Data Processing Agreement
Last updated 7 July 2026
pursuant to Art. 28 of Regulation (EU) 2016/679 (GDPR)
This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the vizrm Terms of Use (the "Agreement") between:
CodeBriada UG (haftungsbeschränkt), St. Rochus Str. 1, 82433 Bad Kohlgrub, Germany, provider of the vizrm software ("vizrm" or the "Processor")
and
the customer accepting the Agreement (the "Customer" or the "Controller"),
each a "Party" and together the "Parties".
This DPA is made available online at vizrm.com and applies automatically to all Customers whenever vizrm processes Personal Data on the Customer's behalf in the course of providing the Service. No separate signature is required; acceptance of the Agreement constitutes acceptance of this DPA. In the event of a conflict between this DPA and the Agreement with respect to the processing of Personal Data, this DPA prevails.
1. Definitions
1.1 "GDPR" means Regulation (EU) 2016/679. "Personal Data", "Controller", "Processor", "Data Subject", "Processing", "Personal Data Breach" and "Supervisory Authority" have the meanings given in Art. 4 GDPR.
1.2 "Service" means the vizrm software for org chart building, account mapping and LinkedIn-to-CRM contact sync, operating natively inside HubSpot and Pipedrive, as provided under the Agreement.
1.3 "Customer Data" means all Personal Data Processed by vizrm on behalf of the Customer in connection with the Service, namely: (a) CRM records (contacts, companies/organizations, deals, and activities) read from and written to the Customer's connected CRM (HubSpot or Pipedrive); (b) account map data created by the Customer within the Service (relationship lines, groups, placeholders, etc.); and (c) LinkedIn-sourced data (name, job title, company, profile URL) captured on the Customer's explicit user action via the vizrm browser extension.
1.4 "User Data" means Personal Data relating to the Customer's account holders (e.g. name, work email address, company, billing information, usage and technical data) which vizrm Processes as an independent Controller for the purposes of providing, securing, billing and improving the Service. User Data is not subject to this DPA and is described in the vizrm App Privacy Policy.
1.5 "Sub-Processor" means any processor engaged by vizrm to Process Customer Data on behalf of the Customer.
2. Roles of the Parties and Scope
2.1 With respect to Customer Data, the Customer is the Controller (or, where the Customer itself acts as a processor for a third party, a processor, in which case the Customer warrants that its instructions and this DPA are consistent with its obligations to that third-party controller) and vizrm is the Processor.
2.2 The subject matter, duration, nature and purpose of the Processing, the categories of Personal Data and the categories of Data Subjects are set out in Annex 1.
2.3 By design, vizrm does not maintain a persistent copy of the Customer's CRM records outside the Customer's connected CRM. CRM records are read in real time and written back immediately, subject only to temporary technical caching necessary to render and operate the Service. The only Customer Data stored persistently on vizrm's infrastructure is account map data as defined in Section 1.3(b).
3. Processing on Documented Instructions
3.1 vizrm shall Process Customer Data only on the Customer's documented instructions, including with regard to transfers of Customer Data to a third country or an international organisation, unless required to do so by Union or Member State law to which vizrm is subject; in such a case, vizrm shall inform the Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest (Art. 28(3)(a) GDPR).
3.2 The Parties agree that the Agreement, this DPA, and the Customer's configuration of and use of the Service (including connecting a CRM, defining sync scope, and user-initiated actions in the App and browser extension) constitute the Customer's complete documented instructions. Additional instructions require the Parties' written agreement.
3.3 vizrm shall immediately inform the Customer if, in its opinion, an instruction infringes the GDPR or other applicable data protection provisions.
3.4 vizrm shall not Process Customer Data for its own purposes. For the avoidance of doubt, aggregated or anonymized data generated by vizrm under the Agreement is derived from User Data and from non-personal usage data only, and not from Customer Data.
3.5 When the Customer configures an integration with a third-party enrichment provider using the Customer's own account and API credentials, the Customer instructs vizrm to disclose the relevant Customer Data to that provider and to receive data back. The provider acts on behalf of, or as an independent controller vis-à-vis, the Customer - not as vizrm's Sub-Processor. The Customer is solely responsible for its contract with the provider, for the lawfulness of the disclosure, and for Chapter V transfer compliance where the provider is outside the EEA.
4. Confidentiality
4.1 vizrm shall ensure that persons authorised to Process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Art. 28(3)(b) GDPR).
4.2 Access to Customer Data is restricted to the personnel identified in Annex 2 on a need-to-know basis.
5. Security of Processing
5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, vizrm shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Art. 32 GDPR). The measures implemented as at the date of this DPA are described in Annex 2.
5.2 vizrm may update the measures in Annex 2 from time to time, provided that such updates do not materially reduce the overall level of security.
6. Sub-Processors
6.1 The Customer grants vizrm a general authorisation to engage Sub-Processors for the Processing of Customer Data (Art. 28(2) GDPR). The Sub-Processors engaged as at the date of this DPA are listed in Annex 3.
