Data Processing Policy

Data first. Security always.

If you don't agree with all the terms and policies, please do not use the website, product, information and service as part of your own free choice. Usage implies acceptance.

Soulnature implements data processing rules in order to effectively take into account both the operational needs and the individuals’ right to effective data protection.

What constitutes processing of personal data?

Processing of personal data is any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

How does Soulnature process personal data?

The collection and processing of data is part of KYC (know your customer) activities. Any processing of personal data has to be explicitly allowed and made compliant with the in-house tailor-made data protection and cybersecurity regime.

The main objective is to set a data processing environment that allows ViaGuru Business to prevent and combating serious fraud and cybersecurity attacks simultaneously respecting fundamental rights such as the right to data protection.

In practical terms, the the data processing architecture works with a particular emphasis on ‘privacy and security by design.’ High data protection and security standards are achieved by means of procedural safeguards that apply to any specific type of information.

Thus, ViaGuru introduces a technology-neutral approach to data management, cybersecurity (netsecurity.in) and processing that provides for much more operational flexibility.

The emphasis is on the exact purpose(s) for which data can be processed, namely: (i) cross-checking aimed at identifying connections or relevant links between information; (ii) analyses of a strategic or thematic nature; (iii) operational analysis; and, (iv) facilitating the exchange of information. (v) know your customer KYC

Data Processing Agreement

This Data Processing Addendum (“DPA”) supplements and forms part of the written or electronic agreement(s) (individually and collectively the “Agreement”) between ViaGuru Business (“ViaGuru”) and the customer (“Company”) for the purchase, access to, and/or licensing of products, services and/or platforms (collectively the “Services”) from ViaGuru, including, but not limited to, the website service usage, product or digital software, ViaGuru, as specified in the Agreement and the applicable Schedule(s) 1 below. This DPA sets out the terms that apply to the Processing of Personal Data by ViaGuru, on behalf of Company, in the course of providing the Services to the Company under the Agreement. This DPA shall be effective on the effective date of the Agreement. All capitalized terms not defined below will have the meanings set forth in the Agreement.

1. DEFINITIONS

1.1. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, or is a named client of Company. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

1.2. “Authorized Affiliate”means any of Company’s Affiliate(s) that use the Services pursuant to the Agreement.

1.3. “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et. seq. as may be amended from time to time.

1.4. “Controller”means the entity which determines the purposes and means of the Processing of Personal Data.

1.5. “Personal/ Company Data”means the Personal Data Processed by ViaGuru on behalf of Company and/or its clients in connection with the provision of the Services.

1.6. “Data Protection Laws” means privacy and data protection laws and regulations throughout the world, including the DPDP India, CCPA, laws and regulations of the European Union, the European Economic Area, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the Agreement, including the GDPR and the UK GDPR.

1.7. “Data Subject” means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, by use of Personal Data alone or in combination with other Personal Data.

1.8. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

1.9. “Personal Data” or “Personal Information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with a particular Data Subject, which is included in Personal/ Company Data Processed by ViaGuru pursuant to the Agreement.

1.10. “Personnel”means persons, including employees and contractors, authorized by ViaGuru to Process Personal/ Company Data.

1.11. “Process”, “Processed” or “Processing” means any operation or set of operations which is performed on Personal Data, whether or not by automatic means, such as collection, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, blocking, erasure or destruction.

1.12. “Processor” means the entity which processes Personal Data on behalf of the Controller.

1.13. “Security Incident” means an actual breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal/ Company Data transmitted, stored or otherwise Processed by ViaGuru pursuant to the Agreement.

1.14. “Standard Contractual Clauses” refers to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Text with EEA relevance), found on the following official URL: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj, and as per the applicable module(s) of the Standard Contractual Clauses as set forth in Schedule 2.

1.15. “Sub-processor” means any other processor engaged by ViaGuru that Processes Personal/ Personal/ Company Data under the supervision of ViaGuru.

