Data Processing Addendum

Protecting your data with comprehensive data processing agreements.

Last updated: January 07, 2026

This Data Processing Addendum, including its Exhibits and Appendices ("DPA") forms part of the Master Subscription Agreement.

By signing the Agreement, You enter into this DPA on behalf of Yourself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of Your Authorized Affiliates.

In the course of providing the Services under the Agreement, Wenable may Process Personal Data on Your behalf and the parties agree to comply with the terms and conditions in this DPA in connection with such Personal Data.

01 How to Execute This DPA

This DPA consists of two parts: (a) the main body of the DPA, and (b) Schedules 1 and 2.

  • 01 This DPA has been pre-signed on behalf of Wenable. Schedule 2, section 1 has been pre-signed by Wenable, Inc. as the data importer. Please note that the contracting entity under the Agreement may be a different entity to Wenable, Inc.
  • 02 To complete this DPA, You must:
    • Complete the information and sign in the signature box of section 15 of this DPA.
    • Send the completed and signed DPA in its entirety to Wenable by email to legal@weguard.com.

This DPA becomes legally binding upon receipt by Wenable of this validly executed DPA at the above email address.

02 How This DPA Applies

Party to Agreement

If the entity signing this DPA is a party to the Agreement, this DPA is an addendum to and forms part of the Agreement. In such case the Wenable entity that is party to the Agreement is party to this DPA.

Order Form Execution

If the entity signing this DPA has executed an Order Form with Wenable or its Affiliate pursuant to the Agreement, but is itself not a party to the Agreement, this DPA is an addendum to that Order Form and applicable renewal Order Forms; and the Wenable entity that is party to such Order Form is party to this DPA.

Non-Party Entity

If the entity signing this DPA is neither a party to an Order Form nor the Agreement, this DPA is not valid and is not legally binding. Such entity should request that the entity who is a party to the Agreement executes this DPA.

Important: This DPA shall not replace any comparable or additional rights relating to Processing of Your Data contained in Your Agreement (including any existing data processing addendum to the Agreement).

03 Definitions

Affiliate

Any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. "Control" for purposes of this definition, means direct or indirect ownership or control of more than fifty percent (50%) of the voting interests of the subject entity.

Authorized Affiliate

Any of Your Affiliate(s) which (a) is subject to Data Protection Laws and Regulations and (b) is permitted to use the Services pursuant to the Agreement between You and Wenable, but has not signed its own Order Form with Wenable and is not "You" as defined under the Agreement.

Controller

The entity which determines the means and purposes of the Processing of Personal Data.

Data Subject

The identified or identifiable person to whom Personal Data relates.

Personal Data or Personal Information

Any information describing or relating to (i) an identified or identifiable natural person or household and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations), where for each (i) or (ii), such data is Your Data.

Processing

Any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Processor

The Party which Processes Personal Data on behalf of the Controller, including as applicable any "Service Provider" as that term is defined by the TCPA.

04 Processing of Personal Data

Roles of the Parties

The parties acknowledge and agree that (a) with regard to the Processing of Personal Data, You are the Controller or and Wenable is the Processor, as applicable, and (b) Wenable or members of the Wenable Group will engage Sub-processors pursuant to the requirements set forth in Section 5 "Sub-Processors" below.

Your Processing of Personal Data

You shall, in Your use of the Services, Process Personal Data in accordance with the requirements of all applicable Data Protection Laws and Regulations, including without limitation requirements to provide notice to Data Subjects of the use of Wenable as Processor. You shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which You acquired Personal Data. You represent and warrant that You have established a lawful basis to Process Personal Data, Your use of the Services will not violate the rights of any Data Subject, and You have the right to transfer, or provide access to, the Personal Data to Wenable for Processing in accordance with the terms of the Agreement.

Wenable's Processing of Personal Data

You appoint Wenable to process the Personal Data contained in Your Data on Your behalf as necessary for Wenable to provide the Services under the Agreement. All Personal Data Processed under the Agreement (including this DPA) will be stored, organized, and made available to You as the Controller. Wenable shall treat Personal Data as Confidential Information.

05 Rights of Data Subjects

Wenable shall, to the extent legally permitted, promptly notify You if Wenable receives a request from a Data Subject to exercise the Data Subject's right under applicable Data Protection Laws and Regulations relating to Your Data, each such request being a "Data Subject Request". Taking into account the nature of the Processing, if You are unable to independently address a Data Subject Request, Wenable will assist You by appropriate technical and organizational measures, insofar as this is possible and to the extent Wenable is legally permitted to do so, for the fulfillment of Your obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. You shall be legally responsible for responding substantively to any such Data Subject Requests or communications involving Personal Data and for all costs associated with the same.

06 Wenable Personnel

Confidentiality

Wenable shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Wenable shall ensure that such confidentiality obligations survive the termination of the personnel engagement.

Reliability

Wenable shall take commercially reasonable steps to ensure the reliability of any Wenable personnel engaged in the processing of Personal Data.

Limitation of Access

Wenable shall ensure that Wenable's access to Personal Data is limited to those personnel who are necessary to provide the Services.

Data Protection Officer: Wenable has appointed a data protection officer. The appointed person may be reached at privacy@weguard.com.

07 Sub-Processors

Appointment of Sub-processors

You authorize Wenable to engage the Sub-Processors on our Sub-Processor List as of the effective date of this DPA to Process Your Data pursuant to the Agreement (including this DPA) and You acknowledge and agree that (a) Wenable's Affiliates may be retained as Sub-processors and (b) Wenable and Wenable's Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services.