6.2 vizrm shall inform the Customer of any intended addition or replacement of a Sub-Processor at least thirty (30) days before the change takes effect, by email to the account owner or by in-app notice. The Customer may object to the change on reasonable data protection grounds within this period. If the Parties cannot resolve the objection in good faith, the Customer may terminate the affected subscription with effect from the date the change takes effect.
6.3 vizrm shall impose on each Sub-Processor, by way of a contract, data protection obligations that are in substance no less protective than those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures (Art. 28(4) GDPR). vizrm remains fully liable to the Customer for the performance of each Sub-Processor's obligations.
6.4 For the avoidance of doubt, service providers that Process only User Data (including analytics, communications, marketing, support, scheduling, billing and automation tools such as Amplitude, Intercom, HubSpot, Stripe, Courier, lemlist, Make and Calendly) are not Sub-Processors under this DPA, because they do not receive or access Customer Data.
7. Assistance with Data Subject Rights
7.1 Taking into account the nature of the Processing, vizrm shall assist the Customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Customer's obligation to respond to requests by Data Subjects exercising their rights under Chapter III GDPR (Art. 28(3)(e) GDPR).
7.2 The Parties acknowledge that, given the architecture described in Section 2.3, the Customer can in most cases fulfil access, rectification and erasure requests directly in its own CRM, and that changes made there are reflected in the Service in real time. Where a request concerns account map data stored by vizrm, or otherwise cannot be fulfilled by the Customer through the Service or its CRM, vizrm shall provide reasonable assistance within a reasonable period upon the Customer's written request.
7.3 If a Data Subject contacts vizrm directly regarding Customer Data, vizrm shall not respond substantively (except to direct the Data Subject to the Customer) and shall forward the request to the Customer without undue delay.
8. Personal Data Breach Notification
8.1 vizrm shall notify the Customer without undue delay, and in any event within forty-eight (48) hours, after becoming aware of a Personal Data Breach affecting Customer Data (Art. 28(3)(f), Art. 33(2) GDPR).
8.2 The notification shall, to the extent then known, describe the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its possible adverse effects. Information may be provided in phases as it becomes available.
8.3 vizrm shall reasonably assist the Customer in meeting the Customer's obligations under Art. 33 and Art. 34 GDPR. Notification under this Section is not an acknowledgement of fault or liability.
9. Assistance with Impact Assessments and Prior Consultation
9.1 Taking into account the nature of the Processing and the information available to it, vizrm shall provide reasonable assistance to the Customer with data protection impact assessments and prior consultations with Supervisory Authorities to the extent they relate to the Processing of Customer Data under this DPA (Art. 28(3)(f), Art. 35–36 GDPR).
10. Information and Audit Rights
10.1 vizrm shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR (Art. 28(3)(h) GDPR). As the standard mechanism, vizrm shall respond to the Customer's reasonable written security and compliance questionnaires, and shall provide relevant documentation of its own measures and of the certifications and attestations of its hosting Sub-Processor (Microsoft Azure), within a reasonable period, at no charge and no more than once per calendar year unless a Personal Data Breach or a Supervisory Authority requires otherwise.
10.2 Where the information provided under Section 10.1 is demonstrably insufficient to evidence compliance, or where an audit is required by a Supervisory Authority or mandatory law, vizrm shall allow for and contribute to an audit, including an inspection, conducted by the Customer or an independent auditor mandated by the Customer (which shall not be a competitor of vizrm). Such audit shall be subject to at least thirty (30) days' prior written notice, shall take place during normal business hours, shall not unreasonably interfere with vizrm's business operations, shall be limited to information relevant to Customer Data, and shall occur no more than once per calendar year absent a Personal Data Breach or Supervisory Authority requirement. Each Party bears its own costs; where an audit is requested without indication of non-compliance and none is found, vizrm may charge reasonable costs for its contribution.
11. Return and Deletion of Customer Data
11.1 Upon termination or expiry of the Agreement, or upon cancellation of the Customer's account, vizrm shall, at the choice of the Customer, delete or return all Customer Data and delete existing copies, unless Union or Member State law requires storage of the Personal Data (Art. 28(3)(g) GDPR).
11.2 The Parties acknowledge that CRM records remain in the Customer's own CRM at all times (Section 2.3) and therefore do not require return. The Customer may request an export of its account map data in a commonly used, machine-readable format within thirty (30) days of the effective date of termination or cancellation.
11.3 Unless the Customer requests an export under Section 11.2, or return or earlier deletion under Section 11.1, vizrm shall delete all Customer Data, including cached CRM records and account map data, within thirty (30) days of the effective date of termination or cancellation. Deletion from backups occurs in the ordinary course of vizrm's backup rotation cycle; backup copies remain protected by the measures in Annex 2 until overwritten or destroyed and are not restored to production except as necessary for disaster recovery.
11.4 Where mandatory law requires vizrm to retain specific Customer Data beyond this period, vizrm shall inform the Customer of that requirement, restrict the retained data from further Processing, and delete it once the retention obligation lapses.
12. International Data Transfers
12.1 Customer Data is hosted exclusively on Microsoft Azure in the Germany West Central region (EEA). vizrm's personnel access Customer Data from within the EEA.
