Data Processing Addendum (DPA)
This Data Processing Addendum (DPA) supplements the Virex Terms of Service and Privacy Policy and applies when CivicAI Solutions Pty Ltd (ACN 693 254 965, ABN 92 693 254 965), trading as Virex (Processor), processes personal data on behalf of a Customer (Controller) where that Customer is established in the EU/EEA, the UK, or any other jurisdiction whose law requires a written processor agreement (e.g. GDPR Art. 28, UK GDPR Art. 28).
This DPA forms part of the agreement between the parties. By using the Service for any data subjects established in the EU/EEA or UK, the Customer accepts this DPA. No signature is required; executed copies for procurement purposes are available on request to VIREX@civicai-solutions.com.
1. Definitions
Terms used but not defined here have the meaning given in the GDPR. "Customer Data" means any personal data submitted by the Customer or its end users to the Service. "Sub-processor" means a third party engaged by Virex to process Customer Data.
2. Roles & Subject Matter
The Customer is the Controller and Virex is the Processor of Customer Data. The subject matter and duration of processing is the term of the Service contract. The nature and purpose of processing is to provide the Service. The categories of data subjects are the Customer's authorised users and any individuals identified in prompts or Generated Content. The categories of personal data are those listed in Section 2 of the Privacy Policy.
3. Processor Obligations (GDPR Art. 28)
Virex will:
- Process Customer Data only on documented instructions from the Controller (the Service configuration and the agreement constitute such instructions).
- Ensure that personnel authorised to process Customer Data are bound by appropriate confidentiality obligations.
- Implement the technical and organisational security measures described in Section 10 of the Privacy Policy.
- Engage Sub-processors only with prior general written authorisation (see Section 5 of this DPA).
- Assist the Controller in fulfilling data subject rights requests and in meeting its obligations under GDPR Articles 32-36 (security, breach notification, DPIAs, prior consultation), taking into account the nature of the processing and information available to Virex.
- Make available all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (subject to reasonable confidentiality and scheduling constraints; for SaaS multi-tenant audits we typically rely on third-party security reports).
- At the choice of the Controller, delete or return all Customer Data after the end of the provision of services and delete existing copies, unless retention is required by law (see Section 12 of the Terms for retention windows).
4. Security Measures
Virex implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including: encryption in transit (TLS 1.2+), encryption at rest where supported by sub-processors, access controls and authentication, audit logging, regular review of security measures, isolation of customer environments where applicable, and personnel training on data protection. A current summary of measures is available on request.
5. Sub-processors
The Controller authorises Virex to engage the sub-processors listed in Section 5 of the Privacy Policy and to make additions or changes to that list provided that:
- Virex imposes data-protection obligations on each sub-processor at least equivalent to those imposed on Virex by this DPA.
- Virex provides the Controller with at least 30 days' notice of intended changes (by email or in-app banner). The Controller may object to such changes on reasonable data-protection grounds within that period; if the parties cannot resolve the objection in good faith, the Controller may terminate the relevant Service component without penalty.
6. International Transfers
Where Virex transfers Customer Data outside the EU/EEA, the UK, or another jurisdiction with adequate protection, it does so using one of the transfer mechanisms recognised under GDPR Chapter V — most commonly, the EU-U.S. Data Privacy Framework (where the recipient is certified) or the European Commission's Standard Contractual Clauses (SCCs, 2021/914) Module 2 (Controller to Processor) or Module 3 (Processor to Sub-processor) as applicable. By accepting this DPA, the parties agree that the SCCs are deemed entered into by reference and incorporated herein, with Annex I (parties), Annex II (security measures), and Annex III (sub-processors) populated by reference to this DPA and the Privacy Policy.
For transfers from the UK, the parties rely on the UK International Data Transfer Addendum (IDTA) to the SCCs, which is incorporated by reference.
7. Data Subject Rights Assistance
Virex will, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, to fulfil the Controller's obligation to respond to data subject requests under GDPR Chapter III. Where Virex receives a data subject request directly, it will not respond substantively but will inform the data subject to direct the request to the Controller (or, where Virex is the Controller for that data, will respond directly).
8. Personal Data Breach
Virex will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach affecting Customer Data, providing the information required by GDPR Art. 33(3). Virex will assist the Controller in fulfilling its breach notification obligations under GDPR Articles 33-34.
9. Liability
The liability provisions of the Terms of Service apply to this DPA. Nothing in this DPA limits or excludes either party's liability under GDPR Art. 82.
10. Term & Termination
This DPA takes effect when the Customer first uses the Service to process EU/EEA or UK personal data and continues until the end of the Service contract. Provisions that by their nature should survive termination (e.g. obligations relating to data deletion and audit cooperation) survive.
11. Governing Law
This DPA is governed by the law specified in Section 21 of the Terms of Service, except to the extent that mandatory provisions of EU or Member State data-protection law apply.
12. Order of Precedence
In the event of conflict, the order of precedence is: (1) the SCCs (where they apply by virtue of a transfer requiring them), (2) this DPA, (3) the Privacy Policy, (4) the Terms of Service.
13. Contact
For DPA-related questions, sub-processor objections, or to request an executed copy: VIREX@civicai-solutions.com.
Last updated: 2026-04-26. CivicAI Solutions Pty Ltd (ACN 693 254 965, ABN 92 693 254 965). All rights reserved.