VirtusNova Data Processing Addendum

Last updated: January 15, 2026

This Data Processing Addendum, including its Appendices (“DPA”), forms part of the VirtusNova Enterprise Terms of Service, the VirtusNova Enterprise Seat Subscription Agreement, or any other written or electronic agreement incorporating this DPA by reference (the “Agreement”) between Wilken UG (haftungsbeschränkt), operating as VirtusNova, Braugasse 14C, 50859 Cologne, Germany (“VirtusNova”), and the entity identified as Customer in the Agreement (“Customer”), for the purpose of providing certain services (the “Services”).

In the course of providing the Services to Customer pursuant to the Agreement, VirtusNova may Process Customer Personal Data (as defined below) on Customer’s behalf. This DPA sets out the terms that apply when Customer Personal Data that is subject to Applicable Data Protection Laws is Processed by VirtusNova on Customer’s behalf under the Agreement.

Customer enters into this DPA on behalf of itself and, to the extent required under Applicable Data Protection Laws, in the name and on behalf of its Affiliates that are permitted to use the Services under the Agreement. Unless otherwise defined herein, capitalized terms in this DPA will have the same meaning ascribed to them in the Agreement.

1. PROCESSING OF PERSONAL DATA

1.1 Scope.

This DPA applies to the Processing of Customer Personal Data that is subject to Applicable Data Protection Laws by VirtusNova in its capacity as a processor or service provider for the purpose of providing the Services.

1.2 Roles.

The parties acknowledge and agree that, with regard to the Processing of Customer Personal Data, Customer is the controller or business and VirtusNova is Customer’s processor or service provider under Applicable Data Protection Laws.

1.3 Details of Processing.

The subject matter, duration, nature, and purpose of the Processing, and the types of personal data or personal information, and categories of data subjects or consumers, are described in Appendix 1 of this DPA.

1.4 Customer’s Responsibilities.

Customer shall, in its use of the Services: (a) comply with its obligations as a controller or business and Process Customer Personal Data in accordance with Applicable Data Protection Laws; (b) ensure that its instructions to VirtusNova comply with Applicable Data Protection Laws; (c) have sole responsibility for the accuracy, quality, and legality of Customer Personal Data; and (d) ensure that Customer is entitled to transfer Customer Personal Data to VirtusNova so that VirtusNova and its Subprocessors may lawfully Process Customer Personal Data under Applicable Data Protection Laws.

1.5 Customer’s Instructions.

Customer instructs VirtusNova to collect, analyze, display, store and otherwise Process Customer Personal Data for the purpose of providing and improving the Services to Customer in a manner consistent with the Agreement, this DPA and, where applicable, the privacy policy published at https://virtusnova.marketing/privacy-policy/. VirtusNova will comply with other reasonable instructions provided by Customer (e.g., via email or support tickets) or initiated by Customer’s authorized users of the Services, where such instructions are consistent with the terms of the Agreement. VirtusNova will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Laws.

1.6 VirtusNova’s Responsibilities.

VirtusNova shall comply with its obligations under Applicable Data Protection Laws in its role as a processor or service provider and notify Customer if it cannot or can no longer meet such obligations. VirtusNova will only Process Customer Personal Data in accordance with Customer’s documented instructions as set out in Section 1.5 and agrees that it shall not: (a) “sell” or “share” Customer Personal Data within the meaning of Applicable Data Protection Laws (including the CCPA); (b) retain, use, or disclose Customer Personal Data for any purpose other than the business purposes specified under the Agreement and this DPA; (c) use Customer Personal Data received in connection with the Agreement outside of the relationship between Customer and VirtusNova; or (d) combine Customer Personal Data with information that VirtusNova has received from other sources; in each case except as permitted under the Agreement and Applicable Data Protection Laws.

2. SUBPROCESSORS

2.1 Appointment of Subprocessors.

Customer agrees and provides a general written authorization that VirtusNova and its Affiliates may engage Subprocessors, provided that: (a) VirtusNova and each Subprocessor shall enter into a written agreement containing data protection obligations that provide an equivalent level of protection for Customer Personal Data as those described in this DPA (in particular, providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of Applicable Data Protection Laws); and (b) VirtusNova shall remain responsible for its Subprocessors’ compliance with the obligations under this DPA and for any acts or omissions of its Subprocessors that cause VirtusNova to breach any of its obligations under this DPA.

2.2 Identification and Notification of Authorized Subprocessors.

VirtusNova maintains a list of its authorized Subprocessors at a publicly listed web page, currently found at https://virtusnova.marketing/virtusnova-subprocessor-list/. Customer may subscribe to receive notifications of new or replacement Subprocessors by emailing info@virtusnova.marketing with the subject “Subprocessor Subscribe”. If Customer subscribes to receive notifications, VirtusNova shall provide thirty (30) days’ notification of any intended new or replacement Subprocessor before authorizing such Subprocessor to Process Customer Personal Data in connection with the provision of the applicable Services.

