Data Processing Addendum

The DPA applies whenever Vireon Labs processes personal data on behalf of a customer in connection with the services described in an executed Statement of Work. The customer determines the purposes and means of processing; Vireon Labs processes data only on documented customer instructions.

• Nature of processing: design, development, deployment, support, and maintenance of customer software and data platforms.
• Purpose: delivering the services agreed in the applicable SOW.
• Categories of data subjects: as defined by the customer (typically employees, end-users, suppliers, or patients in regulated engagements).
• Categories of personal data: identifiers, contact details, professional information, and any other data the customer provides or permits us to access.
• Special categories: processed only when explicitly contracted (e.g., healthcare) and under additional safeguards.

We engage sub-processors under written agreements imposing obligations equivalent to those in the DPA. Current sub-processor categories include:

• Cloud infrastructure (AWS, Microsoft Azure, Google Cloud).
• Source control and CI/CD (e.g., GitHub).
• Project management, ticketing, and communication tooling.
• Error monitoring, logging, and analytics providers.

Customers receive prior notice of new sub-processors and may object on reasonable data-protection grounds. A current list is available on request at hello@vireonlabs.com.

Where personal data is transferred outside the EEA, the UK, or Switzerland, transfers rely on the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and, where required, supplementary technical and organizational measures based on a documented transfer impact assessment.

Vireon Labs implements appropriate technical and organizational measures to protect personal data, including encryption, least-privilege access, logging, secure SDLC practices, vendor risk management, and incident response. See our Security Practices for details.

We assist customers in responding to data subject access, rectification, deletion, restriction, portability, and objection requests, taking into account the nature of the processing and the information available.

Vireon Labs will notify the customer without undue delay — and in any event within 72 hours — after becoming aware of a personal data breach affecting customer data, and will provide all information reasonably required for the customer to meet its regulatory obligations.

Vireon Labs makes available information necessary to demonstrate compliance with Article 28 GDPR and allows for, and contributes to, audits conducted by the customer or its mandated auditor on reasonable notice and at reasonable intervals, subject to confidentiality obligations.

Upon termination or expiry of the services, Vireon Labs will, at the customer's choice, return or delete all personal data processed on the customer's behalf, except where storage is required by applicable law.

To request an executable DPA, sub-processor list, or security documentation, email hello@vireonlabs.com.