Wippit

Data Processing Addendum (DPA)

Effective date: July 1, 2026 Last updated: July 1, 2026

This Data Processing Addendum ("DPA") forms part of the Terms and Conditions (the "Agreement") between Wippit Systems LLC ("Wippit", "Processor") and the customer identified in the Agreement ("Customer", "Controller", or "Tenant"), and governs Wippit's processing of Personal Data on the Customer's behalf in connection with the wipp.it platform and related services (the "Service").

In the event of a conflict between this DPA and the Agreement with respect to the processing of Personal Data, this DPA prevails.


1. Scope and Roles

1.1 This DPA applies where Wippit processes Personal Data on the Customer's behalf as a processor — that is, personal data that the Customer or its end users submit to, create in, or store through the Service ("Customer Personal Data").

1.2 As between the parties, the Customer is the controller (or processor acting for a third-party controller) and Wippit is the processor of Customer Personal Data.

1.3 Out of scope. This DPA does not cover data for which Wippit is itself a controller — in particular, Wippit account, billing, and Wippit Network / WAS identity data (such as a user's email or phone used to provide a single Wippit identity). Wippit's handling of that data is described in the Wippit Privacy Policy. The Customer remains responsible, as controller, for the personal data its own services collect from its users.

2. Definitions

"Applicable Data Protection Law" means all privacy and data-protection laws applicable to the processing, including, as applicable, the California Consumer Privacy Act as amended by the CPRA ("CCPA") and other U.S. state privacy laws, the EU and UK General Data Protection Regulation ("GDPR"), and Mexico's Federal Law on Protection of Personal Data Held by Private Parties ("LFPDPPP").

"Personal Data," "controller," "processor," "data subject," "processing," and "personal data breach" have the meanings given in Applicable Data Protection Law. "Subprocessor" means any third party engaged by Wippit to process Customer Personal Data. "Standard Contractual Clauses" or "SCCs" means the clauses approved by the European Commission for transfers of personal data to third countries.

3. Processing of Customer Personal Data

3.1 Instructions. Wippit will process Customer Personal Data only on the Customer's documented instructions, including as set out in the Agreement, this DPA, and the Customer's use and configuration of the Service, unless required by law (in which case Wippit will, where permitted, inform the Customer first).

3.2 Purpose limitation. Wippit will not process Customer Personal Data for its own purposes, will not sell it, and will not "share" it for cross-context behavioral advertising. Wippit certifies that it understands and will comply with these CCPA restrictions.

3.3 Details of processing. The subject matter, duration, nature, purpose, types of Personal Data, and categories of data subjects are described in Annex I.

4. Confidentiality

Wippit will ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and process the data only as necessary to provide the Service.

5. Security

5.1 Wippit will implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, as described in Annex II.

5.2 Wippit maintains such measures "as secure as current technology reasonably allows"; no method of protection can be guaranteed absolutely or indefinitely.

6. Subprocessors

6.1 The Customer provides general authorization for Wippit to engage Subprocessors to process Customer Personal Data. Current Subprocessors are listed in Annex III and include, at minimum, the infrastructure and communications providers necessary to operate the Service (for example, Amazon Web Services for hosting and storage, Stripe for payment processing, and email-delivery providers).

6.2 Wippit will impose data-protection obligations on each Subprocessor that are no less protective than those in this DPA, and remains responsible for its Subprocessors' performance.

6.3 Wippit will give the Customer reasonable prior notice of the addition or replacement of a Subprocessor. If the Customer reasonably objects on data-protection grounds, the parties will work in good faith to resolve the concern; if they cannot, the Customer may terminate the affected part of the Service.

7. Data Subject Requests

7.1 Taking into account the nature of the processing, Wippit will provide reasonable assistance (including appropriate technical and organizational measures) to help the Customer respond to requests from data subjects to exercise their rights under Applicable Data Protection Law.

7.2 If Wippit receives a request directly from a data subject regarding Customer Personal Data, it will, unless legally prohibited, promptly forward the request to the Customer and will not respond except on the Customer's instructions.

8. Personal Data Breach

Wippit will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information reasonably available to it to help the Customer meet its own notification obligations.

9. Assistance and Compliance

Taking into account the nature of processing and information available to Wippit, Wippit will provide reasonable assistance to the Customer with data protection impact assessments and prior consultations with supervisory authorities, where required by Applicable Data Protection Law.

10. Audits

Wippit will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates, subject to reasonable notice, confidentiality, and frequency limits, and at the Customer's expense. Wippit may satisfy this obligation by providing third-party certifications or reports where available.

11. International Transfers

11.1 Where Customer Personal Data originating in the European Economic Area, the United Kingdom, or Switzerland is transferred to Wippit in a country not recognized as providing an adequate level of protection, the Standard Contractual Clauses are incorporated into this DPA by reference and apply to that transfer, with the Customer as data exporter and Wippit as data importer, completed as set out in Annex IV. The UK International Data Transfer Addendum applies to UK transfers.

11.2 The parties will reasonably cooperate to implement any additional transfer mechanism required by Applicable Data Protection Law.

12. Deletion and Return

Upon termination or expiry of the Agreement, Wippit will, at the Customer's choice, delete or return Customer Personal Data, and delete existing copies, except to the extent retention is required by law. Aggregated or de-identified data that no longer identifies any individual is not subject to this Section.

13. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.

14. Term

This DPA takes effect on the effective date above and remains in force for as long as Wippit processes Customer Personal Data under the Agreement.


Annex I — Details of Processing

Annex II — Technical and Organizational Security Measures

Annex III — Subprocessors (current)

Subprocessor Purpose Location
Amazon Web Services, Inc. Hosting, storage, infrastructure United States
Stripe, Inc. Payment processing United States
Email-delivery provider(s) Transactional and notification email United States

A current list is available on request; Wippit will provide notice of changes as set out in Section 6.

Annex IV — Standard Contractual Clauses (completion)


Contact: Wippit Systems LLC — 17350 State Hwy 249, Ste 220 #30606, Houston, Texas 77064, USA — support@wippit.systems