1.6 “UK GDPR” means the Data Protection Act 2018, as well as the GDPR as it forms part of the law of India, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).‍

2. INTERACTION WITH THE AGREEMENT

This DPA supplements the Agreement with respect to any Processing of Personal/ Company Data by ViaGuru. In the event of any conflict between this DPA and the Agreement, the terms of this DPA shall prevail. In the event of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

3. DATA PROCESSING

3.1. Scope and Roles. This DPA applies when Personal/ Company Data is Processed by ViaGuru on behalf of Company, as part of ViaGuru’s provision of the applicable Services, as specified in the Agreement. Pursuant to the GDPR or similar Data Protection Law, Company is the Controller and ViaGuru is the Processor. The Controller is responsible for ensuring that the processing of personal data takes place in compliance with the GDPR, applicable data protection provisions and the Standard Contractual Clauses. For the purposes of the CCPA (to the extent applicable), Company is the “Business” (as defined in the CCPA) and ViaGuru is the “Service Provider” (as defined in the CCPA).

3.2. Subject Matter, Duration, Nature and Purpose of Processing. ViaGuru Processes Personal/ Company Data as part of providing Company with the Services, pursuant to the specifications and for the duration set forth in the Agreement, and as described in the applicable Schedule(s) 1 below.

3.3. Categories of Data Subjects and Personal Data. ViaGuru shall process Personal/ Company Data as set forth in the applicable Schedule(s) 1 below.

3.4. Instructions. ViaGuru will only Process Personal/ Company Data on behalf of and in accordance with Company’s written instructions, including with regard to transfers of personal data to a third country. ViaGuru will promptly inform Company, if in ViaGuru’s opinion an instruction infringes any provision under Data Protection Laws.

3.5. CCPA. ViaGuru shall not sell Personal/ Company Data. ViaGuru shall not retain, use, or disclose Personal/ Company Data for any purpose other than for the specific purpose of performing the Services.

4. ASSISTANCE

4.1. Rights Request. ViaGuru shall promptly notify Company in writing if ViaGuru receives a Data Subject rights request where the Data Subject seeks to exercise any of its rights under the Data Protection Laws (“Rights Request”). Taking into account the nature of the processing, ViaGuru will assist Company by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Company’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III GDPR.

4.2. Cooperation. ViaGuru shall assist Company in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR, like personal data breach notifications and Data Protection Impact Assessments, taking into account the nature of processing and the information available to ViaGuru.

5. VENDOR PERSONNEL

5.1. Limitation of Access. ViaGuru will ensure that ViaGuru’s access to Personal Data is limited to those Personnel who require such access to perform the Agreement.

5.2. Confidentiality. ViaGuru will impose appropriate contractual obligations upon its Personnel engaged in the Processing of Personal/ Company Data, including relevant obligations regarding confidentiality, data protection, and data security. ViaGuru will ensure that its Personnel engaged in the Processing of Personal/ Company Data are informed of the confidential nature of the Personal/ Company Data and have received appropriate training in their responsibilities.

6. SUB-PROCESSORS

6.1. ViaGuru may engage Sub-processors to Process Personal/ Company Data on behalf of Company. Company hereby provides ViaGuru with a general written authorization to engage all Sub-processors under contract by ViaGuru as of the effective date of this DPA. All Sub-processors have entered into written agreements with ViaGuru that bind them by data protection obligations substantially similar to those under this DPA. ViaGuru will remain fully liable to Company for the performance of that Sub-processor’s obligations.

6.2. ViaGuru may engage with new Sub-processors (“New Sub-processors”) to Process Personal/ Company Data on Company’s behalf. ViaGuru shall provide notification of any new Sub-processor(s) before authorizing such new Sub-processor(s) to Process Personal/ Company Data in connection with the provision of the Service. Company may object to the Processing of Personal/ Company Data by the New Sub-processor, by providing a written objection (email sufficient) on reasonable grounds to ViaGuru within fifteen (15) business days following ViaGuru’s written notice to Company of the intended engagement with the New Sub-processor. The parties will make a good-faith effort to resolve Company’s objection. In the absence of a resolution, ViaGuru will make commercially reasonable efforts to provide Company with the same level of Service, without using the New Sub-processor to Process Personal/ Company Data. If Company’s concerns with such New Sub-processor are not resolved by ViaGuru, Company may terminate the Agreement.

