Data Processing Agreement

This Data Processing Agreement supplements the Terms of Service and applies when Wodby processes personal data on behalf of a customer in connection with the services.

The DPA forms part of the agreement between Wodby and the customer for the relevant services. If there is a conflict between this DPA and the Terms of Service regarding processing of personal data, this DPA controls for that subject matter.

For customer personal data processed under this DPA, the customer acts as controller or business, and Wodby acts as processor or service provider, unless the parties expressly agree otherwise in writing for a specific processing activity.

The customer is responsible for the lawfulness of the personal data and its instructions to Wodby, including providing any required notices and obtaining any required permissions.

Subject matter: the processing of customer personal data necessary to provide the services, including hosting, deployment, monitoring, backups, imports, support, security, troubleshooting, and related operational activities.

Duration: for the term of the services and any limited post-termination retention period needed for deletion workflows, legal compliance, security, or dispute resolution.

Categories of data may include account data, contact data, application data, database contents, logs, backups, import archives, and other personal data the customer chooses to submit or process through the services. Data subjects may include the customer's end users, employees, contractors, and other individuals whose data the customer submits.

Wodby will process customer personal data only on documented instructions from the customer, including instructions given through the normal use of the services, support requests, account settings, and written communications.

If Wodby believes an instruction violates applicable data protection law, Wodby may suspend execution of that instruction and notify the customer.

Wodby will ensure that personnel authorized to process customer personal data are subject to confidentiality obligations and receive access only on a need-to-know basis.

Wodby will maintain appropriate technical and organizational measures designed to protect customer personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the nature of the processing and the risks presented.

The customer authorizes Wodby to use subprocessors to support delivery of the services. Wodby will impose data protection obligations on subprocessors that are materially protective of customer personal data and consistent with Wodby's obligations under this DPA.

Information about Wodby's subprocessors and service-provider categories is available on the Subprocessors page. Wodby may update that list from time to time.

Taking into account the nature of the processing, Wodby will provide reasonable assistance to the customer to help it respond to requests from data subjects exercising applicable rights.

Wodby will also provide reasonable assistance, where required and feasible, with data protection impact assessments, prior consultations, and regulator inquiries relating to the services.

If Wodby becomes aware of a confirmed personal data breach affecting customer personal data processed under this DPA, Wodby will notify the customer without undue delay and provide reasonably available information to help the customer meet its legal obligations.

Wodby may provide information in phases as it becomes available and may take urgent steps to contain, mitigate, and remediate the incident before completing a full report.

If customer personal data subject to transfer restrictions is transferred to a country that does not provide an adequate level of protection under applicable law, the parties will rely on an appropriate transfer mechanism, which may include the European Commission's Standard Contractual Clauses or an equivalent lawful mechanism.

At the end of the services and on the customer's documented request, Wodby will delete or return customer personal data, unless applicable law requires retention or limited retention is reasonably necessary for security, backup rotation, legal compliance, or dispute handling.

Wodby will make available information reasonably necessary to demonstrate compliance with this DPA and will provide reasonable cooperation for audits or assessments appropriate to the services and risk profile, subject to confidentiality, security, and operational safeguards.