Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of and is subject to the provisions of the Terms of Use.

By agreeing to the Terms, You enter into the DPA to the extent required under the applicable Data Protection Laws. This DPA is in place to prove adequate safeguards for the protection of privacy and fundamental rights and freedoms of individuals for the transfer of Personal Data by the Data Controller to the Data Processor.

In the event of a conflict between the DPA and the Terms, this Data Processing Addendum will control.

Definitions

The definitions outlined within our Terms apply to this Data Processing Addendum as well as the following definitions:

Data Processor - means any entity (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller

Data Controller - means any person or company who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed

Data Protection Laws - refers to all laws and regulations, including laws and binding regulations of the UK (including the UK Data Protection Act 2018) and European Union (including the General Data Protection Regulation & the e-Privacy Directive 2002/58/EC)

GDPR - means the General Data Protection Regulation 2016/679 of the European Parliament and of the Council

Sub-Processors - means any entity engaged by us to process Personal Data in connection with the Services

Sub-Contractors - any Data Processors that are used by our Sub-Processors

Governing Body - a public authority which is established by an EU Member State pursuant to the GDPR.

Data Within Your Control - means the Personal Data in your Account that we process on your behalf, and on your instructions as part of the Services, but only to the extent that you are subject to Data Protection Laws in respect of such Personal Data.

‘Account’ - means any area of viva.website that you manage which requires you to log in using your designated login details

‘Third Party Service’ - means any integration available through our Service that the user has actively chosen to use and thus enter into their own Contract with the relevant service

‘Data Breach’ - means a breach of our infrastructure, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed of the Data Within Your Control.

‘Content’ - means your Personal Data and any Personal Data provided to us from Your End user

How This Addendum Applies To You

This Data Processing Addendum applies to you if you or your End users are located in the United Kingdom, European Economic Area (“EEA”) or Switzerland. It only applies in regards to Data Within Your Control.

You agree that we are not responsible for the Data Within Your Control that you have chosen to process through any Third Party Services or services outside of the Services we provide to you.

Description And Detail Of The Processing Activities

Description of Roles
For the purposes of this DPA, unless explicitly stated, Create Internet Ltd (Trading as Viva!)  is the Data Processor and you are the Data Controller of all the Data Within Your Control.

Description of Processing Activities
Depending on how you use the varied functionality and integrations available through our Services, we will be required to process Data Within Your Control, including that of your End users, in order for us to provide our Services.

Ensuring Compliance with the Law as the Data Controller
You will ensure that any actions taken within the Services, and thus the instructions, are in full compliance with any laws, regulations and rules that are applicable to the Data Within Your Control. Furthermore, you will also ensure that the Data Within Your Control is collected and provided to us in line with the aforementioned laws, regulations and rules, where applicable.

You also agree that the processing of any Data Within Your Control as per the actions instructed through the Services, will not result in us or you breaching any laws, regulations or rules. You are responsible for reviewing any information that is made available to us as a result of us actioning this Addendum and whether this Addendum itself, as well as the Services, meet the required legal obligations. Further to this, you are also responsible for your legal obligations that arise when you agree to this Addendum.

We will under no circumstances access or use any Data Within Your Control except as detailed in this Addendum, necessary for us to maintain and provide the Services or if required to do so by the law or an appropriate Governing Body.

Create Internet Ltd as the Data Controller
In certain situations, Create Internet Ltd will be the Data Controller for certain Personal Data that relates to you or your End users. How we use the Personal Data in which we are the Data Controller is down to us and will be used for our own purposes. For more information on how we use this Personal Data as the Data Controller, please see our Privacy Policy.

Please note that if we provide any information to you, in which we are the Data Controller of, that relates to your website (i.e your End users activity on your site) then you receive that information as a separate Data Controller and how you handle that data needs to be in compliance with the Data Protection Laws. When Create Internet Ltd process Personal Data as a Data Controller, you agree to the fact that this Addendum does not create a joint-controller relationship between you and us.

Our Responsibilities As Your Data Processor

How we will Process Data as the Processor
We will process Data Within Your Control in accordance with this Addendum as well as the actions required of us as instructed by you in your Account. You agree that this Addendum, and the actions taken and thus instructions given by you within your Account are your complete and final instructions to us in relation to the Data Within Your Control.

We will immediately inform you if we feel that your instructions infringe on the applicable Data Protection Laws or for any reason, we are unable to carry out your instructions. If your instructions prevent us from complying with the applicable laws, we will notify you. However, we will not notify you when such disclosure is forbidden by applicable law on the important grounds of public interest.

How we will assist you in Complying
When complying with any requests relating to Data Within Your Control received from Your End user as a Data Controller (as detailed in Chapter 3 of the GDPR), we have provided reasonable tools within your Account that enable you to comply and fulfil your obligations as a Data Controller when you have received any request from your End users regarding their Personal Data. In the instances where you are not able to comply using the tools available within your Account and complicated action is required to remove the Personal Data in question, we will provide, where possible, a reasonable quotation (upon request) based on the action that is required to complete this on your behalf.

Any Requests Regarding the Data In Your Control
With respect to any Data Within Your Control that is not accessible and thus removable within your Account, a request can be made to us in order for you to take relevant action that is otherwise not possible. The request must be made in writing and must include details of Your End user and the Personal Data that the request is referring to, along with any relevant action required to be taken. 