2.3 Right to Object to New Subprocessors.

Customer may reasonably object to VirtusNova’s use of a new or replacement Subprocessor by notifying VirtusNova promptly in writing within ten (10) business days after receipt of VirtusNova’s notice in accordance with Section 2.2. Customer shall explain the reasonable grounds for any such objection, which must relate to compliance with Applicable Data Protection Laws. Upon receipt of an objection, VirtusNova will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid the Processing of Customer Personal Data by the objected-to Subprocessor. If VirtusNova is unable to make such a change or recommendation within a reasonable period of time, Customer may terminate the affected part of the Services in accordance with the terms of the Agreement.

3. CONFIDENTIALITY

3.1 Confidentiality.

VirtusNova shall ensure that any persons that it authorizes to Process Customer Personal Data (including its staff, agents and contractors) shall be subject to a duty of confidentiality that survives the termination of their employment and/or contractual relationship.

3.2 Government requests.

VirtusNova shall not disclose Customer Personal Data to any law enforcement agency or government authority (collectively, “Government Authority”) unless instructed by Customer, or as necessary to comply with applicable laws or a valid and binding order of a Government Authority, such as a subpoena or court order. If a Government Authority requests access to Customer Personal Data, and unless legally prohibited from doing so, VirtusNova shall (a) inform the Government Authority that VirtusNova is a processor or service provider and attempt to redirect the Government Authority to Customer (and may provide Customer’s basic contact information to the Government Authority for these purposes); and (b) take commercially reasonable steps to notify Customer of legally binding requests to allow Customer to seek a protective order or other appropriate remedy. If VirtusNova is legally compelled to respond to the request, VirtusNova shall review the legality of the request and determine whether the request may be challenged. In any event, VirtusNova shall only disclose the minimum information that is required to comply with the request.

4. SECURITY

4.1 Security Measures.

VirtusNova shall maintain an information security program for the Services that aligns with industry best practices and shall implement and maintain appropriate technical and organizational measures to protect Customer Personal Data from Security Incidents and preserve the security, confidentiality, and integrity of Customer Personal Data, as further described in Appendix 2 of this DPA and in VirtusNova’s Security Practices document available at https://virtusnova.marketing/virtusnova-security-practices/ (“Security Measures”). VirtusNova leverages cloud infrastructure providers (Google Cloud Platform and Firebase) that maintain internationally recognized certifications and security standards. These Security Measures include: (a) the encryption of Customer Personal Data at rest and in transit; (b) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of VirtusNova’s systems and services through the use of managed cloud services; (c) the ability to restore the availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident through automatic backup and redundancy capabilities provided by Firebase and Google Cloud Platform; and (d) regular review and assessment of the effectiveness of technical and organizational measures for ensuring the security of the Processing. VirtusNova may update or modify the Security Measures from time to time provided that such updates and modifications do not materially decrease the overall security of the Services provided to Customer. Any requests by Customer for additional security measures or modifications to existing Security Measures will be evaluated by VirtusNova on a case-by-case basis, taking into account technical feasibility, cost, and other business considerations, and VirtusNova does not automatically commit to implementing such requests.

4.2 Audits and Third-Party Security Certifications.

VirtusNova agrees to make available to Customer, upon written request no more than once per year and subject to the confidentiality obligations set forth in the Agreement (or a separate non-disclosure agreement, if necessary), information necessary to demonstrate VirtusNova’s compliance with its obligations under this DPA, including information regarding VirtusNova’s Security Measures and the certifications and audit reports of its Subprocessors (where available). VirtusNova currently does not maintain its own independent security certifications (such as SOC 2 or ISO 27001), but leverages cloud infrastructure providers (Google Cloud Platform and Firebase) that maintain internationally recognized certifications and accreditations. VirtusNova will allow for and contribute to audits conducted by Customer or Customer’s designated auditor, provided that: (a) such audits are conducted during normal business hours and with reasonable advance notice (at least 30 days); (b) such audits are conducted in a manner that minimizes disruption to VirtusNova’s business operations; (c) Customer bears the costs of such audits; and (d) Customer and its auditors are bound by confidentiality obligations. VirtusNova may satisfy audit requests by providing attestations, certifications, or audit reports from independent third-party auditors or from VirtusNova’s Subprocessors (particularly Google Cloud Platform and Firebase), where such documentation demonstrates compliance with VirtusNova’s obligations under this DPA.

5. INCIDENT MANAGEMENT AND NOTIFICATION

5.1

If VirtusNova becomes aware of a Security Incident for which notification to Customer is required under Applicable Data Protection Laws, VirtusNova will, without undue delay, notify Customer of the Security Incident. VirtusNova will include in the notification such information about the Security Incident as VirtusNova is reasonably able to disclose to Customer, taking into account the nature of the Services, the information available to VirtusNova, and any restrictions on disclosing the information, such as confidentiality. Any notice of a Security Incident provided by VirtusNova is not, and will not be construed as, an acknowledgement by VirtusNova of any fault or liability.

