Product Talk DPA

Effective Date: March 8, 2026

This Data Processing Addendum (“DPA Addendum”) supplements the agreement between:

Vistaly, Inc., a Delaware corporation (“Vistaly”), and

Product Talk LLC, an Oregon limited liability company (“Partner”)

(together the “Parties”).

1. Background and Purpose

1.1. Under the agreement between Vistaly and Partner, Partner provides Licensed Services that are integrated into the Vistaly platform.

1.2. In connection with the performance of the Licensed Services, Partner may access certain personal data belonging to Vistaly’s end customers through Vistaly’s hosted platform for the purposes of product research, service improvement, and quality assurance of the Licensed Services (collectively, “Permitted Purposes”).

1.3. This DPA Addendum sets forth the Parties’ obligations with respect to such personal data in compliance with applicable Data Protection Laws.

2. Definitions

2.1. “Customer Personal Data” means any personal data (as defined under applicable Data Protection Laws) contained within Vistaly’s end customers’ Service Data that Partner accesses through the Vistaly platform in connection with the Permitted Purposes.

2.2. “Data Protection Laws” means: (a) the General Data Protection Regulation (EU) 2016/679 (“GDPR”); (b) the UK GDPR and the UK Data Protection Act 2018; (c) the Swiss Federal Act on Data Protection (“FADP”); and (d) to the extent applicable, the data protection or privacy laws of any other jurisdiction, in each case as amended or superseded from time to time.

2.3. “Platform Access” means Partner’s ability to view, query, and consult Customer Personal Data through Vistaly’s hosted platform interface, without downloading, copying, exporting, or storing such data outside of Vistaly’s infrastructure.

2.4. Terms not defined herein shall have the meanings given in the agreement between Vistaly and Partner, or applicable Data Protection Laws.

3. Scope of Processing

3.1. Access Model. Partner’s processing of Customer Personal Data shall be limited exclusively to Platform Access. Partner shall not download, export, copy, transfer, or store Customer Personal Data outside of Vistaly’s hosted infrastructure under any circumstances.

3.2. Purpose Limitation. Partner shall access Customer Personal Data solely for the Permitted Purposes and shall not process such data for any other purpose unless expressly authorized by Vistaly in writing.

3.3. Instructions. Partner shall process Customer Personal Data only on Vistaly’s documented instructions, which are set forth in this DPA Addendum and may be supplemented by Vistaly from time to time in writing. If Partner believes an instruction infringes applicable Data Protection Laws, Partner shall promptly notify Vistaly.

3.4. Description of Processing. The subject matter, duration, nature, purpose, types of personal data, and categories of data subjects are described in Annex A to this DPA Addendum.

4. Partner’s Obligations

4.1. Compliance. Partner shall comply with applicable Data Protection Laws in its processing of Customer Personal Data.

4.2. Personnel. Partner shall ensure that any person authorized to access Customer Personal Data is bound by appropriate confidentiality obligations.

4.3. No Sub-Processing. Partner shall not engage any third party to process Customer Personal Data without Vistaly’s prior written consent. For the avoidance of doubt, Partner’s use of standard business tools (e.g., internet service providers, general-purpose hardware) that do not involve access to or processing of Customer Personal Data does not constitute sub-processing.

4.4. Access Controls. Partner shall access Customer Personal Data only through Vistaly-provided credentials and authentication mechanisms. Partner shall maintain the security of its authentication credentials and promptly notify Vistaly of any suspected compromise.

4.5. No Data Extraction. Partner shall not use any means — including but not limited to screenshots, screen recording, manual transcription, automated scraping, or API calls — to extract, reproduce, or store Customer Personal Data outside of the Vistaly platform, except for de minimis incidental references in internal research notes that do not include any personal data or customer-identifiable information.

5. Security

5.1. Vistaly’s Infrastructure. The Parties acknowledge that because all Customer Personal Data remains within Vistaly’s hosted environment at all times, the technical and organizational security measures for the protection of such data are implemented and maintained by Vistaly. Vistaly’s current security measures are described in Annex II of Vistaly’s customer-facing Data Processing Addendum.

5.2. Partner’s Obligations. Partner shall: (a) use commercially reasonable security practices for its own systems and devices used to access the Vistaly platform; (b) maintain up-to-date operating systems and security software on devices used for Platform Access; and (c) not access the Vistaly platform from shared, public, or unsecured networks or devices.