7. CROSS-BORDER DATA TRANSFERS

If the Processing of Personal/ Company Data by ViaGuru includes transfers (either directly or via onward transfer) from the European Economic Area, Switzerland (collectively “EEA Transfer”) and/or the UK (“UK Transfer”) to other countries which have not been subject to a relevant adequacy decision by the data protection authorities, and such transfers are not performed through an alternative recognized compliance mechanism as may be adopted by ViaGuru for the lawful transfer of Personal Data outside the EEA, Switzerland or the UK, as applicable, then (i) the terms set forth in Part 1 of Schedule 2 (EEA Cross Border Transfers) shall apply to any such EEA Transfer; (ii) the terms set forth in Part 2 of Schedule 2 (UK Cross Border Transfers) shall apply to any such UK Transfer; and (iii) the terms set forth in Part 3 of Schedule 2 (Additional Safeguards) shall apply to such an EEA Transfer and UK Transfer.

8. SECURITY

ViaGuru will implement and maintain administrative, physical and technical safeguards to protect the security, confidentiality and integrity of Personal/ Company Data. ViaGuru shall adhere to the data security measures set forth in Schedule 3 (Security Addendum).

9. SECURITY INCIDENT MANAGEMENT AND NOTIFICATION

In the event of any Security Incident the ViaGuru shall:

9.1. Promptly notify Company in writing, and no later than forty-eight (48) hours after discovery of the Security Incident, providing: (i) all information known about the Security Incident; (ii) relevant and knowledgeable points of contact for ongoing communication with Company, and (iii) such additional details of the circumstances as pertinent to legal obligations (including the category and approximate number of records of any Personal Data affected), to the extent known; and

9.2. Provide such information and assistance as Company may require in order for Company to make any notification or announcement as referred to above.

10. AUDIT AND DEMONSTRATION OF COMPLIANCE

ViaGuru will make available to Company all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by a third party auditor agreed to by the parties. Audits by Company are subject to the following terms: (i) the audit will be pre-scheduled in writing with ViaGuru, at least thirty (30) days in advance and will be performed not more than once a year; and (ii) the auditor will execute a non-disclosure agreement with ViaGuru. Company shall bear the cost of any such audit. ViaGuru shall promptly remediate any deficiencies discovered in the course of such audit.

11. RETURN OR DELETION OF PERSONAL DATA

On termination or expiration of the Agreement, unless otherwise required by applicable law, ViaGuru shall (at Company’s election) promptly, and in any event within thirty (30) days, of Company’s request, return or delete all Personal/ Company Data.‍

12. AUTHORIZED AFFILIATES

The parties acknowledge and agree that, by executing the DPA, the Company enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, in which case each Authorized Affiliate agrees to be bound by the Company’s obligations under this DPA.

‍

Schedule 1a – Data Processing for Demio

Subject-matter of the Processing

Demio is a no download webinar software/platform (SaaS) most commonly used for one-to-many online meetings/workshops, but can also be used for one-to-one meetings. Users can set up one-off or recurring, live or automated events, enable chat functionality, share audio, video, presentations, images, links, survey attendees (polls) and more. Users get insights into their webinars, like who and how many attended, session duration, average time attended, average time focused - all over time (to see trends).

Categories of Data Subjects

Company potential and existing customers (webinar attendees) and Company employees/personnel.

Categories of Personal Data Transferred

Categories of personal data transferred may differ depending on the data exporter's use of the Demio software. For webinar attendees, personal data typically includes name, email address and any other personal data submitted through the registration form, IP address, geographical location, device information, browser type and version, operating system, as well as timing, frequency and pattern of their use of our Services.

Sensitive Data Transferred

Not applicable.

Frequency of Transfer

Continuous while Services are being used, until the Agreement is terminated.

Nature of the Processing

To facilitate online webinars, including host/store webinar attendee lists, webinar content (including recordings, chat transcript etc.), and webinar analytics.

Purpose of the Processing

To provide the Services as described in the Agreement.

Period Personal Data Will Be Retained

For the Term of the Agreement. We process personal data on behalf of the data exporter for as long as they are a Customer. If the data exporter terminates the Agreement (their use of Demio), we will delete Customer Data within 30 days of account termination (unless they opt for pausing their account, which effectively means they continue to be a Customer).

Subject-matter, nature and duration of processing for transfers to (sub-)processors

The subject matter pertains mainly to infrastructure cloud hosting and services. The nature of the processing relates to facilitating online webinars, including recording, hosting webinar material (recordings, presentation, images etc.), in-webinar chat functionality, and webinar analytics. We also use Sub-processors for content distribution, logging and similar operations that are strictly necessary for delivering our services. The duration of processing is for as long as the data exporter remains a Customer.

