Data Processing Agreement

• UK GDPR means the Data Protection Act 2018 and the UK GDPR as defined in section 3 of that Act.
• Personal Data, Processing, Data Subject, Controller, Processor and Supervisory Authority have the meanings given in the UK GDPR.
• Sub-processor means any third party engaged by us to process personal data on your behalf.
• Service means the Visualiseo platform, dashboard, and embeddable widget.

For personal data that end users submit through the Visualiseo widget embedded on your website for the purpose of generating a render, you are the Controller and we are the Processor. This DPA applies to all such processing.

Where an end user opts in at the widget Save popup to publish their before/after images to the public gallery (on visualiseo.co.uk and on your own gallery), that processing is joint-controller under Article 26 UK GDPR, not processor. That processing is governed by the Joint Controller Agreement incorporated into our Terms, not by this DPA. A plain-English summary is at /legal/joint-controller-summary.

For data we process as our own controller (our server logs, aggregate usage statistics, security telemetry, and your account information), our Privacy Policy applies, not this DPA.

We will:

• Process personal data only on your documented instructions. Using the Service in accordance with its documentation is a documented instruction.
• Notify you if we believe an instruction infringes the UK GDPR or other data protection law.
• Ensure that personnel authorised to process personal data are bound by appropriate confidentiality obligations.
• Implement appropriate technical and organisational security measures (see Annex 1).
• Assist you, taking into account the nature of the processing and information available to us, in responding to requests from data subjects and in meeting your obligations under Articles 32 to 36 UK GDPR (security, breach notification, data protection impact assessments, prior consultation).
• On termination of the service, delete or return all personal data to you, at your choice, unless retention is required by law.
• Make available to you the information necessary to demonstrate compliance with this DPA.

The security measures we apply are described in Annex 1 below. You accept those measures as appropriate to the risk of the processing.

You give us general authorisation to engage sub-processors to deliver the Service. The current list of sub-processors is in Annex 2 and is also published at /sub-processors. We will:

• Impose data protection obligations on each sub-processor no less protective than those in this DPA.
• Remain liable to you for the acts and omissions of any sub-processor to the same extent as for our own acts.
• Give you at least 30 days' email notice of any proposed addition or replacement by updating Annex 2 and our public sub-processor list. You may object on reasonable data-protection grounds within that period by emailing privacy@visualiseo.co.uk. If we cannot accommodate the objection, you may terminate the affected part of the Service.
• Account holders are automatically notified of material sub-processor changes by email. You can also subscribe to updates at /sub-processors.

Some of our sub-processors are based outside the UK and EEA. Where this is the case we rely on safeguards recognised by UK data protection law:

• The UK-US Data Bridge (UK extension to the EU-US Data Privacy Framework) for providers that are DPF-certified.
• The UK International Data Transfer Addendum to the EU Standard Contractual Clauses.
• Adequacy decisions issued by the UK government, where available.
• Another lawful transfer mechanism under Article 46 UK GDPR.

We have completed a Transfer Risk Assessment for each international sub-processor. By agreeing to this DPA you also authorise these transfers. You may request copies of the relevant transfer mechanisms and TRAs by emailing legal@visualiseo.co.uk.

Taking into account the nature of the processing, we will assist you by appropriate technical and organisational measures, insofar as this is possible, in responding to requests from data subjects to exercise their rights under the UK GDPR. If a data subject contacts us directly about their rights, we will inform them to contact you and forward the request where appropriate.

We will notify you without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting your data. The notification will contain the information we have at the time to the extent required under Article 33(3) UK GDPR and will be updated as further information becomes available.

We will make available all information reasonably necessary to demonstrate compliance with this DPA. Because we are a multi-tenant SaaS provider, on-site audits are not generally available. Instead you may, at your cost and no more than once a year (or more often if required by law or following a breach), submit a written audit questionnaire covering matters relevant to this DPA, which we will answer within 30 days.

On termination of the Service, we will, at your choice, delete or return all personal data we process on your behalf, unless we are required by law to retain it. Deletion from backups may take up to 90 days.

The liability of each party under this DPA is subject to the limitations and exclusions in the Terms. Nothing in this DPA limits either party's statutory liability under UK data protection law.

If there is a conflict between this DPA and the Terms on the subject of data protection, this DPA prevails. This DPA starts when you accept the Terms and ends when your account is terminated and all data has been returned or deleted in accordance with Clause 11.

We may update this DPA from time to time. Changes that materially affect your rights or our obligations will be notified to you by email at least 30 days before they take effect. Changes that narrowly reflect an updated sub-processor list, address or similar operational detail may be made by updating the Annexes and the “Last updated” date.