Data Processing Agreement (DPA)

Version 2.0 · Effective from June 2026 · This version supersedes any prior DPA accepted during pilot or trial periods

This Data Processing Agreement ("DPA") forms an integral part of the Order Form and Terms of Service entered into between Wismify (the "Processor") and the Customer (the "Controller"), and governs the processing of personal data carried out by Wismify on behalf of the Customer in connection with the Services.

This DPA is concluded pursuant to Article 28 of Regulation (EU) 2016/679 (the "GDPR") and Spanish Organic Law 3/2018 (the "LOPDGDD"). Both parties undertake to comply with all applicable data protection laws.

1. Definitions

  • "Personal Data", "Processing", "Controller", "Processor", "Sub-processor", "Data Subject" and "Personal Data Breach" have the meanings set forth in the GDPR.
  • "Services" means the customer support platform, AI agents, voice integrations and related modules provided by Wismify under the Order Form.
  • "Sub-processor" means any third party engaged by Wismify to process Controller Personal Data, as listed in Annex II.

2. Subject Matter, Duration and Purpose

Wismify processes Controller Personal Data exclusively for the purpose of providing the Services described in the Order Form, on documented instructions from the Controller. The duration of processing coincides with the term of the Order Form, plus any post-termination retention period required by law or expressly agreed by the parties.

3. Categories of Personal Data and Data Subjects

The processing covers, as a general rule, the following categories:

  • Personal contact data: name, email, phone, postal address, IP address.
  • Account and authentication data: user identifiers, hashed credentials, session tokens, MFA factors, audit logs.
  • Communication content: email message bodies, chat transcripts, voice call transcripts and recordings, IM content, internal notes, attachments.
  • Interaction metadata: ticket history, status, channel, timestamps, assignments, response times.
  • Commercial / operational data referenced in support interactions: order references, transaction IDs, shipping addresses, returns information.
  • Technical metadata: device info, user-agent, access timestamps, security and audit log entries.

Categories of Data Subjects: end-customers of the Controller; employees, agents and contractors of the Controller (panel users); business partners, suppliers, prospects and website visitors of the Controller.

Special categories of data (Article 9 GDPR): not intentionally processed. Where data subjects voluntarily include such information within communications, the data is treated as content within the categories above; no automated processing of special categories is performed.

4. Obligations of the Processor

  • Process Controller Personal Data only on documented instructions from the Controller.
  • Ensure that persons authorised to process Controller Personal Data are bound by confidentiality obligations.
  • Implement the technical and organisational measures described in Annex III.
  • Engage Sub-processors solely in accordance with Section 8 below.
  • Assist the Controller in fulfilling its obligations to respond to Data Subject rights requests as set out in Section 5.
  • Assist the Controller with security, breach notification, impact assessments and prior consultations pursuant to Articles 32-36 GDPR.
  • Upon termination, return or delete all Controller Personal Data unless retention is required by Union or Member-State law.
  • Make available to the Controller all information necessary to demonstrate compliance and allow for audits in line with Section 11.

5. Data Subject Rights Assistance

The Processor shall assist the Controller, by appropriate technical and organisational measures, in fulfilling its obligation to respond to requests for exercising data subject rights under Articles 15–22 GDPR. The Processor shall forward any relevant information to gdpr@ecoalf.com (or the address provided by the Controller in the Order Form) within three (3) business days of becoming aware of such requests.

6. Confidentiality

The Processor shall ensure that all personnel processing Controller Personal Data are subject to written confidentiality undertakings equivalent in effect to those of this DPA, both during the term and after termination of their relationship with the Processor.

7. Technical and Organisational Security Measures (Article 32 GDPR)

The Processor implements the technical and organisational measures detailed in Annex III — Technical and Organisational Measures, including:

  • Encryption in transit (TLS 1.3) and at rest (AES-256-GCM) for tokens, secrets and sensitive fields.
  • Mandatory MFA for all internal users with access to Controller data, principle of least privilege, quarterly access reviews.
  • Multi-tenant architectural isolation by owner_id with row-level security (RLS) at database layer.
  • Primary data hosting within the EU (Supabase eu-central-1, Frankfurt; Hetzner Online GmbH, Germany).
  • Encrypted backups with 30-day retention; geographically redundant disaster recovery.
  • Centralised audit logging with 90-day retention; anomaly detection on administrative actions.
  • Documented incident response runbook with defined escalation chain and post-incident review.
  • Confidentiality agreements and GDPR awareness training for all personnel with access to Controller data.

