Data Processing Agreement (DPA)
Version: 0.1 DRAFT Effective Date: April 15, 2026 Last Updated: April 15, 2026
DRAFT NOTICE: This document is currently under legal review. It will be finalized before public launch. Please contact support@viralhostdigital.com with any questions.
1. Purpose
This Data Processing Agreement (“DPA”) forms part of the Terms and Conditions between Viral Host Digital LLC (“Processor”) and the Customer (“Controller”) for Pro tier subscriptions. It governs the processing of personal data in accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679.
2. Scope
This DPA applies when the Customer is subject to GDPR and the Customer’s use of Tendril involves processing personal data for which the Customer is the data controller.
Note on the nature of Tendril: Tendril primarily runs on the Customer’s local device. Most personal data processed through Tendril never leaves the Customer’s device. This DPA covers the limited scenarios where personal data is transmitted to Viral Host Digital LLC’s servers (license activation, optional telemetry).
3. Definitions
Terms used in this DPA shall have the meanings given in GDPR Article 4:
- Personal Data — any information relating to an identified or identifiable natural person
- Processing — any operation performed on personal data
- Data Subject — an identified or identifiable natural person
- Controller — the entity that determines the purposes and means of processing
- Processor — the entity that processes data on behalf of the controller
- Sub-processor — a third-party processor engaged by the Processor
4. Roles and Responsibilities
4.1 Controller
The Customer is the Controller of any personal data processed through Tendril.
4.2 Processor
Viral Host Digital LLC acts as a Processor only for the limited data transmitted to Viral Host Digital LLC’s servers:
- License activation data (license key, machine identifier, activation timestamps)
- Optional telemetry data (if the Customer has opted in)
5. Processor Obligations
Viral Host Digital LLC shall:
5.1 Processing Instructions
Process personal data only in accordance with documented instructions from the Controller, including this DPA and the Terms and Conditions. If required by law to process data beyond these instructions, Viral Host Digital LLC shall notify the Controller unless prohibited by law.
5.2 Confidentiality
Ensure that persons authorized to process personal data are bound by confidentiality obligations.
5.3 Security Measures
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of data in transit (TLS 1.2+)
- Access controls and authentication for internal systems
- Regular security reviews
- Incident response procedures
5.4 Sub-processors
Engage sub-processors only with the Controller’s prior consent. Current sub-processors:
- AWS (for licensing server infrastructure) — located in us-east-1 (N. Virginia), United States
- Stripe (for payment processing) — located in the United States
Viral Host Digital LLC shall notify the Controller of any intended changes to sub-processors with at least 30 days’ notice.
5.5 Data Subject Rights
Assist the Controller, to the extent possible, in responding to requests from Data Subjects exercising their rights under GDPR (access, rectification, erasure, restriction, portability, objection).
5.6 Breach Notification
Notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach.
5.7 Data Protection Impact Assessment
Assist the Controller with data protection impact assessments and prior consultations with supervisory authorities as required under GDPR Articles 35-36.
5.8 Return or Deletion
Upon termination of service, delete or return all personal data to the Controller within 30 days, unless retention is required by law.
5.9 Audits
Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits conducted by the Controller or an auditor mandated by the Controller, subject to reasonable notice and confidentiality obligations.
6. International Data Transfers
If personal data is transferred outside the European Economic Area (EEA), Viral Host Digital LLC shall ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission.
7. Liability
Each party’s liability under this DPA is subject to the limitations of liability set forth in the Terms and Conditions.
8. Term
This DPA remains in effect for the duration of the Terms and Conditions and until all personal data has been returned or deleted in accordance with Section 5.8.
9. Amendments
This DPA may be amended only in writing, signed by both parties (electronic signatures acceptable).
10. Contact
Data Protection Officer: support@viralhostdigital.com
Customer contact for DPA matters: support@viralhostdigital.com
Annex 1: Description of Processing
Categories of Data Subjects:
- Customer’s authorized users (employees, contractors) who install and use Tendril
Categories of Personal Data:
- License identifiers (license key, machine fingerprint)
- Activation timestamps
- Telemetry (if opted in): aggregate usage counts, error reports without personal content
Processing Purposes:
- License validation and enforcement
- Software improvement (telemetry, if opted in)
- Fraud prevention
Duration of Processing:
- License data: duration of the subscription plus 3 years for audit purposes
- Telemetry data: 12 months, then aggregated and anonymized
Annex 2: Technical and Organizational Security Measures
- Encryption: TLS 1.2+ for all data in transit to licensing servers; local API keys encrypted via OS keychain
- Access controls: Multi-factor authentication for internal systems; least-privilege access
- Monitoring: Server logs retained for security monitoring and incident response
- Backup: Regular encrypted backups of licensing database
- Incident response: Documented procedures for identifying, containing, and reporting breaches
- Training: Regular security awareness training for personnel