Data Processing Addendum

This Data Processing Addendum (“DPA”) is for business customers who need a signed agreement governing how Viewport processes personal data on their behalf — typically required by security or procurement review. It forms part of, and is governed by, our Terms of Service. To execute a countersigned copy, email [email protected].

For account data and the session metadata Viewport processes to run the Service, Viewport acts as a processor and you act as the controller. The daemon keeps your code, transcripts, and tool output on your machine; Viewport is neither controller nor processor of that content. Viewport processes personal data only on your documented instructions, which these Terms and your use of the Service constitute.

Data subjects: your authorized users (engineers, reviewers, admins). Categories: account data (name, email, organization and team membership), session metadata (machine id, working-directory path, repo metadata, run status and summaries), and the audit ledger (governance decisions and timestamps). No special categories of data are processed by design.

You authorize Viewport to engage the subprocessors below. We impose data-protection terms on each that are no less protective than this DPA, and we remain responsible for their performance. We will give notice of new subprocessors before they begin processing and give you a reasonable opportunity to object on data-protection grounds.

Integrations you connect (for example GitHub and Slack) process data under their own terms and at your direction; they are not Viewport subprocessors.

Viewport maintains technical and organizational measures appropriate to the risk, including encryption in transit, edge encryption of context-vault bodies (we hold only ciphertext), scoped virtual keys for model access, least-privilege access controls, and audit logging. Our control plane is metadata-only by architecture, which limits the personal data exposed to it in the first place.

Where processing involves transferring personal data out of the EEA, UK, or Switzerland, the parties rely on the EU Standard Contractual Clauses (and the UK Addendum / Swiss adaptations as applicable), incorporated by reference into this DPA, together with any supplementary measures reasonably required.

Viewport will, taking into account the nature of processing, assist you in responding to data-subject requests and in meeting your security, breach-notification, and impact-assessment obligations. We will notify you without undue delay after becoming aware of a personal-data breach affecting your data.

On termination, Viewport will delete or return personal data processed on your behalf, except where retention is required by law. Consistent with the Terms, your audit ledger stays exportable for 30 days after cancellation and is then deleted.

On reasonable request and subject to confidentiality, Viewport will make available information necessary to demonstrate compliance with this DPA, including relevant third-party reports as they become available (SOC 2 readiness today; certification is in progress).

Email [email protected] to request a signed copy or ask a question.