Wismify intends to pursue ISO 27001 certification as part of its information security roadmap, without contractual deadline at this stage. Security questionnaires (SIG Lite) and Annex III evidence are available to the Controller upon written request.

Wismify maintains executed Data Processing Agreements with each Sub-processor listed in Annex II, accepted through the relevant provider's Terms of Service or executed as separate addenda. Public URLs of each Sub-processor DPA are available upon written request.

8. Sub-processors

8.1 General authorisation

The Controller hereby grants general written authorisation for the engagement of the Sub-processors listed in Annex II. The Processor shall provide the Controller with at least thirty (30) calendar days' prior written notice of any intended addition or replacement of Sub-processors. The Controller may object in writing within that period on reasonable data-protection grounds. If the parties cannot agree on a resolution, the Controller may terminate the affected Services without penalty as its sole and exclusive remedy.

8.2 Processor liability for Sub-processors (Art. 28(4) GDPR)

Where a Sub-processor fails to fulfil its data protection obligations, Wismify shall remain fully liable to the Controller for the performance of that Sub-processor's obligations.

8.3 Sub-processor flow-down

Each Sub-processor shall be bound by data protection obligations no less protective than those imposed on the Processor under this DPA. Where a Sub-processor is located outside the EEA, the transfer mechanism set forth in Annex II shall apply.

9. International Data Transfers

The Controller grants its express written authorisation for international data transfers solely to those Sub-processors listed in Annex II, in accordance with the transfer mechanism specified for each. Any additional international transfer shall require prior written authorisation in accordance with Section 8.

10. Personal Data Breach Notification

The Processor shall notify the Controller at gdpr@ecoalf.com (or the address provided by the Controller in the Order Form) without undue delay, and in any event no later than forty-eight (48) hours after becoming aware of a Personal Data Breach affecting Controller's data, providing the information specified in GDPR Article 33(3). Where the full information cannot be provided within this timeframe, the Processor shall provide it in phases without further undue delay.

11. Audits and Records

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and Article 28 GDPR, and shall allow for and contribute to audits conducted by the Controller or another auditor mandated by the Controller. Audits shall be carried out with reasonable prior notice, no more than once per calendar year (except in cases of documented incident), during normal business hours and in a manner that minimises disruption to the Processor's operations.

12. Return or Deletion of Personal Data

Upon termination of the Services, and at the choice of the Controller, the Processor shall return all Controller Personal Data and delete existing copies within thirty (30) days, unless Union or Member-State law requires retention of the data for a longer period.

13. Records of Processing

The Processor maintains a record of all categories of processing activities carried out on behalf of the Controller, as required by Article 30(2) GDPR. Such record is available upon written request from the Controller.

14. Term and Termination

This DPA shall remain in effect for as long as the Processor processes Controller Personal Data pursuant to the Order Form. The provisions relating to confidentiality, return/deletion of data, audits and liability shall survive termination.

15. Liability and Indemnification

15.1 General Liability Cap

Subject to Sections 15.3 and 15.3.bis, the aggregate liability of each party arising out of or relating to this Agreement (whether in contract, tort, statute or otherwise) shall not exceed the total fees paid or payable by the Controller to the Processor under the corresponding Order Form during the twelve (12) months preceding the event giving rise to the claim.

15.2 Enhanced Cap for Data Protection Breaches

Notwithstanding Section 15.1, the Processor's liability for breaches of its obligations under this DPA caused by the Processor's negligence shall be limited to an amount equal to two (2) times the total fees paid or payable by the Controller in the twelve (12) months preceding the breach.

15.3 Excluded from the Cap

The limitations of liability in Sections 15.1 and 15.2 shall NOT apply to liability arising from:

  • the Processor's gross negligence or wilful misconduct;
  • breach of confidentiality involving wilful or grossly negligent disclosure of Controller Personal Data to unauthorised third parties;
  • third-party intellectual property infringement indemnification.