Schedule 1b – Data Processing for Reach and similar ViaGuru Services

Subject-matter of the Processing

Depends on the Services as specified in the Agreement, but could include: Event marketing automation and lead generation services for virtual, in-person and hybrid events. Multi-channel outreach where Customer can upload their own contact lists, target, contact, and register potential event attendees etc. All-in-one virtual event/meeting platform for Customer to plan and execute virtual, in-person, and hybrid events.

Categories of Data Subjects

Company potential and existing customers (e.g., Customer event attendees), and Company employees/personnel.

Categories of Personal Data Transferred

Categories of personal data transferred may differ depending on the data exporter's use of the Services. For event attendees, personal data typically includes name, contact information (e.g., email address, address, phone number), any personal data related to the event(s) they attend and, if applicable, any event recordings they have access to, as well as IP address, geographical location, device information, browser type and version, and operating system.

Sensitive Data Transferred

Not applicable.

Frequency of Transfer

Continuous while Services are being used, until the Agreement is terminated.

Nature of the Processing

To facilitate in-person, hybrid or/and virtual events, which could, depending on the Services covered by the Agreement, include research and store potential attendees lists, verify email addresses, send emails, conduct calls, facilitate online event registration, and, if applicable, record webinars, host webinar content (including recordings, chat transcript etc.), and webinar analytics.

Purpose of the Processing

To provide the Services as described in the Agreement.

Period Personal Data Will Be Retained

For the Term of the Agreement. We process personal data on behalf of the data exporter for as long as they are a Customer. If the data exporter terminates the Agreement, we will delete Customer Data within 30 days of account termination (unless they also use our webinar Services (Demio) and opt for pausing their account, which effectively means they continue to be a Customer).

Subject-matter, nature and duration of processing for transfers to (Sub-)processors

The subject matter pertains mainly to infrastructure cloud hosting and services, email validation services, email services, call center services, event marketing automation and lead generation. The nature of the processing relates to facilitating event invitations and registrations, including communication and registration and, if applicable, or online webinars: recording, hosting webinar material (presentation, images etc.), in-webinar chat functionality, and webinar analytics. We also use Sub-processors for content distribution, logging and similar operations that are strictly necessary for delivering our services. The duration of processing is for as long as the data exporter remains a Customer.

SCHEDULE 2– CROSS BORDER TRANSFERS

Module 2: Controller-to-Processor

PART 1 – EEA Transfers

The parties agree that the terms of the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Text with EEA relevance), as per the Commission Implementing Decision (EU) 2021/914 of 4 June 2021, found on the following official URL: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en, are hereby incorporated by reference and shall apply to any EEA Transfer.
Module Two (Controller to Processor) of the Standard Contractual Clauses shall apply where the EEA Transfer is effectuated by Company as the Controller of the Personal/ Company Data and ViaGuru as the Processor of the Personal/ Company Data.
Clause 7 of the Standard Contractual Clauses (Docking Clause) shall not apply.
The General Written Authorization in Clause 9 of the Standard Contractual Clauses shall apply, and the method for appointing and time period for prior notice of Sub-processor changes shall be as set forth in Section 6 of the DPA.
In Clause 11 of the Standard Contractual Clauses, the optional language will not apply.
In Clause 13 of the Standard Contractual Clauses, the second paragraph shall apply.
In Clause 17 of the Standard Contractual Clauses, Option 1 shall apply, and the Parties agree that the Standard Contractual Clauses shall be governed by the laws of Ireland.
In Clause 18(b) of the Standard Contractual Clauses, disputes will be resolved before the courts located in Dublin, Ireland.
Annex I.A of the Standard Contractual Clauses shall be completed as follows:

Data Exporter: The Person/ Customer, as specified in the Agreement.

Contact details: As detailed in the Agreement.

Data Exporter Role: Module Two: Controller

Signature and Date: By entering into the Agreement and DPA, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the effective date of the Agreement.

Data Importer: ViaGuru Business

Contact details: As detailed in the Agreement.

Data Importer Role: Module Two: Processor.

Signature and Date: By entering into the Agreement and DPA, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the effective date of the Agreement.

