Definitions

Controller, Processor, Data Subject, Personal Data, Processing, and Personal Data Breach have the meanings given in the GDPR and CCPA.

GDPR means Regulation (EU) 2016/679.

SCCs means the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914 – Module 2: Controller to Processor).

Roles and Scope

Viribuz Media acts as Processor (or Service Provider under CCPA) when processing Personal Data on behalf of Controller for the purpose of delivering digital advertising and performance-marketing campaigns.

Details of Processing

Sub-processors

Controller authorises the sub-processors listed at https://www.viribuzmedia.com/subprocessors (updated in real time).

Processor will provide 30 days’ notice of any new sub-processor.

Obligations of Processor

• Process Personal Data only on Controller’s documented instructions
• Ensure confidentiality of all persons authorised to process the data
• Implement appropriate technical and organisational measures
• Assist with data-subject requests, DPIAs, and breach notification
• Delete or return all Personal Data at termination of services
• Make available information necessary to demonstrate compliance

Security Measures

• Encryption in transit (TLS 1.3) and at rest (AES-256)
• Multi-factor authentication enforced on all accounts
• Continuous external vulnerability scanning (Intruder.io, CREST-accredited)
• Immutable backups (AWS S3 Object Lock)
• Incident response plan tested annually
• Employee background checks and annual security training

International Data Transfers

Transfers outside the EEA are governed by the EU Standard Contractual Clauses (Module 2), incorporated by reference:

CCPA/CPRA

Processor is a Service Provider. Processor does not sell or share Personal Information and does not use it outside the business purpose.

Governing Law

This DPA is governed by the laws of the State of Florida.

Execution

This DPA is effective upon acceptance of the Agreement and remains in force for the duration of the services.