Data Use and Processing

1. Data Processing Arrangement. The Customer assumes one of two roles: either as the Controller of Customer Personal Data or as a Processor, handling Customer Personal Data on behalf of a third-party Controller (such as an end customer of the Customer). In either scenario, both parties recognize and agree that Vieu has been designated by the Customer to process Customer Personal Data as a Processor (or sub-Processor, when applicable) on the Customer's behalf. If the Customer acts as a Processor on behalf of a third-party Controller, the Customer will ensure that any Processing instructions given to Vieu under this Data Processing Agreement are in alignment with the directives issued by the Controller to the Customer.
   ‍
2. Stipulated Instructions. Vieu shall process Customer Personal Data exclusively for the following purposes: (1) to fulfill its commitments to Customer as outlined in the Agreement, including this Data Processing Agreement (DPA); (2) on behalf of Customer; and (3) in full compliance with Data Protection Laws. Vieu shall process Customer Personal Data strictly for the business purpose(s) mutually agreed upon by the parties, as specified in the Agreement, this DPA, and any written instructions explicitly endorsed by both parties (collectively referred to as the "Business Purpose(s)"). Customer shall not issue instructions to Vieu that contravene applicable laws, including Data Protection Laws. Vieu is not obligated to oversee Customer's use of the services to ensure compliance with applicable laws, including Data Protection Laws, and Vieu will not be held accountable for any harm or damages resulting from Vieu's adherence to unlawful instructions from Customer. Nonetheless, Vieu shall, unless legally prohibited, (i) notify Customer in writing if it reasonably believes there is a conflict between Customer's instructions and applicable laws, including Data Protection Laws, or if it is required to process Customer Personal Data in a manner inconsistent with Customer's instructions, and (ii) in either case, halt all processing of the affected Customer Personal Data (excluding storage and security maintenance) until Customer issues new instructions that Vieu can adhere to. In the event this provision is invoked, Vieu will not be held liable to Customer under the Agreement for failing to perform the services until new instructions are mutually agreed upon. Customer retains the right, upon notification, to take appropriate measures to halt and rectify any unauthorized use of Customer Personal Data, including any use not sanctioned in this DPA.
   ‍
3. ‍Certification by Service Provider. Vieu will not engage in the following activities: (a) "selling" Customer Personal Data (as defined in quotation marks under the CCPA); (b) "sharing" or processing Customer Personal Data for the purposes of "cross-context behavioral advertising" or "targeted advertising" (as defined in quotation marks under the CCPA); (c) retaining, using, or disclosing Customer Personal Data for any purposes other than those related to the Business Purpose(s), which includes refraining from retaining, using, or disclosing Customer Personal Data for any commercial purpose other than performing its services under the Agreement; (d) retaining, using, or disclosing Customer Personal Data beyond the direct business relationship between Customer and Vieu. Vieu (i) will not attempt to re-identify any pseudonymized, anonymized, aggregate, or de-identified Customer Personal Data without obtaining Customer's explicit written consent; and (iii) will adhere to any applicable restrictions imposed by Data Protection Laws regarding the combination of Customer Personal Data with personal data obtained from another person or entity on behalf of Vieu. Vieu confirms its understanding of the limitations outlined in this Section 3.3 and pledges to abide by them.
   ‍
4. ‍Authorization to Use Subprocessors. The Customer hereby grants Vieu authorization to enlist its affiliates and other Subprocessors for the purpose of processing Customer Personal Data, in accordance with the stipulations outlined in this Data Processing Agreement (DPA) and in compliance with Data Protection Laws.  Below is the current list of Vieu’s Subprocessors. Refer Appendix (1) for the list of Vieu's subprocessors.‍
   ‍
5. Vieu and Subprocessor Compliance. Vieu commits to (i) establishing a written agreement with Subprocessors pertaining to the processing of Customer Personal Data, imposing data protection obligations on these Subprocessors that are consistent with the provisions of this Data Processing Agreement (DPA); and (ii) retaining accountability towards the Customer for any lapses by Vieu's Subprocessors in fulfilling their responsibilities concerning the processing of Customer Personal Data.
   ‍‍‍
