services. Customer instructs Vilulia to process Personal Data as required to provide the Services, maintain security, and comply with law. Customer is responsible for ensuring it has a lawful basis for processing and sharing Personal Data with Vilulia.

5. Confidentiality

Vilulia will ensure that persons authorized to process Personal Data are subject to confidentiality obligations.

6. Security Measures

Vilulia will implement appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

6.1 Minimum Measures (Illustrative)

Encryption in transit and at rest (where supported and configured).
Access controls, role-based authorization, and multi-factor authentication options.
Logging and monitoring (including audit logging for sensitive workflows).
Secure software development practices and vulnerability management.
Backup and disaster recovery practices.

7. Subprocessors

Customer authorizes Vilulia to use subprocessors to process Personal Data for the Services. Vilulia will impose data protection obligations on subprocessors that are at least as protective as this DPA.

Vilulia will maintain a list of subprocessors and a mechanism to notify Customer of material changes (for example, by updating a webpage or through in-product notice), where required by law or contract. Where required by applicable law, Customer may object to a new subprocessor on reasonable grounds related to data protection by providing written notice within thirty (30) days of the update; the parties will work in good faith to resolve the objection.

8. Assistance to Customer

Taking into account the nature of processing, Vilulia will provide reasonable assistance to Customer to respond to requests from data subjects and to meet obligations under applicable data protection laws (including GDPR), to the extent required and reasonably feasible.

9. Personal Data Breach

Vilulia will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA. Vilulia will provide information reasonably requested by Customer to support compliance with breach notification obligations.

10. Data Return and Deletion

Upon termination of the Services, Vilulia will delete or return Personal Data in accordance with the Services’ capabilities and Customer’s contractual terms, unless retention is required by law. Backup deletion follows normal cycles.

11. International Transfers; SCCs

If Personal Data is transferred from the EEA/UK/Switzerland to a country not recognized as providing adequate protection, the parties will rely on appropriate transfer mechanisms. Where applicable, the parties incorporate by reference the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as follows: Module Two (Controller to Processor), with Customer as “data exporter” and Vilulia as “data importer.” For UK transfers, the parties will use the UK Addendum to the EU SCCs or another valid UK transfer mechanism as applicable.

If the SCCs apply, the parties will complete the relevant details (for example: Annex I/II information and the competent supervisory authority) in an Order Form or other written addendum as needed.

12. Audit

Vilulia will make available information reasonably necessary to demonstrate compliance with this DPA and will allow audits as required by law and subject to reasonable confidentiality, security, and scheduling limitations. Vilulia may satisfy audit requests via third-party reports (e.g., SOC 2) where appropriate.

13. AI Training Exclusions

Vilulia does not use Customer Content to train public or general-purpose AI models. Vilulia processes Customer Content only to deliver the Services to Customer. Aggregated and de-identified metrics may be used for performance and security.

14. Governing Law

This DPA is governed by the laws of the Commonwealth of Virginia, to the extent not superseded by applicable data protection law.

Data Processing Addendum (DPA)