6. PRIVACY RIGHTS REQUESTS

6.1

To the extent required under Applicable Data Protection Laws, and insofar as Customer cannot respond through functionality made available via the Services, VirtusNova shall provide Customer with commercially reasonable assistance to enable Customer to respond to requests from data subjects or consumers seeking to exercise their rights under Applicable Data Protection Laws, taking into account the nature of the Processing.

7. DPIA AND CONSULTATIONS

7.1

Upon Customer’s reasonable written request, and to the extent required under Applicable Data Protection Laws, VirtusNova shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligations to carry out data protection impact assessments and consult with supervisory authorities related to Customer’s use of the Services.

8. INTERNATIONAL DATA TRANSFERS

8.1 International Data Transfers.

Customer acknowledges and agrees that VirtusNova may transfer and Process Customer Personal Data outside of your country as necessary to provide the Services, including within the European Economic Area and other countries where VirtusNova, its Affiliates, and Subprocessors maintain data processing operations. VirtusNova shall take all such measures as are necessary to ensure such transfers are made in compliance with applicable European Data Protection Laws. In particular, Customer acknowledges that VirtusNova may Process Customer Personal Data within the European Economic Area, which provides an adequate level of protection for personal data.

8.2 Standard Contractual Clauses.

To the extent that the transfer of Customer Personal Data from Customer to VirtusNova involves a Restricted Transfer, and the transfer is not covered by adequacy status, then the SCCs shall be incorporated and form an integral part of this DPA, with Customer (and any Customer Affiliates) as the “data exporter” and VirtusNova as the “data importer”, as follows:

(a) In relation to Customer Personal Data that is subject to the GDPR: (i) Module Two (controller to processor) shall apply; (ii) in Clause 7, the optional docking clause shall apply; (iii) in Clause 9, Option 2 shall apply, and the time period for prior notice of Subprocessor changes shall be as set out in Section 2.2 of this DPA; (iv) in Clause 11, the optional language shall not apply; (v) in Clause 17, Option 1 shall apply, and the SCCs shall be governed by German law; (vi) in Clause 18(b), disputes shall be resolved before the courts of Germany; (vii) Annex I of the SCCs shall be deemed completed with the information set out in Appendix 1 to this DPA; and (viii) Annex II of the SCCs shall be deemed completed with the information set out in Appendix 2 to this DPA.

(b) In relation to Customer Personal Data that is subject to the UK GDPR, the SCCs shall apply in accordance with Section 8.2(a), with the following modifications: (i) the SCCs shall be deemed amended as specified by the UK Addendum, which shall be deemed executed by the parties and incorporated into and form an integral part of this DPA; (ii) any conflict between the SCCs and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum; (iii) tables 1 to 3 in Part 1 shall be completed respectively with the information set out in Appendices 1 and 2 of this DPA; and (iv) table 4 in Part 1 shall be deemed completed by selecting “neither party”.

(c) In relation to Customer Personal Data that is subject to the Swiss FADP, the SCCs shall apply in accordance with Section 8.2(a), with the following modifications: (i) references to “Regulation (EU) 2016/679” and specific articles therein shall be replaced with references to the Swiss FADP and the equivalent articles or sections therein; (ii) references to “EU”, “Union” and “Member State” shall be replaced with references to “Switzerland”; (iii) Clause 13(a) and Annex II(C) are not used and the “competent supervisory authority” shall be the Swiss Federal Data Protection Information Commissioner; (iv) references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland”; (v) in Clause 17, the SCCs shall be governed by the laws of Switzerland; and (vi) in Clause 18(b), disputes shall be resolved before the applicable courts of Switzerland.

8.3 Clarifications to the Standard Contractual Clauses.

Where the VirtusNova contracting entity under the Agreement is not VirtusNova, such contracting entity (not VirtusNova) will remain fully and solely responsible to Customer for the performance of the SCCs by VirtusNova and Customer shall direct any instructions or claims in relation to the SCCs to such contracting entity. The parties agree that if VirtusNova cannot ensure compliance with the SCCs, it shall promptly inform Customer and Customer shall provide VirtusNova with a reasonable period of time to cure the non-compliance, during which time VirtusNova and Customer shall reasonably cooperate to agree what additional safeguards or measures, if any, may be reasonably required. Customer shall only be entitled to suspend the transfer of Customer Personal Data and/or terminate the affected parts of the Services for non-compliance with the SCCs if VirtusNova has not or cannot cure the non-compliance before the end of the cure period. Additionally, in the event VirtusNova adopts an alternative transfer mechanism, such alternative transfer mechanism shall apply instead of the SCCs described in Section 8.2 of this DPA, but only to the extent such alternative transfer mechanism complies with applicable European Data Protection Laws and extends to the territories to which Customer Personal Data is transferred.