Objection Right for New Sub-processors

You may object to Wenable's use of a new Sub-processor by notifying Wenable promptly in writing within ten (10) business days after receipt of Wenable's notice. In the event You object to a new Sub-processor, Wenable will use reasonable efforts to make available to You a change in the Services or recommend a commercially reasonable change to Your configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor.

08 Security

Controls for the Protection of Your Data

Wenable shall maintain appropriate technical and organizational measures for protection of the security, confidentiality and integrity of Your Data. In doing so, Wenable shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

Data Protection Impact Assessment

Upon Your request, Wenable shall provide You with reasonable cooperation and assistance needed to fulfill Your obligation under Data Protection Laws and Regulations to carry out a data protection impact assessment related to Your use of the Services.

09 Data Incident Management and Notification

Wenable shall notify You without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Your Data, including Personal Data, transmitted, stored or otherwise Processed by Wenable or its Sub-processors (a "Data Incident").

Wenable shall make reasonable efforts to identify the cause of such Data Incident and take such steps as Wenable deems necessary and reasonable to remediate the cause of such a Data Incident to the extent the remediation is within Wenable's reasonable control. At Your reasonable request, and to the extent Wenable is required to do so under applicable Data Protection Laws and Regulations, Wenable will promptly provide You with commercially reasonable assistance as necessary to enable You to meet Your obligations under applicable Data Protection Laws and Regulations to notify authorities and/or affected Data Subjects.

10 Government Access Requests

Wenable Requirements

If Wenable receives a legally binding request from a Public Authority to access Personal Data that Wenable Processes on Your behalf, Wenable shall, unless otherwise legally prohibited, promptly notify You including a summary of the nature of the request. Wenable shall challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful.

Sub-processor Requirements

Wenable shall ensure that Sub-processors involved in the Processing of Personal Data are subject to the relevant commitments regarding Government Access Requests in the Standard Contractual Clauses.

11 Return or Deletion of Personal Data

Upon termination or expiration of the Agreement or any renewal term thereof, Wenable will delete all Personal Data Processed under the Agreement that is in Wenable's possession. In the case of any Personal Data not so deleted, Wenable will return, destroy, or render anonymous all such Personal Data in accordance with Your reasonable written Instructions submitted to Wenable within 30 days of termination or expiration of the Agreement, subject to the limitations described in the Agreement. The requirements do not apply to the extent that Wenable is required by applicable law to retain some or all of Your Data, or to Your Data that is archived on back-up systems, which data Wenable shall securely isolate and protect from any further Processing and delete in accordance with Wenable's deletion practices.

12 European Specific Provisions

This Section shall apply only to the extent Wenable Processes Personal Data subject to European Data Protection Laws and Regulations as Your Processor.

European Data Protection Laws and Regulations

Wenable will Process Personal Data in accordance with the European Data Protection Laws and Regulations requirements directly applicable to Wenable's provision of its Services.

Transfer Mechanisms for Data Transfers

If Personal Data that is subject to the GDPR or any other law relating to the protection or privacy of individuals that applies in Europe is transferred out of Europe to countries which do not ensure an adequate level of data protection, the transfer mechanism listed below shall apply: The EU C-to-P Transfer Clauses.

13 Schedule 1: Transfer Mechanisms

Transfer Mechanisms for European Data Transfers

This schedule outlines the Standard Contractual Clauses operative provisions and additional terms for EU Controller-to-Processor data transfers. The relevant provisions contained in the Standard Contractual Clauses are incorporated by reference and are an integral part of this DPA.

Key Points:

  • Wenable has Your general authorisation to engage Sub-processors
  • Wenable shall notify You of any new Sub-processors
  • You have 10 business days to object to new Sub-processors
  • Wenable shall inform You of government access requests
  • Certification of deletion provided upon written request

14 Schedule 2: Description of Processing/Transfer

Description of Processing/Transfer

Categories of Data Subjects

Your Users authorized by You to use the Services

Categories of Personal Data

  • First Name, Last Name
  • Title
  • Employer
  • Photographic headshots (optional)
  • Unique identifier for authorized devices
  • Personal Information submitted by end users

Nature of Processing

The nature of the Processing is the provision of the Services pursuant to the Agreement

Duration of Processing

Wenable will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing

15 Technical and Organisational Measures

Access Control

  • The Wenable platform is hosted on Amazon Web Services, maintaining SOC 2 Type I and ISO 27001, 27017, 17018 compliance
  • Multi-factor authentication required for administrative access
  • Role-based access control with least privilege principle
  • API access requires authentication via API key with configurable constraints
  • Quarterly user access reviews of production servers, databases and applications
  • Background checks performed on new hires

Transmission Control

  • In-transit: Transport Layer Security version 1.2 or better with 256-bit AES encryption (AES-256-GCM)
  • At-rest: All customer data is encrypted using cloud service provider's key management service
  • Passwords stored as non-reversible hashes

Input Control

  • Intrusion detection and infrastructure monitoring
  • IP Filtering configurations for approved networking rules
  • Web application firewalls on API interfaces
  • Distributed Denial of Service controls protecting against OSI layers 3, 4, and 7 attacks

16 How to Reach Us

If you have questions about this DPA, please contact us:

17 Document Updates

This Data Processing Addendum was last updated on February 17, 2022. Wenable may update this addendum from time to time. Your continued use of the Services after any changes indicates your acceptance of the updated terms.
