Data Processing Agreement based on EU Standard Contractual Clauses under Article 28 GDPR (Commission Implementing Decision (EU) 2021/915).
Last updated: February 22, 2026
A German version of this Data Processing Agreement (Auftragsverarbeitungsvertrag, AVV) is available at wysor.io/avv. In the event of any conflict between the German and the English version, the English version prevails.
| 1. Definitions | |
| Section I | Purpose and Scope (Clauses 1–4) |
| Section II | Obligations of the Parties (Clauses 5–9) |
| Section III | Audit and Reports (Clause 10) |
| Section IV | Cooperation (Clause 11) |
| Section V | Restricted Transfers (Clauses 12–16) |
| Section VI | Deletion of Customer Personal Data (Clauses 17–18) |
| Section VII | CCPA Compliance (Clause 19) |
| Section VIII | Supplement for Professionals Subject to §203 StGB (Clauses 20–24) |
| Section IX | Non-compliance and Termination (Clause 25) |
| Section X | Limitation of Liability (Clause 26) |
| Section XI | General Provisions (Clauses 27–29) |
| Annex I | List of Parties |
| Annex II | Description of Processing |
| Annex III | Technical and Organisational Measures |
| Annex IV | List of Subprocessors |
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between the Customer and Wysor IT Solutions UG (haftungsbeschränkt) ("Wysor", "Provider"), collectively the "Parties".
By accepting the Agreement, Customer enters into this DPA on behalf of itself and, to the extent required under Applicable Data Protection Laws, in the name and on behalf of its Authorised Users and end users. For the purposes of this DPA only, and except where indicated otherwise, the term "Customer" includes Customer and any Customer Affiliates.
The Parties have agreed to the following contractual clauses ("Clauses") in order to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
1.1 "Applicable Data Protection Laws" means all laws, rules, regulations, and other binding requirements that govern how the Service may process or use an individual's personal data, including the GDPR, UK GDPR, Swiss FDPA, and CCPA where applicable.
1.2 "Applicable Laws" means the laws, rules, regulations, court orders, and other binding requirements of a relevant government authority that apply to or govern a party.
1.3 "Controller" has the meaning given in the Applicable Data Protection Laws for the entity that determines the purpose and means of Processing Personal Data.
1.4 "Customer Personal Data" means Personal Data that Customer uploads or provides to Provider as part of the Service and that is governed by this DPA.
1.5 "EEA" means the European Economic Area (the member states of the European Union, Norway, Iceland, and Liechtenstein).
1.6 "EEA SCCs" means the standard contractual clauses annexed to the European Commission's Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679.
1.7 "GDPR" means Regulation (EU) 2016/679 as implemented by local law in the relevant EEA member state.
1.8 "Personal Data" has the meaning given in the Applicable Data Protection Laws for personal information, personal data, or similar term.
1.9 "Processing" or "Process" has the meaning given in the Applicable Data Protection Laws for any operation performed on Personal Data, including by automated means.
1.10 "Processor" has the meaning given in the Applicable Data Protection Laws for the entity that Processes Personal Data on behalf of the Controller.
1.11 "Restricted Transfer" means (a) where the GDPR applies, a transfer of Personal Data from the EEA to a country outside the EEA which is not subject to an adequacy determination by the European Commission; (b) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to a country not subject to adequacy regulations under Section 17A of the UK Data Protection Act 2018; or (c) where the Swiss FDPA applies, a transfer of Personal Data from Switzerland to a country not on the Swiss list of adequate jurisdictions.
1.12 "Security Incident" means a Personal Data Breach as defined in Article 4 of the GDPR.
1.13 "Service" means the product and services described in the Agreement.
1.14 "Special Category Data" has the meaning given in Article 9 of the GDPR.
1.15 "Subprocessor" has the meaning given in the Applicable Data Protection Laws for an entity that, with the approval of the Controller, assists the Processor in Processing Personal Data on behalf of the Controller.
1.16 "Swiss FDPA" means the Swiss Federal Act on Data Protection of 25 September 2020 (as revised).
1.17 "UK Addendum" means the International Data Transfer Addendum to the EEA SCCs issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018.