9. RETURN AND DELETION OF PERSONAL DATA

9.1

Upon termination of the Services, VirtusNova shall, upon Customer’s written request received by VirtusNova within 30 days of termination of the Services, return or delete all Customer Personal Data and copies of such data in its custody or control, unless it is legally required to retain the Customer Personal Data. Until the Customer Personal Data is deleted or returned, VirtusNova shall continue to protect the Customer Personal Data in accordance with the Agreement, this DPA, and Applicable Data Protection Laws.

10. GENERAL PROVISIONS

10.1 Legal Effect.

This DPA is an addendum to and incorporated as part of the Agreement between Customer and VirtusNova. Except as expressly provided herein, a VirtusNova entity is not a party to this DPA (or the SCCs) unless it is a party to the Agreement. Except for changes made by this DPA, the Agreement remains unchanged and in full force and effect. This DPA supersedes and replaces all prior or contemporaneous representations, understandings, agreements, or communications between Customer and VirtusNova, whether written or verbal, regarding the subject matter of this DPA, including any data processing addenda previously entered into between VirtusNova and Customer.

10.2 Conflict.

If there is a conflict between any provision of this DPA and any provision of the Agreement, the following order of precedence shall apply: (1) the SCCs; (2) this DPA; and (3) any other part of the Agreement.

10.3 Termination.

This DPA shall continue in force until the termination of the Agreement.

10.4 Limitations of Liability.

The liability of each party under this DPA (including the SCCs) shall be subject to the exclusions and limitations of liability set out in the Agreement. For the avoidance of doubt, VirtusNova’s and its Affiliates’ total liability for all claims arising out of or related to this DPA shall apply in the aggregate for all claims, including by Customer and Customer’s Affiliates. In no event does this DPA restrict or limit the rights of any data subject or consumer under Applicable Data Protection Laws or the SCCs.

10.5 Disclosure of this DPA.

Customer acknowledges that VirtusNova may disclose this DPA and any relevant privacy provisions in the Agreement to a European supervisory authority, or any other European, Canadian, or US judicial or regulatory body upon request.

10.6 Amendments.

We may change any part of this DPA at any time by posting the revised terms on the VirtusNova website. We will notify you of any changes that, in our sole discretion, materially impact this DPA. The updated DPA will be effective as of the time of posting, or on such later date as may be specified in the updated DPA, and your continued use of the Services after any such changes are effective will constitute your consent to such changes.

11. DEFINITIONS

11.1

In this DPA, the following terms have the meanings given to them below:

(a) The terms “business”, “consumer”, “controller”, “data subject”, “personal data”, “personal information”, “processor”, “service provider”, and “supervisory authority” have the meanings given to them under Applicable Data Protection Laws.

(b) “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

(c) “Applicable Data Protection Laws” means European Data Protection Laws, US Privacy Laws, and all other data protection and privacy laws and regulations as applicable to the Processing of Customer Personal Data under the Agreement.

(d) “Customer Personal Data” means any personal data or personal information provided by (or on behalf of) Customer to VirtusNova, or otherwise Processed by VirtusNova on Customer’s behalf under the Agreement, as described in Appendix 1 of this DPA. “Customer Personal Data” does not include any personal data or personal information that Customer Processes via third-party services that are not provided by VirtusNova but which Customer may access or use in connection with the Services.

(e) “Europe” means, for the purposes of this DPA, the European Economic Area and its Member States, Switzerland, and the United Kingdom (“UK”).

(f) “European Data Protection Laws” means all data protection and privacy laws and regulations of Europe that are applicable to the Processing of Customer Personal Data under the Agreement, including: (i) the EU General Data Protection Regulation (“GDPR”); (ii) any applicable national implementations of the GDPR; (iii) the GDPR as it forms part of UK law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018 (together, the “UK GDPR”); and (iv) the Swiss Federal Act on Data Protection of 2020 and its Ordinance (“Swiss FADP”); in each case as may be amended, superseded, or replaced from time to time.

(g) “VirtusNova” means Wilken UG (haftungsbeschränkt), operating as VirtusNova, Braugasse 14C, 50859 Cologne, Germany.

(h) “Process” or “Processing” means any operation or set of operations that are performed on Customer Personal Data, whether or not by automated means, including the collection, use, and disclosure of Customer Personal Data.

(i) “Restricted Transfer” means a transfer of Customer Personal Data originating from Europe to a country that does not provide an adequate level of protection for personal data within the meaning of applicable European Data Protection Laws.

(j) “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Customer Personal Data Processed by VirtusNova in connection with the provision of the Services. This does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

(k) “Services” means the services provided by VirtusNova to Customer as set forth in the Agreement or associated Order Form or Authorisation Form (as applicable).

(l) “SCCs” means the standard contractual clauses as approved by the European Commission pursuant to its decision 2021/914 of 4 June 2021, as may be amended, superseded, or replaced from time to time.

