ViralSlides
Legal

Data Processing Addendum

The supplemental terms that apply when we process personal data on your behalf.

Last updated: 2026-05-17

This document is provided in good faith for transparency. It has not been reviewed by legal counsel. Before relying on it for any business decision, please consult a qualified attorney in your jurisdiction.

This Data Processing Addendum ("DPA") forms part of the agreement between ViralSlides ("Processor") and the Customer identified in the account ("Controller"). It governs the processing of personal data that the Controller submits to the Service.

1. Definitions

Capitalized terms not defined here have the meaning given in our Terms of Service. "Personal Data", "Data Subject", "Processing", "Controller" and "Processor" have the meanings given in the EU General Data Protection Regulation (Regulation 2016/679, "GDPR"), the UK GDPR, or comparable applicable law.

2. Scope and roles

The Controller determines the purposes and means of Processing Personal Data uploaded to the Service. ViralSlides acts as Processor and Processes Personal Data only on documented instructions from the Controller, as set out in this DPA, the Terms of Service, and any configuration within the dashboard.

3. Categories of data and data subjects

The Service is designed for marketing assets for the Controller's mobile apps. Personal Data typically includes:

  • Controller staff contact details (name, email, organization information).
  • Optional uploaded artwork or screenshots, which may incidentally contain personal data of the Controller's end users.
  • API access logs and usage data attributable to Controller staff.

4. Controller obligations

The Controller represents and warrants that it has a lawful basis to Process the Personal Data it uploads to the Service, that it has informed Data Subjects in accordance with applicable law, and that any instructions given to ViralSlides comply with applicable law.

5. Processor obligations

  • Process Personal Data only as instructed by the Controller (e.g. through normal use of the Service).
  • Implement appropriate technical and organizational measures consistent with the security commitments in our Privacy Policy.
  • Ensure that personnel with access to Personal Data are bound by confidentiality obligations.
  • Provide reasonable assistance with Data Subject access, deletion, and similar rights requests.
  • Notify the Controller without undue delay (and in any case within 72 hours of confirmation) of any Personal Data Breach affecting the Controller's data.

6. Sub-processors

The Controller authorizes ViralSlides to engage sub-processors to operate the Service. Current sub-processors include:

  • Stripe — payment processing.
  • Cloudflare R2 — slide and ZIP storage.
  • MongoDB Atlas — primary application database.
  • Resend — transactional email delivery.
  • AI model providers — hook, caption, and slide generation.
  • Vercel — frontend hosting.

We will publish material changes to the sub-processor list with at least 30 days' notice. The Controller may object to a new sub-processor on reasonable data-protection grounds; if the objection cannot be resolved, the Controller may terminate the affected portion of the Service.

7. International transfers

Where Personal Data is transferred outside of the European Economic Area, the United Kingdom, or other regions with applicable transfer restrictions, the parties agree to rely on the appropriate Standard Contractual Clauses (or their UK equivalent), which are incorporated into this DPA by reference.

8. Audits

On reasonable written request, and no more than once per calendar year, ViralSlides will make available information necessary to demonstrate compliance with this DPA. Audit information will normally be satisfied by sharing our security and operational documentation; on-site audits require a separate written agreement.

9. Deletion and return

Upon termination of the Agreement and at the Controller's request, ViralSlides will delete or return Personal Data Processed under this DPA within 30 days, except where retention is required by law. Backups containing Personal Data roll off within 90 days.

10. Liability

Each party's liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.

11. Contact

Email legal@viralslides.app with questions or to request a countersigned copy of this DPA.