Once the request has been received and validated, we will, where applicable:

  • Remove any Personal Data of Your End user in question or provide copies of the Personal Data of Your End user in an easily accessible format 
  • Contact the applicable Sub-Processor or Sub-Processors to request the removal of any Personal Data relating to Your End user in question.


The request will be acted in accordance with the above except if the request is subject to the limitations as set out in this Data Processing Addendum or restricted by law and/or a Governing Body, where applicable.

What we do when we Receive an Inquiry or Complaint
If we are permitted to do so by the relevant applicable law, we will provide you notice upon receiving an inquiry or complaint from any of your End users, or if required to do so by the law or any lawfully binding order from a Governing Body that relates to the Data Within Your Control that we have processed on your instructions and thus, on your behalf.

Security Incidents and Security
We will at all times ensure that Data Within Your Control is adequately protected in accordance with the requirements of the GDPR. To do so, we agree that we will implement an appropriate level of technical, organisational and procedural measures to protect the Data Within Your Control from security incidents. If we become aware of and confirm any security incident, for which notification to you is required under applicable Data Protection Laws which consists of the unpermitted, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to any Data Within Your Control we will inform you without any undue delay, and in no event longer than 48 hours after we discover the security incident.

If we become aware of and confirm any security incident, for which notification to you is required under applicable Data Protection Laws which consists of the unpermitted, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to any Data Within Your Control we will inform you without any undue delay, and in no event longer than 48 hours after we discover the security incident.

We will always cooperate reasonably with you and provide you with the information you need in order to fulfil your Data Breach obligations under the GDPR. we will also take further measures and actions that are necessary to fix or mitigate the effects of the security incident and we will keep you informed of any material development related to the security incident. Unless required by law we will not take action to notify your End users of any security breach. We may also use external or internal auditors to verify that the security measures that we have in place are adequate in protecting the Data Within Your Control that we store.

Notifying you of a Data Breach
When we are made aware of and confirm the occurrence of a Data Breach, we will immediately notify you in line with the requirements set out in the applicable Data Protection Laws. In order for us to assist you in complying with your notification obligations as set out in articles 33 and 34 of the GDPR, we will provide you with information of the Data Breach that we are reasonably able to disclose with you. The information disclosed will be based upon the type of data involved with the Data Breach, the sensitivity of the data, and if it is subject to any restrictions that prevent us from disclosing information. Our duty to report and respond to a Data Breach as detailed in ‘Notifying you of a Data Breach’ is not and must not be misinterpreted as us acknowledging any fault or liability in regards to the Data Breach. However, our obligations as detailed above do not apply to incidents that are caused by you, any actions taken through your Account and/or any Third Party Services.

Sub-Processors
In the course of providing our Services, we may be required to contract with a Sub-Processor to perform a portion of the Services. You agree that we can share Data Within Your Control with Sub-Processors in order to provide the Services to you. A list of our current Sub-Processors is available upon request by sending an email through our contact form.

You acknowledge and agree that we will use Sub-Processors to process Personal Data and any Data Within Your Control in order for us to provide the Services. Our use of any specific Sub-Processor used must be in compliance with the Data Protection Laws and must be governed by a contract between us and the Sub-Processor.

You may object to any of the Sub-Processors used on the grounds that the request is related to data protection concerns, to do so email [email protected]. If your objection is validated, we will work with you to find a viable alternative for providing the Services without using the Sub-Processor or Sub-Processors in question. If there is no reasonable action found that we can take and you still object to the Sub-Processor being used after notification, you will have the option to terminate your Account with us or, where possible, relinquish use of the part of the Services that require the Sub-Processor in question. If you object to the Sub-Processors that we use and there is no workaround for you to use the Services in any sense without using Sub-Processors in question, then please do not use the Services.

Regardless of any Sub-Processors that we use, we will remain responsible for maintaining it’s compliance with the Data Protection Laws, including any Data Breaches that involve our Sub-Processors and their Sub-contractors in relation to the Data Within Your Control.

Questions in Regards to our Compliance
We will, to a reasonable extent, provide information to you upon request regarding our compliance with this Data Processing Addendum, where such information is not otherwise accessible by you. Only the required information will be made available to you in order for you to fulfil your duties under the GDPR. (Please note that a non-disclosure agreement may be necessary before any information is shared with you as a result of your request).

Data Transfers Of The Data Within Your Control

You agree for us, where required, to transfer any Data Within Your Control to a different country from which it was originally collected. We will ensure that any transfer away from the country in which the Data From Your Control was first collected, especially outside of the EEA, complies with the EU-U.S. and Swiss-U.S. Privacy-Shield Framework, Data Protection Laws and any other legal framework where applicable, to ensure an adequate level of security for the data transfer.

Liability Of The Mentioned Parties

In line with the existing indemnity as outlined in the Terms and Conditions, you indemnify us from any penalties, loss or claims that arise from your End Users, or from Data Within Your Control as a result of, or in conjunction with, your failure to comply with Data Protection Laws and this Data Processing Addendum when using our Service. You agree that when you terminate your Account with us, you agree to remove any Personal Data of your End users in a timely manner in which you are able to do so through your Account. However, you will have responsibility for ensuring these measures comply with the applicable Data Protection Laws and the Personal Data of your End users is still categorised as Data Within Your Control.

Miscellaneous

We will charge you for any request, and thus action, which is outside of the reasonable extent necessary for us to comply with any requests made in relation to this Data Processing Addendum.