6. ‍Notification and Right to Object Regarding New Subprocessors. Vieu will maintain an updated list of its Subprocessors, which can be found in the Section 1.d above in this agreement. The Customer is encouraged to regularly consult the Vieu Subprocessor List. Additionally, the Customer has the option to subscribe to notifications about new Subprocessors by sending an email to info@vieu.com with the subject "Subscribe to New Subprocessors." Once the Customer has subscribed to receive notifications about new Subprocessors, Vieu will provide advance notice of any new Subprocessor before permitting such Subprocessor to process Customer Personal Data. The Customer will have a period of ten (10) days from the receipt of Vieu's notice to submit a valid, good-faith objection to the involvement of such new Subprocessor(s). The Customer's objection should include a clear explanation of the reasonable grounds for the objection. If an objection is raised, both parties will engage in good-faith efforts to address the concerns raised in the objection. In the event that the objection cannot be resolved within a reasonable timeframe, not exceeding thirty (30) days, either party may terminate the Agreement by providing written notice to the other party. Vieu reserves the right to replace a Subprocessor in cases of urgent necessity to ensure the provision of Services. In such circumstances, Vieu will notify the Customer of the substitution as promptly as possible, and the Customer will retain the right to raise objections to the replacement Subprocessor.
   ‍
7. ‍Confidentiality. Vieu will ensure that any individual authorized by Vieu to handle Customer Personal Data on its behalf is bound by confidentiality obligations concerning such Customer Personal Data.
   ‍‍
8. Handling Customer Personal Data Inquiries and Requests. In situations where the Customer, while using the Services, lacks the capability to address a request from a data subject exercising their rights under relevant Data Protection Laws (such as requests for access or deletion), Vieu will, upon the Customer's request, make commercially reasonable efforts to aid the Customer in responding to such data subject requests. If a request concerning Customer Personal Data is directly sent to Vieu, Vieu will use commercially reasonable efforts to promptly inform the Customer within five (5) business days of receiving such request. Vieu will not respond to the request unless explicitly authorized to do so by the Customer. To the extent permitted by law, the Customer will be responsible for covering any reasonable costs incurred by Vieu in providing assistance as outlined in this section. The Customer acknowledges that Vieu relies on the Customer for guidance regarding the extent to which Vieu is allowed to process Customer Personal Data on the Customer's behalf when delivering the Services. Consequently, Vieu will not be held liable under the Agreement for any claims brought by a data subject as a result of any actions or omissions by Vieu, to the extent that such actions or omissions stem from the Customer's instructions or the Customer's failure to fulfill its obligations under applicable law.
   ‍‍
9. Data Protection Impact Assessment and Consultation. To the extent mandated by Data Protection Laws, Vieu commits to offer the Customer reasonable assistance and cooperation for the Customer's execution of a data protection impact assessment related to the processing or proposed processing of Personal Data, as required by relevant Data Protection Laws. This assistance will be provided at the Customer's reasonable expense.
   ‍
10. ‍Limitation on Customer Personal Data Disclosure. To the extent legally permissible in each instance, Vieu shall: (i) promptly inform the Customer in writing upon receiving an order, demand, subpoena, warrant, legal request, or any similar document seeking to compel the release of Customer Personal Data to any non-data-subject third party, including, but not limited to, regulatory authorities and the United States government for surveillance or other purposes; and (ii) refrain from disclosing Customer Personal Data to the third party until the Customer has been given at least forty-eight (48) hours' notice, allowing the Customer to take action, at its own expense, to exercise any rights it may have under applicable laws to prevent, contest, or restrict such disclosure to the extent permitted by applicable laws. If Vieu is legally prohibited by applicable Data Protection Laws from divulging the specifics of a government request to the Customer, Vieu will notify the Customer that it cannot continue to follow the Customer's instructions under this Data Processing Agreement (DPA) without furnishing further details and will await additional instructions from the Customer. Vieu will employ all reasonable and legally available means to challenge any requests for data access under national security processes, including any accompanying non-disclosure provisions.
    