6. Data Breach Notification

6.1. Partner shall notify Vistaly without undue delay (and in any event within twenty-four (24) hours) upon becoming aware of any actual or suspected unauthorized access to Customer Personal Data, including any compromise of Partner’s platform credentials.

6.2. Partner shall cooperate with Vistaly in investigating and remediating any such incident and shall provide Vistaly with all information reasonably necessary for Vistaly to comply with its breach notification obligations to its customers and applicable supervisory authorities.

7. Data Subject Rights

7.1. If Partner receives any request from a data subject (or from Vistaly on behalf of a data subject) regarding Customer Personal Data, Partner shall promptly notify Vistaly and shall not respond to the request directly unless instructed to do so by Vistaly.

7.2. Partner shall provide Vistaly with reasonable assistance in fulfilling Vistaly’s obligations to respond to data subject requests under applicable Data Protection Laws.

8. Audit

8.1. Upon Vistaly’s reasonable request (and no more than once per calendar year, unless a data breach or evidence of non-compliance necessitates an additional review), Partner shall provide Vistaly with reasonable information and cooperation to demonstrate compliance with this DPA Addendum.

8.2. Because all Customer Personal Data resides within Vistaly’s SOC 2 Type II-audited infrastructure, the Parties agree that audit requests from Vistaly’s end customers regarding the security of Customer Personal Data are primarily addressed by Vistaly’s own audit reports and security documentation. Partner shall reasonably cooperate with Vistaly in responding to any customer inquiry specifically relating to Partner’s access practices.

9. International Data Transfers

9.1. Partner’s Platform Access constitutes a transfer of Customer Personal Data from Vistaly to Partner. To the extent such access involves Customer Personal Data originating from the EEA, United Kingdom, or Switzerland, such transfers are made in reliance on Vistaly’s EU-U.S. Data Privacy Framework certification and, where applicable, the Standard Contractual Clauses as set forth in Vistaly’s customer-facing Data Processing Addendum.

9.2. Partner shall access Customer Personal Data only from the United States. If Partner intends to access the platform from any other jurisdiction, Partner shall obtain Vistaly’s prior written approval.

10. Return and Deletion

10.1. Partner does not independently store Customer Personal Data. Upon termination or expiration of the agreement between Vistaly and Partner (or this DPA Addendum), Vistaly shall revoke Partner’s Platform Access, and no further action by Partner is required with respect to Customer Personal Data.

10.2. Partner shall, upon Vistaly’s request, certify in writing that it has not retained any Customer Personal Data outside of the Vistaly platform.

11. Liability

11.1. The liability of each Party under this DPA Addendum is subject to the limitations set forth in the agreement between Vistaly and Partner.

12. Relationship to Existing Agreements

12.1. This DPA Addendum supplements, and is incorporated into, the agreement between Vistaly and Partner. In the event of any conflict between this DPA Addendum and the underlying agreement, this DPA Addendum shall prevail with respect to the processing of Customer Personal Data.

12.2. The confidentiality obligations in the agreement between Vistaly and Partner continue to apply to all Customer Personal Data and are not diminished by this DPA Addendum.

12.3. This DPA Addendum may be amended only by written agreement of both Parties.

13. Term

13.1. This DPA Addendum shall remain in effect for as long as Partner has Platform Access to Customer Personal Data. The obligations in Sections 4.5, 6, 7, and 10 shall survive termination.

Annex A — Description of Processing

| Element | Description |
| --- | --- |
| Subject Matter | Partner’s access to Vistaly end-customer data through the Vistaly platform in connection with the Licensed Services. |
| Duration | For the term of the agreement between Vistaly and Partner, or until Platform Access is revoked. |
| Nature of Processing | Consultation, viewing, and analysis of data through Platform Access. No storage, downloading, or independent processing by Partner. |
| Purpose | Product research, improvement of Licensed Services (Interview Snapshot Generator, Incremental OST Update, Full OST Update), and quality assurance. |
| Types of Personal Data | Name, email address, job title, IP address, and any personal data contained in customer interview transcripts, opportunity solution trees, and related Service Data. |
| Categories of Data Subjects | End users of the Vistaly platform (customer employees, contractors, and agents); individuals whose personal data is included in customer Service Data (e.g., interview participants, feedback providers). |

For more information, see our Sub-Processors, Privacy Policy, and Security Policy.

If you have questions about this DPA, please contact us at dpo@vistaly.com.