1. Definitions
Capitalized terms not defined here have the meanings given in the GDPR or CCPA, as applicable. “Personal Data,” “Processing,” “Controller,” “Processor,” “Sub-processor,” and “Data Subject” have the meanings given in Article 4 of the GDPR. “Personal Information,” “Business,” and “Service Provider” have the meanings given in the CCPA.
2. Subject Matter and Duration
The subject matter of the Processing is the provision of the Weaver platform and related services to the Controller. Processing will continue for the duration of the agreement and any post-termination wind-down period required for return or deletion of Personal Data.
3. Nature and Purpose of Processing
We Process Personal Data only to provide, secure, monitor, and improve the Weaver platform; to comply with our contractual obligations to the Controller; to comply with applicable law; and to follow the Controller's documented instructions, including configuration of the platform.
4. Categories of Data and Data Subjects
The categories of Personal Data and Data Subjects are determined by the Controller based on its use of the platform but typically include:
- Data Subjects: the Controller's end users, employees, customers, prospects, vendors, and other contacts.
- Personal Data categories: identifiers (name, email, phone), professional data (company, job title), commercial data (orders, invoices, expenses), usage and device data, and any other Personal Data the Controller chooses to upload to or generate within the platform.
5. Sub-processors
The Controller authorizes us to engage Sub-processors to support the platform. Our current Sub-processors include:
- Vercel, Inc. — web hosting, edge delivery, and platform analytics.
- MongoDB, Inc. — primary managed database.
- Stripe, Inc. — payment processing and fraud prevention.
- Google LLC — transactional email delivery and, where enabled, analytics.
We will provide at least thirty (30) days' notice of any new Sub-processor. If the Controller has a reasonable, good-faith objection on data-protection grounds, the parties will work in good faith to resolve it; if not resolved, the Controller may terminate the affected services.
6. International Transfers
Where Personal Data is transferred from the EEA, UK, or Switzerland to a country that has not received an adequacy decision, the parties rely on the European Commission's Standard Contractual Clauses (Module Two: Controller-to-Processor) and, for UK transfers, the UK International Data Transfer Addendum, in each case as incorporated into this DPA by reference.
7. Security Measures
We implement and maintain appropriate technical and organizational measures designed to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration, or disclosure. These include, at a minimum:
- Encryption of Personal Data in transit (TLS) and at rest where supported by the underlying infrastructure.
- Role-based access controls, least-privilege principles, and audit logging for production systems.
- Network segmentation, secrets management, and routine vulnerability scanning.
- Documented incident-response, backup, and disaster-recovery procedures.
- Personnel training on confidentiality, privacy, and information security.
8. Personal Data Breach Notification
We will notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting the Controller's Personal Data and will provide such information as is reasonably required for the Controller to meet its own notification obligations under applicable law.
9. Data Subject Requests
To the extent permitted by law, we will assist the Controller through appropriate technical and organizational measures, insofar as possible, to fulfil the Controller's obligation to respond to requests by Data Subjects to exercise their rights under applicable data-protection laws.
10. Audits
We will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. Upon reasonable prior notice and no more than once per year (except where required by a supervisory authority or following a Personal Data Breach), we will allow for and contribute to audits, including inspections, conducted by the Controller or an independent third-party auditor mandated by the Controller, subject to confidentiality and reasonable security restrictions.
11. Return or Deletion
Upon termination of the agreement, we will, at the Controller's choice, delete or return all Personal Data, and delete existing copies, unless storage is required by applicable law. Backups containing Personal Data will be deleted in accordance with our standard backup-retention schedule.
12. CCPA Service-Provider Terms
To the extent we Process Personal Information of California residents on the Controller's behalf, we act as a “Service Provider” under the CCPA. We will not (a) sell or share Personal Information; (b) retain, use, or disclose Personal Information for any purpose other than performing the services specified in the agreement; or (c) combine Personal Information received from the Controller with information from other sources, except as permitted by the CCPA.
13. Order of Precedence
In the event of any conflict between this DPA and the underlying agreement, this DPA controls with respect to the subject matter herein. Where the Standard Contractual Clauses apply, the Clauses prevail to the extent of any conflict.
14. Contact
For DPA-related inquiries (including Sub-processor lists, security documentation, and breach notifications), contact us at [email protected].
About this document
Weaver.work is a DBA of K3 Labs. Throughout this document, references to “Weaver,” “Weaver.work,” “we,” “us,” or “our” refer to K3 Labs operating under the Weaver.work brand.
Questions? Email [email protected] or call 818-350-3577.