    ‍

2. Information Security Program

• Security Measures. Vieu will establish and maintain commercially reasonable administrative, technical, and physical safeguards as outlined in the Vieu Security Standards to safeguard Customer Personal Data. These measures are subject to regular monitoring for compliance. Vieu will not significantly reduce the overall security of the Service during any Subscription Term.
  
  ‍

3. Security Incidents

• Notice. In the event of a Security Incident coming to its attention, Vieu commits to promptly notify the Customer in writing. Such notification is not an admission of fault or liability. Whenever possible, this notice will encompass all necessary details known to Vieu and mandated by Data Protection Laws, enabling the Customer to fulfill its own notification obligations to regulatory authorities or affected individuals impacted by the Security Incident. This information may include, when applicable and known, the cause of the Security Incident, the types and approximate number of data subjects affected, the categories and approximate number of Customer Personal Data records involved, the potential consequences of the Security Incident, and actions taken or proposed by Vieu to address it, including any measures designed to mitigate its potential adverse effects. Vieu will exert commercially reasonable efforts to: (i) investigate and pinpoint the cause of the Security Incident; (ii) rectify or alleviate the potential adverse effects resulting from the Security Incident, and (iii) minimize the likelihood of a recurrence of such an incident. Vieu will not analyze the contents of Customer Personal Data to determine compliance with specific legal requirements or assess the applicability of particular privacy, data protection, or cybersecurity regulations pertaining to such data. The Customer bears sole responsibility for complying with Security Incident notification obligations applicable to them and for meeting any third-party notification requirements associated with any Security Incident. However, upon written request and upon the Customer covering Vieu's reasonable fees (at prevailing rates) and expenses, Vieu will provide the Customer with reasonable assistance to facilitate the notification of relevant security breaches to competent data protection authorities and/or affected data subjects, should such notification be mandated by Data Protection Laws.
  
  ‍

4. Audits

• Third-Party Audit Reports. Upon the Customer's request, subject to the confidentiality terms stipulated in the Agreement and the execution of specific non-disclosure agreements, Vieu will provide the Customer (or the Customer's independent, reputable, third-party auditor) with information concerning Vieu's compliance with the obligations outlined in this Data Processing Agreement (DPA). This information will include summaries of the most recent third-party audit reports referenced in the Vieu Security Standards. All such summaries, unless generally available to the public on Vieu's website, constitute Vieu's Confidential Information.

• Audit of Vieu. In situations where Data Protection Laws grant the Customer an audit privilege, the Customer (or the Customer's independent, reputable, third-party auditor) may contact Vieu, following the procedures outlined in the "Notices" section of the Agreement, to request an audit of Vieu's policies, procedures, and records relevant to the processing of Customer Personal Data. This audit is to confirm Vieu's adherence to this DPA, provided that the items subject to audit are within Vieu's control and Vieu is not prohibited from disclosure by applicable law, a duty of confidentiality, or any other obligation owed to a third party. The Customer will reimburse Vieu for its costs and expenses associated with this audit, including any time spent, at Vieu's prevailing rates, which will be disclosed to the Customer upon request. Prior to commencing the audit, the Customer and Vieu will mutually agree on the audit's scope, timing, duration, and reimbursement terms, all of which will be reasonable, taking into account Vieu's resources. Under no circumstances is Vieu obligated to disclose information that it is legally prohibited from revealing, pursuant to applicable law, a confidentiality duty, or any other obligation to a third party. Any audit must adhere to the following conditions: (i) conducted during Vieu's regular business hours; (ii) conducted with reasonable prior notice to Vieu; (iii) carried out in a manner that does not unduly disrupt Vieu's operations; and (iv) subject to reasonable confidentiality procedures. Furthermore, such audits are limited to once per year, except when conducted at the direction of a government authority with proper jurisdiction. If the Customer discovers any non-compliance with this DPA during the audit, the Customer will promptly notify Vieu, and Vieu will make commercially reasonable efforts to address any confirmed non-compliance.
  
  ‍

5. Data Deletion

• In the event of the termination or expiration of the Agreement, Vieu will, upon the Customer's request, and subject to the constraints specified in the Agreement and the Vieu Security Standards, either return to the Customer (or make available for export as per the Agreement) all Customer Personal Data within Vieu's possession or securely destroy such Customer Personal Data. This excludes any backup or archival copies, which will be deleted in accordance with Vieu's data retention schedule. However, if Vieu is obligated to retain copies under applicable laws, Vieu will restrict its processing of such Customer Personal Data to the extent mandated by applicable laws.

‍Appendix‍1. Vieu's subprocessors
The Customer acknowledges and concurs that Vieu's utilization of these Subprocessors aligns with the prerequisites of this DPA.