Data Processing Agreement
This DPA covers customer personal data that Wodby processes as a processor or service provider when delivering the services.
Scope and incorporation
This DPA applies when Wodby processes personal data on behalf of a customer in connection with the services, and it includes annex-style detail for procurement review.
This Data Processing Agreement supplements the Terms of Service and applies when Wodby processes personal data on behalf of a customer in connection with the services.
The DPA forms part of the agreement between Wodby and the customer for the relevant services. If there is a conflict between this DPA and the Terms of Service regarding processing of personal data, this DPA controls for that subject matter.
Annex-style processing details, technical and organizational measures, and subprocessor information are set out in this DPA, the Security and TOMs page, the Subprocessors page, and the SCC page, each of which is incorporated by reference for the relevant subject matter.
Roles of the parties
The customer is generally the controller and Wodby is generally the processor for customer personal data handled through the services.
For customer personal data processed under this DPA, the customer acts as controller or business, and Wodby acts as processor or service provider, unless the parties expressly agree otherwise in writing for a specific processing activity.
The customer is responsible for the lawfulness of the personal data and its instructions to Wodby, including providing any required notices and obtaining any required permissions.
Subject matter and processing details
Processing covers the customer data submitted to or generated through the services and lasts for the term of the services plus any limited retention period.
Subject matter: the processing of customer personal data necessary to provide the services, including hosting, deployment, monitoring, backups, imports, support, security, troubleshooting, and related operational activities.
Duration: for the term of the services and any limited post-termination retention period needed for deletion workflows, legal compliance, security, or dispute resolution.
Categories of data may include account data, contact data, application data, database contents, logs, backups, import archives, and other personal data the customer chooses to submit or process through the services. Data subjects may include the customer's end users, employees, contractors, and other individuals whose data the customer submits.
Customer instructions
Wodby processes customer personal data only on documented instructions from the customer unless law requires otherwise.
Wodby will process customer personal data only on documented instructions from the customer, including instructions given through the normal use of the services, support requests, account settings, and written communications.
If Wodby believes an instruction violates applicable data protection law, Wodby may suspend execution of that instruction and notify the customer.
Confidentiality and security
Wodby will ensure personnel confidentiality and maintain appropriate technical and organizational security measures.
Wodby will ensure that personnel authorized to process customer personal data are subject to confidentiality obligations and receive access only on a need-to-know basis.
Wodby will maintain appropriate technical and organizational measures designed to protect customer personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the nature of the processing and the risks presented.
A summary of Wodby's current technical and organizational measures is published on the Security and TOMs page, which functions as Annex II-style detail for this DPA and the SCC package.
Subprocessors
Wodby may use subprocessors to deliver the services, subject to appropriate contractual protections, advance notice, and an objection process.
The customer authorizes Wodby to use subprocessors to support delivery of the services. Wodby will impose data protection obligations on subprocessors that are materially protective of customer personal data and consistent with Wodby's obligations under this DPA.
Information about Wodby's subprocessors and service-provider categories is available on the Subprocessors page. Wodby may update that list from time to time.
If Wodby appoints a new subprocessor that is reasonably likely to process customer personal data, Wodby will update the Subprocessors page before or as of the effective date of the change. The customer may object by written notice to [email protected] within 15 days after the update if the objection is based on reasonable, documented data protection concerns specific to that subprocessor.
If the parties cannot resolve the objection in good faith within a reasonable period, Wodby may use commercially reasonable efforts to provide an alternative, avoid the contested processing, or allow the customer to terminate the affected services without penalty for the portion of the services that cannot reasonably continue without the objected-to subprocessor.
Assistance with rights requests and compliance
Wodby will provide reasonable assistance for data subject rights requests, DPIAs, and regulator inquiries where required and feasible.
Taking into account the nature of the processing, Wodby will provide reasonable assistance to the customer to help it respond to requests from data subjects exercising applicable rights.
Wodby will also provide reasonable assistance, where required and feasible, with data protection impact assessments, prior consultations, and regulator inquiries relating to the services.
Personal data breaches
Wodby will notify the customer without undue delay after becoming aware of a confirmed personal data breach affecting customer personal data.
If Wodby becomes aware of a confirmed personal data breach affecting customer personal data processed under this DPA, Wodby will notify the customer without undue delay and provide reasonably available information to help the customer meet its legal obligations.
Wodby may provide information in phases as it becomes available and may take urgent steps to contain, mitigate, and remediate the incident before completing a full report.
International transfers
Where customer personal data is transferred internationally, the parties will rely on appropriate transfer mechanisms where required.
If customer personal data subject to transfer restrictions is transferred to a country that does not provide an adequate level of protection under applicable law, the parties will rely on an appropriate transfer mechanism, which may include the European Commission's Standard Contractual Clauses or an equivalent lawful mechanism.
Deletion, return, and audits
At the end of the services, Wodby will delete or return customer personal data as required, subject to limited retention exceptions.
At the end of the services and on the customer's documented request, Wodby will delete or return customer personal data, unless applicable law requires retention or limited retention is reasonably necessary for security, backup rotation, legal compliance, or dispute handling.
Wodby will make available information reasonably necessary to demonstrate compliance with this DPA and will provide reasonable cooperation for audits or assessments appropriate to the services and risk profile, subject to confidentiality, security, and operational safeguards.
Unless a confirmed incident or mandatory law requires otherwise, audits should begin with documentation review, written responses, or remote assessment materials before any on-site or highly intrusive review is requested.
Annex I style processing description
This section provides procurement-friendly processing detail for the parties, data, purposes, and duration.
| Item | Detail |
| --- | --- |
| Parties | Exporter or disclosing party: the customer identified in the applicable order or account. Importer or receiving party: Wodby Inc. |
| Business roles | Customer: controller or business. Wodby: processor or service provider, unless a specific activity is documented differently in writing. |
| Subject matter | Provision of the services, including hosting, deployment, monitoring, support, troubleshooting, backups, imports, and related operational tasks. |
| Duration | For the term of the services and any limited post-termination period required for deletion workflows, backups, security, legal compliance, or dispute resolution. |
| Data subjects | The customer's end users, employees, contractors, business contacts, and other individuals whose personal data the customer submits or makes available through the services. |
| Data categories | Account data, contact data, application and database contents, logs, backups, support materials, import archives, and other data selected by the customer for processing through the services. |
| Processing purposes | Delivering the services, maintaining availability and security, providing support, carrying out customer instructions, and meeting legal or contractual obligations. |
| Sensitive data expectation | Wodby does not intend to receive special-category or similarly regulated data unless the parties expressly agree in writing that the services and controls support that use case. |
Annex II style TOMs reference
This section identifies where Wodby’s current technical and organizational measures are described.
Wodby's current technical and organizational measures are described on the Security and TOMs page, including controls relating to governance, access restriction, confidentiality, encryption, monitoring, vulnerability management, incident response, resilience, backup, and subprocessor oversight.
Wodby may update those measures from time to time, provided that the changes do not materially reduce the overall security protections for customer personal data in the relevant services.
Annex III style subprocessor reference
This section identifies where Wodby’s authorized subprocessors are listed and how customer objections are handled.
Wodby's current subprocessors and related service-provider roles are listed on the Subprocessors page. That page forms the current Annex III-style reference for this DPA and the SCC package.
New subprocessor appointments are subject to the notice and objection process described above under the Subprocessors section.