WunderGraph, Inc. Data Processing Agreement (DPA)

Last modified: August 1st, 2024

This Data Processing Addendum (“DPA”) supplements the WunderGraph Cosmo Managed Service Terms of Use available at https://wundergraph.com/cosmo-managed-service-terms and/or individually–agreed Cosmo Enterprise Master Services Agreement (each the “Terms”), as applicable, between WunderGraph, Inc. (“WunderGraph” or “Processor”) and Customer (as defined in the applicable Agreement) (each, a “Party” and collectively, the “Parties”), and this DPA forms a binding part of the Terms. Processor agrees that it shall comply with the following provisions with respect to all Customer Personal Data (as defined below) for Customer. This DPA stipulates privacy, confidentiality, and security requirements and demonstrates compliance with applicable Data Protection Laws (as defined below). Capitalized terms not otherwise defined herein have the meaning given to them in the Terms.

WHEREAS,

The Customer acts as the “Data Controller” or “business” (as defined under applicable Data Protection Laws) and the Customer wishes to engage Processor to provide the Service, which may require the processing of Customer Personal Data. The Parties seek to implement a DPA in compliance with applicable Data Protection Laws.

The Parties hereby agree to the following:

1. Definitions

a. “Data Protection Laws” means any treaty, directive, laws, or regulations of any competent jurisdiction(s) that regulates the data privacy and security of Personal Information, including without limitation, GDPR, UK GDPR, Canadian Privacy Law, and the California Privacy Law as defined below, as applicable.

b. “California Privacy Law” means the California Consumer Privacy Act of 2018 (CCPA) as amended by the California Privacy Rights Act of 2020 (CPRA), California Civil Code §§ 1798.100 et seq., including implementing regulations, as may be amended, superseded, or replaced.

c. “Canadian Privacy Law” means the Canadian federal Personal Information Protection and Electronic Document Act (“PIPEDA”), as may be amended, superseded, or replaced.

d. “Customer Personal Data” means Personal Information created wherever located, which is collected, generated, licensed, leased, or purchased by or on behalf of Customer, or otherwise under the control or responsibility of Customer.

e. “GDPR” means the General Data Protection Regulation (EU) 2016/679.

f. “UK GDPR” means the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679.

g. “Personal Information” means information or data (regardless of format) that (i) identifies or can be used to identify, contact, or locate an individual, or (ii) relates to an individual, whose identity can be either directly or indirectly inferred, including any information that is linked or linkable to that individual regardless of the citizenship, age, or other status of the individual. Personal Information does not include: (x) publicly available information from government records; or (y) deidentified or aggregated information.

h. “Processing” or “Process” means any operation or set of operations which is performed upon Customer Personal Data, whether or not by automatic means, such as access, collection, compilation, use, disclosure, duplication, organization, storage, alteration, transmission, combination, redaction, erasure, or destruction.

i. “Sub-Processor(s)” means any entity engaged by Processor to help provide the Service and that has access to Customer Personal Data.

2. Data Processor Responsibilities

a. Processor shall:

i. Maintain ongoing compliance with all applicable Data Protection Laws in the Processing of Customer Personal Data;

ii. Not process data other than that which is covered by Customer’s documented instructions or as set forth in the applicable Terms;

iii. Take reasonable measures to ensure that any employee, agent or contractor of any Contracted Processor who may have access to Personal Data complies with the applicable Data Security laws in the same and equal manner in which the Data Processor complies with such laws; and

iv. Immediately inform Customer in writing if it cannot comply with any material term of this DPA. If this occurs, Customer may use reasonable efforts to remedy the non-compliance, and Customer shall be entitled to terminate any of Processor’s further Processing of Customer Personal Data, in accordance with the provisions contained in the Terms.

b. To the extent any Customer Personal Data constitutes “personal information” as defined in the California Privacy Law (“California Personal Information”), the Parties agree that Customer is a “business” and that it appoints Processor as its “service provider” for the purposes of the California Privacy Law. As such, Processor shall not (i) “sell” or “share” California Personal Information, (ii) retain, use, disclose, and otherwise Process California Personal Information, for any purposes other than for the business purposes of providing the Service as specified in the Terms, or as otherwise permitted by the California Privacy Law (“Permitted Purposes”); (iii) retain, use or disclose such California Personal Information for a commercial purpose other than the Permitted Purposes, (iv) retain, use, or disclose such California Personal Information outside of the direct business relationship between the Parties; or (v) combine the California Personal Information received from or on behalf of Customer with Personal Information that Processor (1) receives from, or on behalf of, another person or persons, or (2) collects from its own interaction with the consumer, unless otherwise approved by Customer in writing. For purposes of complying with the California Privacy Law, Processor certifies that it understands the rules, restrictions, and requirements, set out in this section and will comply with these terms.

c. Notwithstanding anything to the contrary, Processor may use Customer Personal Data for its own internal business purposes on the conditions that (i) the Customer Personal Data is aggregated with other Processor data such that Processor cannot separate out Customer Personal Data from Processor’s other data; and (ii) the Customer Personal Data is anonymized so that no Personal Information is available, including IP addresses.