15.3.bis Enhanced Cap for Regulatory Fines

The Processor's liability for administrative fines lawfully imposed on the Controller by a supervisory authority under Article 83 GDPR shall be limited to five (5) times the total fees paid or payable by the Controller in the twelve (12) months preceding the breach, and shall only apply to the extent such fines are documented to result directly and exclusively from the Processor's gross negligence or wilful misconduct in breach of its obligations under this DPA.

15.4 Indemnification

The Processor shall indemnify and hold harmless the Controller against direct losses arising from the matters set forth in Sections 15.3 and 15.3.bis, subject to the Controller (a) giving prompt written notice of any claim, (b) granting the Processor sole control of the defence and settlement, and (c) cooperating in good faith.

16. Assignment

Wismify may assign this Agreement, in whole or in part, to (i) an affiliate, (ii) a successor entity resulting from a corporate reorganisation, merger, consolidation or sale of all or substantially all of its assets, or (iii) a newly incorporated Spanish entity controlled by the same beneficial owner, upon written notice to the Controller. Any permitted assignee shall remain bound by the terms hereof. The Controller may object on reasonable data-protection grounds within thirty (30) calendar days of the notice.

17. Governing Law and Jurisdiction

This DPA shall be governed by the laws of Spain. The parties submit to the exclusive jurisdiction of the courts of Madrid for any dispute arising out of or in connection with this DPA, without prejudice to mandatory consumer-protection provisions where applicable.

Annex I — Description of Processing

Subject matter: Customer support operations management (tickets, voice, chat, AI assistance, analytics).

Duration: Term of the Order Form plus any required retention period.

Nature and purpose: Provision of the Services as defined in the Order Form, on documented instructions from the Controller.

Types of Personal Data and categories of Data Subjects: as listed in Section 3.

Annex II — Authorised Sub-processors

Sub-processor Service Location Transfer mechanism
Supabase Inc. (AWS eu-central-1)Database & authenticationEU (Germany)N/A — no international transfer
Hetzner Online GmbHApplication hosting (VPS)EU (Germany)N/A — no international transfer
Anthropic, PBCAI inference (Claude)USASCCs 2021/914, Module 3
ElevenLabs Inc.Voice AI synthesisUSASCCs 2021/914, Module 3
Twilio Inc. / Twilio Ireland LimitedVoice telephony & SMS infrastructureUSA / IrelandSCCs 2021/914 + EU-US Data Privacy Framework

Not Sub-processors: Google LLC (Customer's own email infrastructure is used for outbound communications, e.g. Microsoft 365 / Microsoft Graph API where connected), Meta Platforms Ireland Ltd. (WhatsApp not enabled in scope), OpenAI, L.L.C. (used solely for Processor's internal services unrelated to Controller data), Vercel, Inc. (Next.js is an open-source framework; production hosting runs on Hetzner), ByteDance / TikTok (marketing website only, no Controller data processed).

Annex III — Technical and Organisational Measures

Encryption

  • TLS 1.3 in transit for all client-server communications.
  • AES-256-GCM at rest for tokens, secrets and sensitive PII fields.
  • Database-level encryption managed by infrastructure provider (Supabase / AWS).

Identity & Access

  • Mandatory MFA for all internal users with access to Controller data.
  • Principle of least privilege; access scoped to job function.
  • Quarterly access reviews; immediate revocation upon offboarding (target <24 hours).

Multi-tenant isolation

  • Architectural isolation by owner_id with row-level security (RLS) at database layer.
  • No shared compute, storage or query context between tenants.

Infrastructure

  • Primary data hosted within the EU (Supabase eu-central-1, Frankfurt; Hetzner Online GmbH, Germany).
  • Encrypted backups with 30-day retention.
  • Geographically redundant disaster recovery.

Logging & Monitoring

  • Centralised access logs with 90-day retention.
  • Anomaly detection on administrative actions.
  • Alerting on unauthorised access attempts.

Incident Response

  • Documented incident response runbook.
  • Defined escalation chain.
  • Post-incident review for all P1 events.

Personnel

  • Confidentiality agreements signed by all personnel with access to Controller data.
  • GDPR awareness training during onboarding and annually thereafter.

If you have any questions about this DPA, contact us at legal@wismify.com.

© 2026 Wismify. All rights reserved.