Standard Contractual Clauses
This page explains how Wodby and its customers rely on Standard Contractual Clauses or equivalent mechanisms for restricted international transfers when required.
Purpose and scope
This page explains when Wodby and its customers rely on Standard Contractual Clauses for restricted international transfers and provides annex-style supporting detail.
This page supplements the Data Processing Agreement and describes the framework Wodby uses when customer personal data is transferred internationally and an appropriate transfer mechanism is required under applicable data protection law.
Where the European Commission's Standard Contractual Clauses or a substantially equivalent lawful mechanism are required for a restricted transfer, those clauses are incorporated by reference into the agreement between Wodby and the customer for the relevant services.
Party roles and module selection
The applicable SCC module depends on the legal roles the parties have for the transferred data.
For most customer personal data processed under the services, the customer acts as controller or business and Wodby acts as processor or service provider. In that case, the controller-to-processor module of the SCCs is intended to apply.
If a particular processing activity involves a different legal role allocation that the parties expressly document in writing, the corresponding SCC module will apply to that activity instead.
The SCCs apply only to transfers that actually require them. If another lawful transfer mechanism applies, including an adequacy decision or replacement statutory mechanism, that mechanism may be used instead to the extent legally permitted.
Annex I parties and transfer details
This section provides the parties, roles, data categories, purposes, and duration information typically requested for the SCC annexes.
| Data exporter | The customer identified in the applicable order, account, or written agreement. |
| Data importer | Wodby Inc. |
| Roles | Usually controller to processor for customer personal data handled through the services; another SCC module applies only where the parties specifically document a different role split. |
| Data subjects | The customer's end users, employees, contractors, and other individuals whose personal data is submitted to the services. |
| Data categories | Account data, contact data, workload and database contents, logs, support materials, backups, and import/export artifacts, depending on customer use of the services. |
| Special categories | Not intended by default unless the parties expressly agree in writing to a supported use case. |
| Frequency | Continuous, episodic, or on-demand depending on service usage, support activity, configuration, and customer instructions. |
| Nature and purpose of transfer | Hosting, deployment, support, troubleshooting, backup, monitoring, security, and related service operations as described in the DPA and customer instructions. |
| Retention | For the duration described in the DPA, including any limited retention period for deletion workflows, backups, security, legal compliance, or dispute resolution. |
Annex II technical and organizational measures
The SCC security annex is satisfied by Wodby’s published TOMs summary and the DPA security commitments.
The technical and organizational measures applicable to the services are described in the DPA and on the Security and TOMs page, including governance, access controls, confidentiality, encryption, monitoring, incident response, resilience, and subprocessor oversight measures.
Those measures may evolve over time, provided the overall level of protection for customer personal data is not materially reduced for the relevant transfers.
Annex III onward transfers and subprocessors
Wodby may rely on subprocessors for service delivery, subject to appropriate transfer safeguards and the DPA objection process.
Wodby may use subprocessors to support infrastructure, support, communications, diagnostics, and other service functions, consistent with the DPA and the information published on the Subprocessors page.
Where a subprocessor participates in a restricted transfer, Wodby will use a lawful onward-transfer mechanism as required, which may include SCCs, an adequacy decision, or another recognized legal basis.
The current subprocessor list is maintained on the Subprocessors page. Customer objections to new subprocessors are handled through the DPA notice and objection process.
Practical interpretation points
References in the SCCs are interpreted in the context of Wodby’s services, support workflows, and customer-controlled workloads.
- References to the main agreement mean the customer's applicable agreement with Wodby, including the Terms of Service, order form, and DPA.
- References to instructions include service configuration choices, support requests, API use, dashboard actions, and other documented directions issued by or on behalf of the customer.
- References to data deletion or return are subject to the operational limits, retention windows, and exceptions described in the DPA, including security, backup rotation, legal compliance, and dispute handling needs.
Changes to transfer mechanisms
If the law or official transfer mechanisms change, Wodby may update this page and rely on a replacement mechanism where appropriate.
If the SCCs are replaced, amended, or supplemented by a new approved transfer mechanism, Wodby may update this page and the incorporated mechanism accordingly, provided the replacement mechanism is legally recognized for the relevant transfers.
Wodby may also make updates needed to reflect changes in law, regulator guidance, subprocessor arrangements, or the services, so long as the overall level of protection required by applicable law is not materially reduced for the relevant restricted transfers.
Questions and signed copies
Questions about transfer mechanisms or requests for a countersigned copy can be sent to Wodby.
Questions about this page, international transfers, or requests for a countersigned SCC addendum can be sent to [email protected].