(m) “Subprocessor” means any third-party processor engaged by VirtusNova or its Affiliates to assist in providing the Services to Customer in accordance with the Agreement and this DPA. Subprocessors do not include VirtusNova’s or its Affiliates’ employees, contractors, or consultants.

(n) “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018, as may be amended, superseded, or replaced from time to time.

(o) “US Privacy Laws” means all United States federal and state data protection and privacy laws that are applicable to the Processing of Customer Personal Data under the Agreement, including without limitation: (i) the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and any implementing regulations relating to the same (together, the “CCPA”); (ii) the Virginia Consumer Data Protection Act (“CDPA”); (iii) the Colorado Privacy Act (“CPA”); (iv) the Utah Consumer Privacy Act (“UCPA”); (v) the Connecticut Data Privacy Act (“CTDPA”); (vi) the Montana Consumer Data Privacy Act (“MCDPA”); (vii) the Texas Data Privacy and Security Act (“TDPSA”); (viii) the Oregon Consumer Privacy Act (“OCPA”); (ix) the Iowa Consumer Data Protection Act (“ICDPA”); (x) the Delaware Personal Data Privacy Act (“DPDPA”); (xi) the Nebraska Data Privacy Act (“NDPA”); (xii) the New Jersey Data Privacy Act (“NJDPA”); (xiii) the Tennessee Information Protection Act (“TIPA”); (xiv) the Maryland Online Data Privacy Act (“MODPA”); (xv) the New Hampshire Privacy Act (“NHPA”); and (xvi) the Minnesota Consumer Data Privacy Act (“MCDPA”); in each case when effective and as may be amended, superseded, or replaced from time to time.

APPENDIX 1: DESCRIPTION OF THE PROCESSING

This Appendix describes the processing of Customer Personal Data by the parties in connection with the Services and forms an integral part of the Agreement. Unless otherwise defined herein, capitalized terms in this Appendix will have the same meaning ascribed to them in the Agreement.

(A) List of parties

Data Exporter:

Name: The data exporter is the entity identified as “Customer” in the Agreement.

Address: The address is set out in the Agreement.

Contact person’s name, position and contact details: The contact information is as set out in the Agreement.

Activities relevant to data transferred under these Clauses: Processing activities in receiving the Services as set forth in the Agreement

Role (controller / processor): Controller

Data Importer:

Name: Wilken UG (haftungsbeschränkt), operating as VirtusNova

Address: Braugasse 14C, 50859 Cologne, Germany

Contact person’s name, position and contact details: Data Protection Officer, info@virtusnova.marketing

Activities relevant to data transferred under these Clauses: Processing activities in providing the Services as set forth in the Agreement

Role (controller / processor): Processor

(B) Description of the processing & transfer

Services

Categories of data subjects or consumers:

  • Customer’s employees, consultants, or contractors authorized to use the Services.
  • Individuals whose personal data or personal information is included in (i) social media platforms and services (e.g., Facebook, Instagram, LinkedIn, X/Twitter, TikTok); (ii) social media content, including posts, communications, messages, pages or feeds; (iii) cloud storage services integrated with the Services (e.g., Google Drive, Dropbox); and (iv) other data sources processed on behalf of Customer in connection with the Services.
  • Individuals whose personal data is included in product or service information imported or managed through the Services.

Categories of personal data or personal information:

The information that is processed through the Services is determined and controlled by Customers in their sole discretion and may include the following categories:

All Services

  • Identification data (e.g., name, social media identifier, username, user ID, profile information, geolocation data)
  • Contact details (e.g., name, email address, telephone number)
  • Social media content and other internet/platform user generated content (e.g., status updates, posts, comments, pages, profiles, likes, feeds, items on blog or forum containing keywords and characteristics)
  • Account and authentication data (e.g., email addresses, user credentials for accessing the Services)
  • Brand and organization information (e.g., brand names, organization details, team member information)

VirtusNova Social Media Management Services

  • Social media account credentials and access tokens (stored securely and encrypted)
  • Social media post content, including text, images, videos, and metadata
  • Scheduling and publishing data (e.g., scheduled post times, publishing history, engagement metrics)
  • Social media analytics and performance data
  • Audience and follower information
  • Customer inputs and outputs for artificial intelligence enabled Services (e.g., AI-generated content, captions, hashtags, post ideas)
  • Content library data (e.g., uploaded media files, stock images, templates)

Product and Service Management

  • Product and service information (e.g., product names, descriptions, prices, variants)
  • Product catalog data and metadata
  • Media files associated with products or services

Cloud Storage Integration

  • File metadata and access information from integrated cloud storage services (e.g., Google Drive, Dropbox)
  • Media files retrieved from cloud storage for use in social media content

Sensitive data (if applicable) and applied restrictions or safeguards:

The information that is processed through the Services is determined and controlled by Customers and may include the following sensitive data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning health or sex life, or data relating to offenses, criminal convictions or security measures. See Appendix 2 for applied restrictions and safeguards for sensitive data.