3. Security of Data Processing

a. Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to mitigate security risks.

b. Processor shall take account of particular risks associated with Breaches (as defined below) of Personal Information and establish a process by which to address and remedy Breaches of Personal Information.

4. Sub-processing

a. Processor may engage third-party Sub-Processors in connection with the provision of the Service. The current list of Sub-Processors is set forth in Schedule 1 attached hereto, which may be amended or updated by Processor from time to time upon written notice to Customer.

5. Data Subject Rights

a. Data Subjects are those individuals who share their Personal Information with Customer, which thereby shares such information with Processor.

b. Processor shall promptly notify Customer of any requests received by Processor from Data Subjects with respect to Customer Personal Data.

c. Processor will not respond to Data Subject requests unless expressly authorized by Customer or as required by applicable Data Protection Laws.

6. Personal Data Breach

a. Processor shall notify Customer without any undue delay if Processor becomes aware of an unauthorized or illegal access, destruction, use, modification, or disclosure (“Breach”) that affects Customer Personal Data, and shall provide Customer with sufficient information to allow Customer to fulfill its reporting obligations and inform the affected Data Subjects of the Breach.

b. Processor shall cooperate with Customer and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of the Breach.

7. Deletion or Return of Customer Personal Data

a. Upon the termination of its Service to Customer, Processor shall delete all copies of Customer Personal Data in its possession within ten (10) business days of the effective date of termination of Services.

b. Processor shall provide written certification to the Customer that it has fully complied with the requirements of this section.

8. Audit Rights

a. Subject to this section, Processor shall make available upon Customer’s request, all information necessary to demonstrate Processor’s compliance with this DPA, and shall allow for and cooperate with audits, including inspections by Customer or an auditor authorized by Customer.

b. Customer will provide reasonable notice of such audits, and they shall be conducted in a manner to avoid causing undue disruption to Processor's operations.

9. Data Transfer

a. Processor may not transfer or authorize transfer of data from the United Kingdom (UK), European Union (EU) and/or the European Economic Area (EEA) to countries outside of the UK, EU and/or EEA without the prior written consent of the Customer.

b. If Customer Personal Data processed under this DPA is transferred from the UK or a country within the EU or EEA to a country outside the UK, EU or EEA, the Parties shall ensure that the Personal Data is adequately protected in accordance with applicable Data Protection Laws. To achieve this, the Parties shall rely on EU approved standard contractual clauses (“Standard Contractual Clauses”) for the transfer of Personal Data. For any transfers of Customer Personal Data subject to GDPR, UK GDPR or equivalent Data Protection Laws, the Parties hereby agree to negotiate such Standard Contractual Clauses in good faith and amend this DPA by reference accordingly. In the event of any conflict or inconsistency between this DPA and the applicable Standard Contractual Clauses, the applicable Standard Contractual Clauses shall prevail to the extent of the conflict.

10. Confidentiality

a. Each Party must keep this DPA and any information it receives about the other Party and its business related to this DPA confidential, and neither Party shall disclose such information without prior written consent of the other Party unless (i) disclosure is required by law; or (ii) the relevant information is already in the public domain.

SCHEDULE 1

List of Sub-Processors

Name                      Purpose / Type of Service                                                Data Hosting Location
Google LLC                Google Cloud Platform (GCP) to host and provide Cosmo, data storage      U.S.A.
Clickhouse, Inc.          Serverless database service for storing analytics, tracing data          U.S.A.
Cloudflare, Inc.          Content Delivery Network (CDN) for caching, system/network protection    U.S.A.
ActiveCampaign LLC        E-mail communication automation                                          U.S.A.
Cloud-IAM Software Inc    Authentication and identity management                                   EU
Slack Technologies, LLC   Communication with customer engineering teams, support channel           U.S.A.
Konfetti, Inc.            Web analytics                                                            U.S.A.
Stripe, Inc.              Collecting and managing payments for our services                        U.S.A.
GitHub, Inc.              Open-source repository management and versioning                         U.S.A.
Linear Orbit, Inc.        Ticket system                                                            U.S.A.
Xero Limited              Accounting                                                               U.S.A.
HubSpot, Inc.             Customer Relationship Management (CRM)                                   U.S.A.
Pylon Labs, Inc.          Support request management                                               U.S.A.
Crisp IM SAS              Website chat widget                                                      EU