Annex I.B of the Standard Contractual Clauses, including in relation to transfers to Sub-processors, shall be completed as set forth in the applicable Schedule(s) 1 of the DPA.
Annex I.C of the Standard Contractual Clauses shall be completed as follows:

The competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section ‎7 above.

The Security Addendum referred to in Schedule 3 serves as Annex II of the Standard Contractual Clauses.

PART 2 – UK Transfers

1. With respect to any transfers of Personal/ Company Data falling within the scope of the UK GDPR from the Company (as data exporter) to ViaGuru (as data importer):

a.) neither the Standard Contractual Clauses nor the DPA shall be interpreted in a way that conflicts with rights and obligations provided for in any laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR;

b.) the Standard Contractual Clauses are deemed to be amended to the extent necessary so they operate:

for transfers made by the Company to ViaGuru, to the extent that DPDP/ GDPR applies to the Company’s processing when making that transfer;
to provide appropriate safeguards for the transfers in accordance with Articles DPDP/ GDPR.

c.) the amendments referred to in Section 1(b) include (without limitation) the following:

references to “Regulation (EU) 2016/679” or “that Regulation” are replaced by “DPDP/ GDPR” and references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article of the DPDP/ GDPR;
references to Regulation (EU) 2018/1725 are removed;
references to the “Union”, “EU” and “EU Member State” are all replaced with “India”;
the “competent supervisory authority” shall be the UK Information Commissioner;
clause 17 of the Standard Contractual Clauses is replaced with the following: “These Clauses are governed by the laws of India”;
clause 18 of the Standard Contractual Clauses is replaced with the following: “Any dispute arising from these Clauses shall be resolved by the courts of Delhi India. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in India. The Parties agree to submit themselves to the jurisdiction of such sole jurisdiction of courts in Delhi, India.”;
any footnotes to the Standard Contractual Clauses are deleted in their entirety.

PART 3 – Additional Safeguards

1. In the event of an EEA Transfer or a India Transfer, the Parties agree to supplement these with the following safeguards and representations, where appropriate:

a.) ViaGuru will make commercially reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Company Personal Data protected under DPDP, GDPR, including under section 702 of the United States Foreign Intelligence Surveillance Court (“FISA”).

b.) If ViaGuru becomes aware that any government authority (including law enforcement) wishes to obtain access to or a copy of some or all of the Personal/ Company Data, whether on a voluntary or a mandatory basis, then unless legally prohibited or under a mandatory legal compulsion that requires otherwise:

ViaGuru shall inform the relevant government authority that the ViaGuru is a processor of the Personal Data and that the Person/ Company has not authorized ViaGuru to disclose the Personal Data to the government authority, and inform the relevant government authority that any and all requests or demands for access to the Personal Data should therefore be notified to or served upon the Person/ Company in writing with a court subpeona order to provide such data with purpose/ reasons thereoff;
ViaGuru will use commercially reasonable legal mechanisms to challenge any such demand for access to Personal/ Company Data which is under the ViaGuru’s control. Notwithstanding the above, (a) the Company acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended government authority access, and (b) if, taking into account the nature, scope, context and purposes of the intended government authority access to Personal/ Company Data, ViaGuru has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, this subsection shall not apply. In such event, ViaGuru shall notify the Company, as soon as possible, following the access by the government authority, and provide the Company with relevant details of the same, unless and to the extent legally prohibited to do so. The subject person/ company will be provided with the copy of the court order/ subpeona and be informed of the request made by an agency, as per their constitutional rights.

2. Once in every 12-month period, ViaGuru will inform the Person/ Company at their written request, to the extent permitted by applicable law, of the types of binding legal demands for Company Personal Data it has received and solely to the extent such demands have been received, including national security orders and directives, which shall encompass any process issued.

SCHEDULE 3

SECURITY ADDENDUM

ViaGuru leverages which facilitates zero-touch cybersecurity assessments via NetSecurity.in which contains security information capabilities to monitor and protect for more than 3.5 billion cyberattack vectors. We regularly update for websites defense system we support.

