Data Processing Agreement

Last updated: [DATE]

This Data Processing Agreement (“DPA”) forms part of the agreement between [COMPANY LEGAL NAME] (“Processor”, “KWAYZER”) and the customer (“Controller”) and reflects the parties’ agreement on the processing of personal data in accordance with Article 28 of the GDPR.

1. Roles of the Parties

The Controller determines the purposes and means of processing Customer Personal Data. KWAYZER acts as Processor and processes Customer Personal Data only on documented instructions from the Controller, including with regard to international transfers, unless required to act otherwise by applicable law.

2. Subject Matter & Duration

The subject matter is the provision of the KWAYZER Service. Processing continues for the duration of the agreement and until deletion or return of Customer Personal Data as set out in this DPA.

3. Nature & Purpose of Processing

KWAYZER processes Customer Personal Data to host, operate, maintain, secure, and support the Service, and to provide the features requested by the Controller, including AI-assisted functionality.

4. Categories of Data Subjects & Personal Data

  • Data subjects — the Controller’s authorized users, customers, prospects, and contacts.
  • Personal data — identifiers and contact details, account and profile information, communication content, and usage and activity data submitted to the Service.

5. Sub-Processors

The Controller authorizes KWAYZER to engage the sub-processors listed in KWAYZER’s Privacy Policy (including Supabase, Stripe, Resend, Anthropic, and PostHog). KWAYZER imposes data protection obligations on each sub-processor consistent with this DPA and remains responsible for their performance. KWAYZER will provide reasonable prior notice of any intended changes, allowing the Controller to object on reasonable grounds.

6. Security Measures

KWAYZER implements appropriate technical and organizational measures under Article 32 GDPR, including encryption in transit, access controls and least-privilege principles, network and infrastructure security, logging and monitoring, regular backups, and personnel confidentiality obligations.

7. Data Subject Requests

Taking into account the nature of the processing, KWAYZER will assist the Controller by appropriate technical and organizational measures, insofar as possible, in responding to requests from data subjects exercising their rights under Chapter III of the GDPR.

8. Breach Notification

KWAYZER will notify the Controller without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information reasonably necessary to enable the Controller to meet its own notification obligations.

9. Audits

KWAYZER will make available information reasonably necessary to demonstrate compliance with Article 28 GDPR and will allow for and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates, subject to reasonable confidentiality and scheduling arrangements.

10. Deletion or Return of Data

Upon termination of the Service, KWAYZER will, at the Controller’s choice, delete or return Customer Personal Data and delete existing copies, unless retention is required by applicable law.

11. Governing Law

This DPA is governed by the laws of [CITY, COUNTRY] within the European Union. In the event of a conflict between this DPA and the main agreement regarding the processing of personal data, this DPA prevails.

12. Contact

For matters relating to this DPA, contact [CONTACT EMAIL] or [COMPANY LEGAL NAME], [ADDRESS], [CITY, COUNTRY].