Privacy Policy

Viva Ops operates an AI-powered operations intelligence platform that processes business workflow data on behalf of our customers. We treat that data as our customers' property, hold it under strict confidentiality, and never sell it.

We comply with SOC 2 Type II, GDPR for users in the European Economic Area, the UK Data Protection Act 2018, the CCPA for California residents, and equivalent regulations. This policy explains what we collect, how we use it, and the controls available to you.

Account data — when your organisation registers:

• ✦Administrator name, business email, and phone number
• ✦Company name, billing address, and tax identifiers
• ✦Job titles and roles for each invited user
• ✦Billing information (processed via Stripe — we never store card numbers)

Operations data — submitted by you or your team:

• ✦Workflow definitions and AI agent configurations
• ✦Connections and credentials for systems you integrate (ERP, CRM, ticketing, Slack, Teams, etc.)
• ✦Documents, tickets, transactions, and other records routed through Viva Ops
• ✦Execution logs, run histories, and AI-generated outputs

Usage and telemetry — collected automatically:

• ✦Pages visited, features used, and session duration
• ✦Device type, browser, and operating system (anonymised)
• ✦Error logs and performance traces to diagnose and fix issues

• ✦To operate, deliver, and improve the Viva Ops service
• ✦To run AI agents and workflow automations on your behalf
• ✦To provide customer support and respond to your requests
• ✦To process payments and issue invoices
• ✦To send service announcements, security alerts, and product updates (you can unsubscribe from non-essential communications)
• ✦To detect and prevent fraud, abuse, or security incidents
• ✦To comply with legal obligations and lawful requests

We do not use your operations data to train shared or general-purpose AI models. Customer data stays segregated to your tenant and is never used to improve any model exposed to other customers.

When you invoke an AI agent, Viva Ops sends the relevant prompt and context to a model provider on your behalf. We use the following AI subprocessors and execute requests under their zero-retention enterprise terms:

• ✦Anthropic — Claude family models (zero-retention enterprise tier)
• ✦OpenAI — GPT family models (zero-retention enterprise tier)
• ✦AWS Bedrock & Google Vertex AI — for self-hosted or regional deployments

Customers on the Enterprise plan may restrict which model providers their tenant may use, or require all AI calls be routed through a self-hosted model behind their own VPC.

All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Our infrastructure runs on SOC 2 Type II certified cloud providers (AWS and Google Cloud) with physical access controls, automated backups, and 99.9% uptime SLAs.

• ✦Each customer's tenant is logically isolated; cross-tenant data access is impossible by design
• ✦Audit logs are retained for 12 months; Enterprise customers may request 7-year retention
• ✦Passwords are hashed with Argon2id — we never store plaintext credentials
• ✦SSO (SAML 2.0, OIDC) and SCIM provisioning available on Growth and Enterprise plans
• ✦Two-factor authentication is mandatory for administrator accounts

Beyond AI providers, we share data with a limited set of trusted subprocessors to operate the service:

• ✦AWS & Google Cloud — infrastructure and storage
• ✦Stripe — payment processing (PCI-DSS Level 1 certified)
• ✦Postmark — transactional email delivery
• ✦PagerDuty — incident response and on-call routing
• ✦Datadog — operational telemetry (no customer payloads)

All subprocessors are bound by data-processing agreements and prohibited from using your data for their own purposes. We do not share data with advertisers, data brokers, or general-purpose analytics companies. The full subprocessor list is published at vivaopscp.com/subprocessors and updated with 30 days' notice before any addition.

You own your data. All workflow definitions, integration data, AI outputs, and audit trails belong to your organisation. Viva Ops acts as a data processor on your behalf, not a data owner.

You can export a full copy of your data in JSON or CSV at any time from the admin console. Upon account deletion, all customer data is permanently purged within 30 days; backups containing the data expire within 90 days.

• ✦Access — request a copy of all personal data we hold about you
• ✦Correction — ask us to correct inaccurate or incomplete data
• ✦Deletion — request permanent deletion of your account and associated data
• ✦Portability — export your data in machine-readable format
• ✦Objection — opt out of any non-essential data processing
• ✦Restrict processing — pause processing while a request is reviewed

To exercise any of these rights, email privacy@vivaopscp.com. We respond within 30 days. EU and UK data subjects may also lodge a complaint with their local supervisory authority.

Customer data is hosted in the region you select at provisioning time (US, EU, or UK). Where data must cross borders, transfers are made under Standard Contractual Clauses, the UK International Data Transfer Addendum, or equivalent recognised mechanisms.

Viva Ops uses strictly necessary cookies for authentication and session management, and optional analytics cookies to improve the product. You can manage cookie preferences via the banner on your first visit. We do not use advertising or third-party tracking cookies.

Questions about this policy or a data request? Contact our privacy team at privacy@vivaopscp.com or write to Flexpart Vanta INC., 340 Pine St, Suite 800, San Francisco, CA 94104.