Visage
Contact SalesBook a Demo

Visage Data Processing Addendum

Updated: 22/12/2025

This Data Processing Addendum, including its Annexes and the Standard Contractual Clauses (collectively, the “DPA”), sets forth the parties’ obligations with respect to the processing of Personal Data in connection with the Service, and is incorporated into and forms part of the terms and conditions of the Master Service Agreement or any other agreement under which Visage, Inc. (“Visage”) provides services to the party identified as the customer in the Agreement or the Order Form(s) (“Customer”).

Due to the nature of the Service, Visage may process Personal Data as a Processor and/or Controller in the performance of the Service. Therefore, Visage’s responsibilities under this DPA will depend on whether Visage is acting as a Processor or Controller under Data Protection Laws.

Customer enters into this DPA on behalf of itself and, to the extent required under Data Protection Laws, in the name and on behalf of its Permitted Affiliates.  For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include Customer and such Permitted Affiliates. Any capitalized terms used but not defined in this DPA shall have the meaning set forth in the Agreement.

  1. Definitions

1.1       “Affiliate” means any entity under the control of a party where “control” means ownership of or right to control greater than 50% of the voting securities of such entity.

1.2       “Controller” means an entity that, alone or jointly with others, determines the purposes and means of processing Personal Data, and include a “Business” as defined under the CCPA.

1.3       “Data Protection Laws” means, as applicable to a party’s processing of Personal Data under the Agreement: (i) European Data Protection Laws; and (iii) US State Privacy Laws.

1.4       “Data Subject” means an identified or identifiable natural person, and includes a “Consumer” as defined under the CCPA.

1.5       “Europe” means, for the purposes of this DPA, the European Economic Area (“EEA”) and its Member States, Switzerland and the United Kingdom.

1.6       “European Data Protection Laws” means all data protection and privacy laws and regulations enacted in Europe, including: (i) Regulation (EU) 2016/679 (“GDPR”); (ii) the GDPR as it forms part of UK law by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively, “UK Data Protection Laws“); (iii) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA“);and (iv) all applicable national data protection and privacy laws made under or pursuant to (i), (ii), or (iii); in each case, as may be amended, superseded or replaced from time to time.

1.7       “Permitted Affiliate” means any Affiliate of Customer which: (i) is subject to Data Protection Laws; (ii) is permitted to use the services provided by Visage pursuant to the Agreement; and (iii) has not signed its own Order Form or Agreement with Visage and is not a “Customer” as defined under the Agreement.

1.8       “Personal Data” means any information which is protected as “personal data”, “personally identifiable information”, or “personal information” under Data Protection Laws.

1.9       “Processor” means an entity that processes Personal Data on behalf of the Controller, and includes a “Service Provider” as defined under the CCPA.

1.10      “Security Breach” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

1.11      “Sub-processor” means any third party Processor engaged by Visage to assist in fulfilling its obligations with respect to providing the Service pursuant to the Agreement or this DPA.  Sub-processors may include third parties or Visage Affiliates but shall exclude any Visage employee, independent contractor or consultant.

1.12      “US State Privacy Laws” means (i) the California Consumer Privacy Act, as amended by the California Privacy Rights Act, Cal. Civ. Code §§ 1798.100 et seq., and any implementing regulations relating to the same (together, the “CCPA”); (ii) the Virginia Consumer Data Protection Act; (iii) the Colorado Privacy Act; (iv) the Connecticut Data Privacy Act; (v) the Utah Consumer Privacy Act; and (vi) any other US state privacy laws that are modelled on or equivalent to (i)-(v); in each case when effective and as amended, replaced or superseded from time to time.

1.13      The terms “process” (including “processing”, “processes”, “processed” and other variations thereof) and “sale” (including “sell”, “selling”, “sold” and other variations thereof) shall have the meanings given to them under applicable Data Protection Laws.

  1. Scope and Applicability of this DPA

2.1       Scope. This DPA applies where and only to the extent that either party processes Personal Data that is subject to Data Protection Laws in connection with the Service provided by Visage to Customer pursuant to the Agreement.

2.2       Role of the Parties. The parties acknowledge and agree that:

  1. a) Customer is a Controller of Customer Profiles and Visage shall process Customer Profiles only as a Processor on behalf of Customer; and
  2. b) each party is a Controller of Visage Profiles and shall process Visage Profiles in accordance with the Agreement (including this DPA) and applicable Data Protection Laws.

3          Customer Obligations

3.1       Customer Obligations. Customer shall ensure that it: (i) complies with applicable Data Protection Laws in respect of its use of the Service and any processing instructions it issues to Visage; (ii) has an appropriate legal basis to process Personal Data and makes available to Data Subjects a privacy statement that fulfils the requirements of applicable Data Protection Laws; and (iii) has the right to transfer or make available Customer Profiles to Visage and for providing all notice and obtaining all consents necessary under applicable Data Protection Laws for Visage to lawfully process Customer Profiles for the purposes contemplated by the Agreement (including this DPA).

  1. 3. Processing of Customer Profiles

3.1       Scope of this Section. The terms contained in this Section 3 (Customer Profiles) apply to the extent that Visage processes any Customer Profiles on behalf of Customer in connection with the provision of the Service, as further described in Annex A of this DPA.

3.2       Processing Instructions.  Visage shall only process Customer Profiles for the purposes described in the Agreement (including this DPA) and only in accordance with Customer’s documented lawful instructions. The parties agree that the Agreement sets out the Customer’s complete and final instructions to Visage in relation to the processing of Customer Profiles and processing outside the scope of these instructions (if any) shall require prior written agreement between the parties. Visage shall notify Customer in writing, unless prohibited from doing so under applicable laws, if it becomes aware or believes that any data processing instruction from Customer violates Data Protection Laws.

3.3       No Sale or Sharing. Visage shall not (i) retain, use, or disclose Customer Profiles for any purpose, including a commercial purpose, other than for the specific purposes described in the Agreement (including this DPA); (ii) sell Customer Profiles or share Customer Profiles for the purposes of targeted or cross-context behavioral advertising (as defined under applicable US State Privacy Laws).

We use cookies to enhance your browsing experience, analyze site traffic, and personalize content. By clicking "Accept", you consent to our use of cookies. Read our Privacy Policy and Cookie Policy to learn more.