1.18 "UK GDPR" means Regulation (EU) 2016/679 as implemented by section 3 of the United Kingdom's European Union (Withdrawal) Act of 2018.
(a) These Clauses set out the rights and obligations of the Controller and the Processor when processing Personal Data on behalf of the Controller.
(b) The Clauses apply to the Processing of Personal Data as specified in Annex II.
(c) The Annexes form an integral part of these Clauses.
(d) These Clauses are without prejudice to obligations to which the Controller is subject by virtue of the GDPR.
(e) These Clauses do not by themselves ensure compliance with obligations related to international transfers in accordance with Chapter V of the GDPR. Section 5 (Restricted Transfers) of this DPA addresses international transfers separately.
(a) The Parties undertake not to modify these Clauses except for adding or updating information in the Annexes.
(b) This does not prevent the Parties from including these Clauses in a broader contract or from adding other clauses or additional safeguards, provided that they do not directly or indirectly contradict the Clauses or detract from the fundamental rights or freedoms of data subjects.
(a) Where these Clauses use terms defined in the GDPR, those terms have the same meaning as in that Regulation.
(b) These Clauses are read and interpreted in the light of the provisions of the GDPR.
(c) These Clauses may not be interpreted in a way that is inconsistent with rights and obligations provided for in the GDPR or in a way that prejudices the fundamental rights or freedoms of the data subjects.
In the event of a contradiction between these Clauses and the provisions of any other agreement between the Parties, the following order of precedence applies: (1) the EEA SCCs or the UK Addendum, (2) this DPA, and then (3) the Agreement.
(a) Provider as Processor. Where Customer is a Controller of Customer Personal Data, Provider is a Processor Processing Personal Data on behalf of Customer.
(b) Provider as Subprocessor. Where Customer is itself a Processor of Customer Personal Data, Provider is a Subprocessor of Customer Personal Data.
The details of the Processing operations, in particular the categories of Personal Data and the purposes of Processing, are specified in Annex II.
(a) The Processor processes Personal Data only on documented instructions from the Controller, unless required to do so by Union or Member State law to which the Processor is subject. In this case, the Processor informs the Controller of that legal requirement before Processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the Controller throughout the duration of the Processing. These instructions are always documented.
(b) The Processor immediately informs the Controller if, in the Processor's opinion, instructions given by the Controller infringe the GDPR or applicable Union or Member State data protection provisions.
(c) Customer instructs Provider to Process Customer Personal Data: (i) to provide and maintain the Service; (ii) as may be further specified through Customer's use of the Service; (iii) as documented in the Agreement; and (iv) as documented in any other written instructions given by Customer and acknowledged by Provider. Provider will abide by these instructions unless prohibited from doing so by Applicable Laws. Provider will immediately inform Customer if it is unable to follow the Processing instructions.
The Processor processes the Personal Data only for the specific purpose(s) of the Processing as set out in Annex II, unless it receives further instructions from the Controller.
Processing by the Processor takes place for the duration specified in Annex II.
(a) The Processor implements at least the technical and organisational measures specified in Annex III to ensure the security of the Personal Data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the data ("Personal Data Breach"). In assessing the appropriate level of security, the Parties take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing, and the risks involved for the data subjects.
(b) The Processor grants access to the Personal Data undergoing Processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring the contract. The Processor ensures that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
If the Processing involves Special Category Data, the Processor applies the specific restrictions and additional safeguards described in Annex II. By default, Provider does not process Special Category Data. If Controller configures AI agents to handle Special Category Data, Controller is responsible for ensuring an appropriate legal basis and safeguards are in place and for notifying Provider.
(a) The Parties are able to demonstrate compliance with these Clauses.
(b) The Processor makes available to the Controller all information necessary to demonstrate compliance with the obligations set out in these Clauses and allows for and contributes to audits and inspections of the Processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or an audit, the Controller may take into account relevant certifications held by the Processor.
(c) The Controller may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of the Processor and, where appropriate, are carried out with reasonable notice of at least 30 days.
(d) The Parties make the information referred to in this Clause, including the results of any audits, available to the competent supervisory authority or authorities on request.
(e) Provider will maintain records of its compliance with this DPA for 3 years after the DPA ends.