Frequency of the transfer: Continuous

Nature of the Processing: Collection, storage, organization, modification, retrieval, disclosure, communication, and other uses in performance of the Services as set out in the Agreement.

Purpose(s) and subject matter of the transfer and further Processing:

Processing activities in performance of the Services as set out in the Agreement, including:

  • Providing access to the VirtusNova social media management platform and Services;
  • Delivering, maintaining, and updating functionalities as licensed, configured, and used by Customer and authorized users;
  • Managing social media accounts and content across multiple platforms;
  • Enabling content creation, scheduling, and publishing of social media posts;
  • Providing AI-powered content generation and optimization features;
  • Facilitating integrations with social media platforms and third-party services (e.g., Google Drive, Dropbox, Stripe);
  • Managing product and service catalogs for use in content creation;
  • Monitoring system performance, security, and availability in real time;
  • Identifying, diagnosing, and resolving technical issues, bugs, and errors, including performing testing and quality assurance;
  • Processing payment and subscription information;
  • Other processing activities necessary for the performance of the Services in accordance with Customer’s documented instructions.

Period and duration for which the personal data or personal information will be Processed and retained: In accordance with Section 9 of the DPA.

(C) Competent supervisory authority

For the purposes of the SCCs, the competent supervisory authority shall be determined in accordance with the GDPR. For VirtusNova, as a German entity, the competent supervisory authority is the State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia (Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen).

APPENDIX 2: SECURITY MEASURES

This Appendix describes the technical and organizational measures to be implemented by VirtusNova and forms an integral part of the Agreement. Unless otherwise defined herein, capitalized terms in this Appendix will have the same meaning ascribed to them in the Agreement.

The technical and organizational measures (“TOMs”) to be implemented (including any relevant certifications) to ensure an appropriate level of security taking into account the nature, scope, context and purposes of the processing, and the risks for the rights and freedoms of natural persons, are described below. The following table provides examples of the TOMs implemented by VirtusNova.

Type of TOMs / Description of TOMs
Measures of pseudonymisation and encryption of personal data

Pseudonymisation
Processing of personal data is limited within the Services. Where feasible, unique identifiers are used rather than full personal data fields such as account user’s first and last name and their business email address.

Encryption
Data provided by customers to VirtusNova is encrypted during transit using TLS 1.2 or above, and at rest using industry-standard encryption methods (AES-256) to mitigate security threats at industry standard levels. All data stored in Firebase services (Firestore, Cloud Storage) is encrypted at rest by default. Firebase automatically encrypts all data at rest without requiring additional configuration. All API communications use HTTPS with TLS encryption, which is enforced by Firebase and Google Cloud Platform services.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Access controls

  • VirtusNova implements access control policies and procedures that address onboarding, off-boarding, transition between roles, and limitations on administrator privileges.
  • Identification and segregation of conflicting duties and areas of responsibility, such as separation of duties, is implemented where applicable.
  • VirtusNova maintains an inventory of user accounts and access rights.
  • The principles of ‘need-to-know’ and ‘least privilege’ are enforced through Firebase Security Rules and role-based access controls. User access rights are reviewed on a regular basis.
  • Firebase Authentication enforces limits on invalid login attempts.
  • Remote access to production systems and other sensitive network segments requires connection through a secure VPN with multi-factor authentication.

Authentication

  • Passwords require a defined minimum complexity. Initial passwords must be changed after the first login.
  • Access to the systems used by VirtusNova employees and contract personnel is controlled by multi-factor authentication (MFA).
  • Firebase Authentication is used for customer authentication, providing secure authentication mechanisms including email/password and OAuth providers (such as Google Sign-In). While Firebase Authentication supports multi-factor authentication capabilities, VirtusNova’s current implementation focuses on providing secure password-based and OAuth-based authentication for customers.

Personnel practices

  • All employees are bound by confidentiality agreements and VirtusNova’s security and privacy policies. Upon onboarding and at least annually thereafter, all employees receive security and privacy training.
  • Pre-employment screening (which may include criminal background screening), commensurate with the sensitivity of the role, and where permissible by law, is conducted.

Intrusion Detection and Monitoring

  • Intrusion detection mechanisms are used to monitor the Services for unauthorized intrusions. Firebase and Google Cloud Platform provide built-in security monitoring and alerting capabilities that VirtusNova utilizes.
  • Firewalls are configured according to industry best practices, and ports not utilized for delivery of the VirtusNova Services are blocked.
  • Vulnerability scans are performed on production systems and commercially reasonable efforts are taken to remediate any findings that present a material risk to the VirtusNova environment.
  • Screen lockouts are enforced and full disk encryption is implemented for company laptops and devices.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

Disaster Recovery
Customer data is stored redundantly at multiple locations in Google Cloud Platform data centers to ensure availability. Firebase services provide automatic redundancy and failover capabilities across multiple geographic regions. Google Cloud Platform’s infrastructure is designed for high availability and automatic failover.