Details for ViaGuru and its securty products/ services can be accessed on netsecurity.in

ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Measures of pseudonymisation and encryption of personal data

ViaGuru’s content databases that store data are encrypted using the Advanced Encryption Standard (AES). Customer data is encrypted in transit between the Customer’s software application and ViaGuru hosts using TLS

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

ViaGuru uses a variety of owned tools and mechanisms to achieve high availability and resiliency. ViaGuru’s infrastructure spans multiple fault-independent availability zones in geographic regions physically separated from one another. We employ orchestration tooling that has the ability to regenerate hosts, building them from the latest backup. We don't use any 3rd party capabilities for data cybersecurity.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

ViaGuru leverages specialized tools that monitor server performance, data, security and traffic load capacity within each data center and all subsequent development and production environments. If suboptimal server performance or overloaded capacity is detected on a server within an availability zone or colocation data center, these tools increase the capacity or shift traffic to relieve any suboptimal server performance or capacity overload. ViaGuru is also immediately notified in the event of any suboptimal server performance or overloaded capacity. We can restore any system and service within a short window using our incremental backup systems.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

ViaGuru has developed and implemented a owned security control environment designed to protect the confidentiality, integrity, and availability of customers systems. Our Privacy Policy and Acceptable Use Policy governs the requirements for use of customer data in accordance with several industry standards.

ViaGuru conducts a variety of regular internal and external audits that are inclusive of security operations.

Measures for user identification and authorisation

We leverage a Zero Trust policy for all access controls that give zero-access to ViaGuru’s computing assets be granted based on business justification. These policies are based on limits based on "need to-know" and "least-privilege" principles. In addition, the policy also addresses requirements for access management lifecycle including access provisioning, authentication, access authorization, removal of access rights and periodic access reviews.

Measures for the protection of data during transmission
Measures for the protection of data during storage

ViaGuru's databases that store Data are encrypted using the Advanced Encryption Standard (AES). Customer data stored by ViaGuru's is encrypted in transit between the Customer’s software application and ViaGuru using TLS

Measures for ensuring physical security of locations at which personal data are processed

Amazon provides physical data center access only to approved employees and ViaGuru has no access to these locations. Amazon employees who need data center access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access, and are time-bound. Requests are reviewed and approved by authorized personnel, and access is revoked after the requested time expires. Once granted admittance, individuals are restricted to areas specified in their permissions.

Measures for ensuring events logging

ViaGuru measures and logs all access to services, traffic and applications for all it’s development and production systems. Logging of services, user and security events (application access, web server logs, monitoring, FTP server logs, etc.) is enabled and retained centrally. ViaGuru restricts access to audit logs to authorized personnel based on job responsibilities.

Audit logging procedures are reviewed as part of external audits for security standards.

Measures for ensuring system configuration, including default configuration

Measures for internal IT and IT security governance and management

ViaGuru has developed and implemented an owned Human + AI + ML security control environment designed to protect the confidentiality, integrity, and availability of cloud platforms. ViaGuru performs an ongoing internal review of all security management policies and procedures and we perform audits before and after employee changes. These regular internal audits that are inclusive of security operations and are managed by the IT Team.

Measures for certification/assurance of processes and products

Measures for ensuring data minimisation

Measures for ensuring data quality

Measures for ensuring limited data retention

Measures for ensuring accountability

Measures for allowing data portability and ensuring erasure

Information about how ViaGuru processes personal data is set forth in the Privacy Policy available at https://www.banzai.io/legal/privacy-policy.

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter

When ViaGuru engages a Sub-processor, ViaGuru and the Sub-processor enter into an agreement that bind them by data protection obligations substantially similar to those under this DPA. Each Sub-processor agreement must ensure that ViaGuru is able to meet its obligations to our customers. In addition to implementing technical and organizational measures to protect personal data, Sub-processors must (a) notify ViaGuru in the event of a Security Incident so ViaGuru may notify it's customers; and (b) delete personal data when instructed by ViaGuru in accordance with Customer’s instructions to ViaGuru.

‍

ANNEX III – SUB-PROCESSORS

ViaGuru does not authorise the use of the external sub-processors.

Legal Information - Updated on 16th November 2025

This statement has been prepared based on provisions of multiple legislations, compliance and privacy best practices.

The above has to be read in conjunction and part of 'All' other terms, policies and disclaimers of this and other associated/ linked site(s). Please see and check updated terms, policy and disclaimer legal links on footer of home page at part of your own responsibility.

If you don't agree with 'All' the terms, policies and disclaimers, please do not visit the website links and use the products and services as part of your own free will informed choice.

This policy relates solely to this website and associated owned web properties links only, if not stated otherwise within this document or other legal links on this site.