Data Processing Agreement (DPA)

This Data Processing Agreement (“DPA”) forms part of the agreement between Whobela and any business or organizational customer (“Customer”) that uses Whobela in a way that involves Whobela processing personal data on the Customer's behalf, to the extent required by the GDPR or equivalent data protection law. Where Whobela is acting as controller of a User's or Visitor's personal data in the ordinary operation of the consumer-facing Service, this DPA does not apply, and our Privacy Policy governs instead.

1. Roles

• Customer acts as the data controller for personal data it submits to or collects via the Service in a business context.
• Whobela acts as the data processor, processing personal data only on behalf of, and under the instructions of, the Customer for the purposes of providing the Service.

2. Processing Instructions

Whobela will process personal data only as necessary to provide the Service, in accordance with the Customer's documented instructions, and as otherwise required by applicable law. If Whobela believes an instruction violates data protection law, it will inform the Customer before carrying it out.

3. Confidentiality

Whobela ensures that personnel authorized to process personal data are bound by appropriate confidentiality obligations.

4. Security Measures

Whobela implements appropriate technical and organizational measures to protect personal data, including:

• Encryption of data in transit;
• Access controls limiting personal data access to personnel who need it;
• Hashed storage of account passwords;
• Regular review and improvement of security practices;
• Monitoring and processes to detect and respond to security incidents.

5. Subprocessors

Whobela uses the following categories of subprocessors to provide the Service: hosting providers, payment processors (Stripe, PayPal), storage providers, analytics providers, and email delivery providers. Whobela ensures subprocessors are bound by data protection obligations consistent with this DPA, and will make reasonable efforts to notify Customers of material changes to subprocessors where required by law.

6. Data Subject Requests

Whobela will provide reasonable assistance to the Customer in responding to requests from data subjects exercising their rights under applicable data protection law, to the extent Whobela is able to do so.

7. Personal Data Breach

Whobela will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's data, and will provide reasonably available information to help the Customer meet its own notification obligations.

8. International Transfers

Where personal data is transferred outside the Customer's jurisdiction, Whobela will use appropriate safeguards as required by applicable data protection law (such as Standard Contractual Clauses).

9. Data Deletion

On termination of the Service, or upon Customer request, Whobela will delete or return personal data processed on the Customer's behalf, except to the extent retention is required by applicable law, consistent with the retention practices described in our Privacy Policy.

10. Audits

Whobela will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, subject to reasonable notice and confidentiality protections.

11. Contact

Questions about this DPA can be sent to privacy@whobela.com.