Backups
Customer Information stored in Firebase Firestore benefits from Firebase’s automatic backup and point-in-time recovery capabilities. Firebase maintains automatic backups of Firestore data, and VirtusNova can restore data to a previous point in time if needed. VirtusNova’s source code is maintained in version control systems with redundancy. VirtusNova monitors backup systems and is alerted in the event of any failures.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

Security team
VirtusNova maintains security oversight and monitoring of the technical and organizational measures implemented for the Services. Security responsibilities are assigned to qualified personnel who oversee, monitor and test security measures on an ongoing basis.

Audits and Certifications
VirtusNova implements security measures aligned with industry standards including the NIST Cybersecurity Framework and ISO/IEC 27000 series standards. VirtusNova leverages cloud infrastructure providers that maintain internationally recognized certifications and accreditations. Specifically, Firebase and Google Cloud Platform, which VirtusNova uses for its production infrastructure, maintain certifications including ISO 27001, ISO 27017, ISO 27018, SOC 2, SOC 3, and PCI DSS Level 1 compliance. Information regarding Google Cloud Platform’s certifications and compliance may be accessed from the Google Cloud Security and Compliance website. VirtusNova commits to regularly reviewing and assessing the effectiveness of its technical and organizational measures.

Measures for user identification and authorization

Logs

  • Logs that record details of transmissions of data from IT systems that store or process personal data and user access to the Services are monitored and reviewed to verify authorized access. Firebase and Google Cloud Platform provide comprehensive logging capabilities for authentication events, database access, API calls, and system operations.
  • VirtusNova utilizes Firebase and Google Cloud Platform’s centralized logging and monitoring capabilities. Firebase Authentication logs capture authentication events, and Firestore logs record database access patterns. VirtusNova reviews logs on a regular basis to identify and respond to security events.
  • Google Cloud Platform provides built-in security monitoring and alerting capabilities, including Cloud Security Command Center and Cloud Logging, which VirtusNova utilizes to monitor for suspicious activity and potential security threats.

Encryption and Firewalls

  • All public facing interfaces are secured via industry standard encryption and firewalls.
  • Production systems are only accessible after MFA.
  • VirtusNova leverages Google Cloud Platform’s network security infrastructure, which includes advanced firewall rules, DDoS protection, and network segmentation. Google Cloud Platform’s firewall rules are configured to restrict access to only necessary ports and protocols. Google Cloud Armor provides DDoS protection and web application firewall capabilities.
  • Remote access to production systems and other sensitive network segments requires connection through a secure VPN with multi-factor authentication.

Access Control

  • Role-based access control is enforced in accordance with ‘need-to-know’ and ‘least privilege’ principles.
  • Firebase Security Rules and Firestore security rules are implemented to restrict access to data based on user roles and permissions.

Measures for the protection of data during transmission

The Services support the latest industry-standard secure cipher suites and protocols to encrypt all traffic in transit. VirtusNova currently supports TLS 1.2 or above on its web traffic and all pages that accept payment information. All API communications use HTTPS with TLS encryption.

Firebase and Google Cloud Platform services use encrypted connections by default. All data transmitted to and from VirtusNova’s Services is encrypted in transit using TLS encryption, which is enforced by Firebase and Google Cloud Platform services.

Remote access to production systems and some other sensitive network segments is only available via a VPN tunnel, which requires MFA and is end-to-end encrypted.

Measures for the protection of data during storage

Customer Content is encrypted at rest (using AES-256 encryption), where appropriate and having regard to the nature of the content and associated risks. Firebase Firestore and Cloud Storage provide automatic encryption at rest.

Access controls (as further described above) are implemented to restrict access only to authorized personnel on a ‘need-to-know’ and ‘least privilege’ basis for the purpose of maintaining the Services.

Firebase Security Rules ensure that only authorized users can access their respective data.

Measures for ensuring physical security of locations at which personal data are processed

Cloud service provider security
VirtusNova uses Google Cloud Platform (GCP) and Firebase for its production data centers to provide the Services. All Customer Personal Data is processed and stored exclusively in Google Cloud Platform’s data centers. Google Cloud Platform has internationally recognised certifications and accreditations, demonstrating compliance with rigorous international standards, such as ISO 27001, ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC 1, SOC 2 and SOC 3, and PCI DSS Level 1. Google Cloud Platform’s certification and compliance information may be accessed from the Google Cloud Security and Compliance website.

