Data Processing Agreement

Last updated: 2026-04-09

This Data Processing Agreement ("DPA") forms part of the Terms of Service between VivaTrainer ("Processor," "we," "us") and organizations using our B2B services ("Controller," "you"). This DPA applies to the processing of personal data on your behalf.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Sub-processor" means any third party engaged by us to process Personal Data.
  • "Data Protection Laws" means GDPR, DPDPA, and other applicable privacy laws.

2. Scope and Roles

When you use VivaTrainer for your organization (gym, team, etc.), you act as the Data Controller for your members' personal data, and we act as the Data Processor processing such data on your behalf.

This DPA applies to the processing of personal data of your organization members including:

  • Member account information (names, emails)
  • Training session data and AI coaching feedback
  • Performance metrics and analytics
  • Organization membership and role data

3. Processing Instructions

We will only process Personal Data:

  • In accordance with your documented instructions
  • As necessary to provide the Services
  • As required by applicable law

If we believe an instruction violates Data Protection Laws, we will notify you promptly.

4. Security Measures

We implement appropriate technical and organizational measures including:

  • Encryption: TLS 1.3 in transit, AES-256 at rest
  • Access Control: Role-based access, multi-factor authentication
  • Network Security: Firewalls, intrusion detection
  • Data Segregation: Logical separation of organization data
  • Monitoring: Continuous security monitoring and logging
  • Backup: Regular encrypted backups with tested recovery
  • Incident Response: Documented breach response procedures
  • Employee Training: Regular security awareness training

5. Sub-processors

We use the following sub-processors. You authorize these sub-processors as of the date you agree to this DPA:

Sub-processor | Purpose | Location
Google Cloud / Firebase | Cloud infrastructure, authentication, database | USA (with EU data residency options)
Overshoot | Real-time AI video analysis | USA
Groq | AI processing for recorded video analysis | USA
Stripe | Payment processing | USA (with local entities)
Razorpay | Payment processing (India) | India

We will notify you of any intended changes to sub-processors, giving you the opportunity to object within 30 days.

6. International Transfers

For transfers of Personal Data outside the EEA, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Additional safeguards as required by Schrems II

For transfers outside India, we comply with DPDPA requirements for cross-border data transfers to countries notified by the government.

7. Data Subject Rights

We will assist you in responding to Data Subject requests including:

  • Access requests
  • Rectification requests
  • Erasure requests
  • Portability requests
  • Objection and restriction requests

We will notify you of any requests received directly from Data Subjects within 5 business days.

8. Data Breach Notification

In the event of a Personal Data breach, we will:

  • Notify you without undue delay, and within 48 hours of becoming aware
  • Provide details of the breach, affected data, and likely consequences
  • Describe measures taken or proposed to address the breach
  • Cooperate with your investigation and remediation efforts
  • Maintain records of all breaches

9. Audits

We will make available information necessary to demonstrate compliance with this DPA and allow for audits, including inspections by you or an auditor mandated by you, subject to:

  • Reasonable advance notice (minimum 30 days)
  • Confidentiality obligations
  • Non-interference with other customers
  • Reasonable costs borne by you

We also maintain SOC 2 Type II certification and will provide reports upon request.

10. Data Retention and Deletion

Upon termination of Services or your request:

  • We will delete or return all Personal Data within 30 days
  • We will provide certification of deletion upon request
  • We may retain data as required by law (with notification)

11. Confidentiality

We ensure that persons authorized to process Personal Data:

  • Have committed to confidentiality or are under statutory obligation
  • Process data only as instructed
  • Receive appropriate training on data protection

12. Your Obligations

As Data Controller, you are responsible for:

  • Ensuring lawful basis for processing (e.g., member consent)
  • Providing appropriate privacy notices to your members
  • Responding to Data Subject requests (with our assistance)
  • Ensuring your use of our Services complies with applicable laws
  • Obtaining necessary consents for video processing

13. Liability

Each party's liability under this DPA is subject to the limitations in the main Terms of Service. We are only liable for damages caused by processing that does not comply with Data Protection Laws or this DPA.

14. Term and Termination

This DPA remains in effect for the duration of your use of our B2B Services. Upon termination, we will process Personal Data only as necessary to wind down Services and comply with legal obligations.

15. Amendments

We may update this DPA to reflect changes in law or our practices. Material changes will be notified 30 days in advance. Continued use of Services after changes constitutes acceptance.

16. Contact

For questions about this DPA or to exercise any rights:

Email: dpa@vivatrainer.app
Data Protection Officer: dpo@vivatrainer.app

Annex A: Processing Details

Subject Matter | AI-powered fitness coaching services for organization members
Duration | Term of the Services agreement
Nature and Purpose | Providing AI coaching, storing training data, analytics
Types of Personal Data | Names, emails, video data (real-time), training metrics, performance data
Categories of Data Subjects | Organization members, coaches, staff
Special Categories | Health-related data (fitness performance) - processed with consent

© 2026 VIVANET. All Rights Reserved.