12.2 vizrm shall not transfer Customer Data to a country outside the EEA (other than to a country subject to an adequacy decision under Art. 45 GDPR) unless it has first implemented a valid transfer mechanism under Chapter V GDPR, in particular the European Commission's Standard Contractual Clauses, and informed the Customer in accordance with Section 6.2 where the transfer results from a Sub-Processor change.
13. Liability
13.1 The liability of each Party under or in connection with this DPA is subject to the exclusions and limitations of liability set out in the Agreement, save that nothing in this DPA or the Agreement limits either Party's liability with respect to any Data Subject's rights under Art. 82 GDPR or any liability that cannot be limited under applicable law.
13.2 As between the Parties, each Party is liable for administrative fines imposed on it in accordance with Art. 83 GDPR.
14. Term, Governing Law, Final Provisions
14.1 This DPA takes effect upon acceptance of the Agreement and remains in force for as long as vizrm Processes Customer Data, including the deletion period under Section 11.
14.2 This DPA is governed by the laws of the Federal Republic of Germany. The exclusive place of jurisdiction follows the Agreement.
14.3 vizrm may update this DPA where required by changes in law, guidance of Supervisory Authorities, or changes to the Service, provided that updates do not materially reduce the level of protection for Customer Data. Material changes will be notified to the Customer in advance.
14.4 Should individual provisions of this DPA be or become invalid, the validity of the remaining provisions remains unaffected.
Annex 1 - Description of the Processing (Art. 28(3) GDPR)
Subject matter
Provision of the vizrm software: org chart building, account mapping, and LinkedIn-to-CRM contact sync, operating natively inside HubSpot and Pipedrive.
Duration
The term of the Agreement, plus the post-termination deletion period set out in Section 11 of this DPA.
Nature and purpose of the Processing
Real-time reading and writing of CRM records from and to the Customer's connected HubSpot or Pipedrive account; display and organisation of that data in org charts and account maps; storage of account-planning data created by the Customer within the Service; creation or matching of CRM contacts and logging of activities from LinkedIn profile data upon explicit user action; transmission to and receipt from Customer-designated enrichment providers upon explicit user action.
Categories of Personal Data
- CRM records synced from the Customer's connected CRM: contacts, companies/organizations, deals, and activities. No additional data types (e.g. email content, call logs, free-text notes) are pulled beyond these standard CRM object types.
- Account map data created within the Service: relationship lines, groups, placeholders, saved views.
- LinkedIn-sourced data: name, job title, company, profile URL - captured only upon explicit user action, not by automatic or background sync.
- Contact data returned by Customer-designated enrichment providers (e.g. business email address, phone number).
No special categories of Personal Data (Art. 9 GDPR) are required by, or intended to be Processed through, the Service. The Customer shall not use the Service to Process special categories of Personal Data.
Categories of Data Subjects
- The Customer's business contacts, leads, and prospects, as synced from the Customer's CRM.
- Internal team members of the Customer (e.g. employees assigned to deals or accounts).
Annex 2 - Technical and Organisational Measures (Art. 32 GDPR)
The following measures reflect vizrm's actual practice as at the date of this DPA. vizrm does not currently hold independent certifications (e.g. SOC 2, ISO 27001); infrastructure-level controls and certifications are inherited from Microsoft Azure.
Hosting and infrastructure
- All Customer Data is hosted on Microsoft Azure in the Germany West Central region (EEA).
- Physical security, environmental controls, network infrastructure security and encryption at rest are provided through Microsoft Azure's platform-level controls, which are certified under ISO/IEC 27001, SOC 1/2/3 and further standards documented in Microsoft's compliance documentation (Service Trust Portal).
Encryption
- All data in transit between the Customer's browser, the Service, connected CRMs and Azure infrastructure is encrypted using HTTPS (TLS).
- Data at rest is encrypted through Azure platform-level storage encryption.
Access control
- Access to Customer Data is restricted to two named individuals: the co-founders Markus Meier and Jakob Porer. No other personnel have access.
- Access to production systems requires individual authenticated accounts; credentials are not shared.
- User passwords for the Service are stored in hashed form only.
Organisational measures
- Confidentiality undertakings by all persons with access to Customer Data (Section 4 of this DPA).
- Separation of Customer Data from User Data: Customer Data is not transmitted to or accessible by analytics, communications, marketing, scheduling, support or automation tools.
- Sub-processor due diligence and contractual flow-down of data protection obligations (Section 6 of this DPA).
Availability and resilience
- Availability, redundancy and backup capabilities are provided through Microsoft Azure platform services; backups are subject to the same access restrictions as production data.
Annex 3 - Authorised Sub-Processors for Customer Data
- Microsoft Azure - Microsoft Ireland Operations Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (EEA). Function: hosting and infrastructure for all Customer Data. Hosting region: Germany West Central (EEA).
Microsoft Azure is the sole Sub-Processor with access to Customer Data. Providers of analytics, communications, marketing, billing, support, scheduling and automation services (including Amplitude, Intercom, HubSpot, Stripe, Courier, lemlist, Make and Calendly) Process User Data only and are listed in the vizrm App Privacy Policy.