VirtusNova remote work environment
VirtusNova operates as a fully remote organization. All team members work from their home offices or other remote locations. VirtusNova implements security measures for remote work environments, including:

  • Secure remote access protocols and VPN requirements for accessing production systems
  • Multi-factor authentication for all team members accessing VirtusNova systems
  • Security policies and training for remote work environments
  • Device security requirements including full disk encryption and screen lockouts
  • Confidentiality agreements and security policies applicable to all team members

No Customer Personal Data is processed or stored on team members’ local devices or in their home offices. All data processing occurs exclusively within Google Cloud Platform’s secure data centers.

Measures for ensuring events logging

All systems used in the provision of the VirtusNova Services log information to secure log servers to enable security reviews and analysis. Firebase and Google Cloud Platform provide comprehensive logging capabilities for authentication events, database access, API calls, and system operations. VirtusNova utilizes Firebase and Google Cloud Platform’s centralized logging and monitoring capabilities, which contain information pertaining to security, monitoring, availability, access, and other metrics about the Services.

Firebase and Google Cloud Platform provide comprehensive logging and audit trail capabilities. See also: Intrusion Detection and Monitoring above for more details.

Measures for ensuring system configuration, including default configuration

VirtusNova utilizes Google Cloud Platform’s managed services (Firebase, Cloud Functions) which are maintained and secured by Google. For any self-managed infrastructure, VirtusNova performs security assessments and vulnerability scans and uses commercially reasonable efforts to remediate any findings that present a material risk to the Services environment.

The configuration and builds of systems are managed in code via Configuration Management Systems. Changes to configuration sets require peer review and approval. New instances are created from pre-configured and hardened configurations.

Firebase and Google Cloud Platform services are configured according to security best practices and industry standards.

Measures for internal IT and IT security governance and management and Measures for certification/assurance of processes and products

VirtusNova implements and maintains industry-standard security policies and procedures that align with the National Institute of Standards and Technology (NIST) cybersecurity framework.

Security policies and standards are implemented and overseen by qualified personnel. VirtusNova leverages the security certifications and compliance of Google Cloud Platform and Firebase, which maintain comprehensive security certifications including ISO 27001, ISO 27017, ISO 27018, SOC 2, SOC 3, and PCI DSS Level 1 compliance. Information regarding these certifications is publicly available from Google Cloud Platform.

Measures for ensuring data minimisation

Access to personal data is restricted on a ‘need-to-know’ and ‘least privilege’ basis.

Data exporters (customers) are data controllers of the data they choose to upload onto the Services and may decide to limit the amount of data being processed.

Access to production servers is controlled through role-based access controls.

Measures for ensuring data quality

Data is retrieved from social media networks in real time using APIs, and the accuracy and quality of the data depend on the source data from the social networks.

Data exporters (customers) are data controllers of the data they choose to upload onto the Services and may update or amend the data to ensure data quality.

Measures for ensuring limited data retention

To maintain data accuracy and minimize data retention, and where applicable to the Services, data retrieved from social networks may be temporarily stored for display and processing purposes.

A Records Retention and Destruction Policy is in place and data is retained as long as required to provide the Services, for record keeping purposes, to comply with legal obligations, resolve disputes, and enforce the terms for the Services.

Data deletion processes are in place for data subject deletion requests.

Measures for ensuring accountability

Security and data protection responsibilities are assigned to qualified personnel who ensure appropriate security and data protection policies and procedures are implemented and adhered to.

VirtusNova has designated a Data Protection Officer who oversees the privacy program and ensures compliance with applicable data protection laws.

At the Executive level, leaders are regularly updated on data protection matters and may be involved in providing strategic input into VirtusNova’s data protection practices.

Employees undergo annual privacy and security training.

A process has been implemented to promptly respond to and manage data subject requests, such as requests for access and deletion of their information.

VirtusNova observes privacy by design principles, including conducting privacy impact assessments and reviews when implementing new product functionality and new processes.

Measures for allowing data portability and ensuring erasure

Customers may request the return or deletion of all personal data and copies of such data in its custody or control. Processes are in place for data subject deletion requests.

For data portability, there are “Data Exporting” options within the Services where Customer content may be exported into CSV or other standard formats.

Firebase provides tools and APIs to facilitate data export and deletion in accordance with data protection requirements.

Subprocessor Information

VirtusNova uses the following categories of Subprocessors to provide the Services:

  • Cloud Infrastructure and Hosting: Google Cloud Platform (Firebase, Cloud Functions, Cloud Storage, Firestore, Vertex AI)
  • Payment Processing: Stripe, Inc.
  • Cloud Storage Integration: Google Drive (via Google APIs), Dropbox, Inc.
  • Social Media Platform APIs: Facebook/Meta Platforms, Instagram (Meta Platforms), LinkedIn Corporation, X/Twitter, TikTok
  • Email Services: Resend, Inc. (for transactional emails)
  • AI Services: Google Cloud Vertex AI, Google Generative AI

For the most current list of Subprocessors, please visit: https://virtusnova.marketing/virtusnova-subprocessor-list/

If you require a written and signed agreement, please contact info@virtusnova.marketing to complete your customer details and electronically sign the addendum.