📋 For Enterprise Customers
This Data Processing Agreement (DPA) is available for enterprise customers who process personal data through Virvell's platform. Our DPA outlines our commitments under GDPR, PIPEDA, CCPA, and other global data protection regulations.
What is a DPA?
A Data Processing Agreement is a legally binding contract between a data controller (you, the customer) and a data processor (Virvell) that governs how personal data is processed. It ensures compliance with global privacy regulations including:
- GDPR (European Union & EEA)
- PIPEDA (Canada)
- UK GDPR (United Kingdom)
- CCPA (California, USA)
- Swiss FADP (Switzerland)
Key Provisions
Our comprehensive DPA includes:
- Data Processing Scope: Clear definitions of processing activities, data types, and data subjects
- Security Measures: Enterprise-grade technical and organizational safeguards (TLS 1.2+, AES-256 encryption)
- Sub-Processor Management: Full transparency and notification requirements for third-party processors
- Data Subject Rights: Assistance with access, deletion, rectification, and portability requests
- Cross-Border Transfers: Standard Contractual Clauses (SCCs) for international data transfers
- Breach Notification: Immediate notification procedures for security incidents
- Audit Rights: Customer audit and inspection capabilities with reasonable notice
- Data Retention: Clear retention periods aligned with our Privacy Policy
Standard Contractual Clauses
Our DPA incorporates the Standard Contractual Clauses (SCCs) approved by:
- European Commission (EU 2021/914) for EEA data transfers
- UK ICO (Addendum B.1.0) for UK data transfers
- Swiss FDPIC requirements for Swiss data transfers
These SCCs provide legally compliant mechanisms for transferring personal data from the EU, UK, and Switzerland to Canada and other jurisdictions.
📥 Download DPA
Current Version: 1.0 (November 2025)
Download DPA (PDF)
18-page comprehensive agreement including all annexes and Standard Contractual Clauses
Execution Process
For enterprise customers requiring a Data Processing Agreement:
- Review: Download and review the complete DPA document
- Questions: Contact our legal team with any questions or required amendments at legal@virvell.ai
- Execute: The DPA is executed alongside your Master Service Agreement or Order Form
- Countersign: Receive countersigned copy for your compliance records
Our Data Processing Activities
Under the DPA, Virvell processes the following types of personal data on behalf of our customers:
Types of Personal Data
- Contact information (names, phone numbers, email addresses)
- Employment information (job titles, employment dates, work history)
- Voice recordings and conversation transcripts
- Performance assessments and professional feedback
- Reference recommendations and evaluations
Categories of Data Subjects
- Job candidates undergoing reference checks
- Professional references (current and former colleagues, supervisors)
- Customer employees (hiring managers, HR personnel)
Data Retention Periods
- Voice recordings: 3 years from date of collection
- Reference reports: 4 years from date of generation
- Account data: Duration of Agreement plus 24 months
Sub-Processors
We maintain full transparency about our sub-processors who may process customer data:
- View our complete list of sub-processors: Sub-Processors Page
- Subscribe to notifications of new sub-processors
- 5-day objection period for new sub-processor additions
Security Measures
Our DPA requires the following enterprise-grade security controls:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Access controls and multi-factor authentication
- Regular security assessments and vulnerability testing
- Incident response procedures and breach notification protocols
- Employee confidentiality agreements and security training
- Secure development practices and code review processes