(a) General written authorisation. The Processor has the Controller's general authorisation for the engagement of Subprocessors from the agreed list in Annex IV. The Processor specifically informs the Controller in writing of any intended changes to that list through the addition or replacement of Subprocessors at least 30 days in advance, thereby giving the Controller sufficient time to be able to object to such changes prior to the engagement of the Subprocessor(s). The Processor provides the Controller with the information necessary to enable the Controller to exercise the right to object. The current list of Subprocessors is available at wysor.io/subprocessors.
(b) Customer has 30 days after notice of a change to the approved Subprocessors to object. If Customer does not object within 30 days, Customer is deemed to accept the changes. If Customer objects within 30 days, Customer and Provider will cooperate in good faith to resolve Customer's objection or concern.
(c) Where the Processor engages a Subprocessor for carrying out specific Processing activities on behalf of the Controller, it imposes on the Subprocessor, by way of a written contract, the same data protection obligations as the ones imposed on the Processor in accordance with these Clauses. The Processor ensures that the Subprocessor complies with the obligations to which the Processor is subject pursuant to these Clauses and the GDPR.
(d) At the Controller's request, the Processor provides a copy of such a Subprocessor agreement and any subsequent amendments. To the extent necessary to protect business secrets or other confidential information, including Personal Data, the Processor may redact the text of the agreement prior to sharing a copy.
(e) The Processor remains fully responsible to the Controller for the performance of the Subprocessor's obligations in accordance with its contract with the Processor. The Processor notifies the Controller of any failure by the Subprocessor to fulfil its contractual obligations.
(f) The Processor agrees a third-party beneficiary clause with the Subprocessor, whereby in the event that the Processor has factually disappeared, ceased to exist in law, or has become insolvent, the Controller has the right to terminate the Subprocessor contract and to instruct the Subprocessor to erase or return the Personal Data.
(a) Any transfer of Personal Data to third countries or international organisations by the Processor is done only on the basis of documented instructions from the Controller or in order to fulfil a specific requirement under Union or Member State law to which the Processor is subject, and takes place in compliance with Chapter V of the GDPR.
(b) The Controller agrees that where the Processor engages a Subprocessor in accordance with Clause 7.7 for carrying out specific Processing activities and those Processing activities involve the transfer of Personal Data within the meaning of Chapter V of the GDPR, the Processor and the Subprocessor can ensure compliance with Chapter V by using standard contractual clauses adopted by the Commission in accordance with Article 46(2) of the GDPR, provided the conditions for the use of those clauses are met.
(a) The Processor promptly notifies the Controller of any request it has received from a data subject. It does not respond to the request itself unless authorised to do so by the Controller.
(b) The Processor assists the Controller in fulfilling its obligations to respond to data subjects' requests to exercise their rights, taking into account the nature of the Processing. In fulfilling its obligations under (a) and (b), the Processor complies with the Controller's instructions.
(c) In addition to the Processor's obligation to assist the Controller pursuant to Clause 8(b), the Processor furthermore assists the Controller in ensuring compliance with the following obligations, taking into account the nature of the data Processing and the information available to the Processor:
(d) If required by Applicable Data Protection Laws, Provider will reasonably assist Customer in conducting any mandated data protection impact assessments or data transfer impact assessments ("DTIAs") and consultations with relevant data protection authorities, taking into consideration the nature of the Processing and Customer Personal Data.
(e) The Parties set out in Annex III the appropriate technical and organisational measures by which the Processor is required to assist the Controller in the application of this Clause, as well as the scope and the extent of the assistance required.
In the event of a Personal Data Breach, the Processor cooperates with and assists the Controller for the Controller to comply with its obligations under Articles 33 and 34 of the GDPR, taking into account the nature of Processing and the information available to the Processor.
In the event of a Personal Data Breach concerning data processed by the Controller, the Processor assists the Controller in:
(a) Notifying the Personal Data Breach to the competent supervisory authority or authorities, without undue delay after the Controller has become aware of it, where relevant (unless the Personal Data Breach is unlikely to result in a risk to the rights and freedoms of natural persons).
(b) Obtaining the following information which, pursuant to Article 33(3) of the GDPR, must be stated in the Controller's notification, and including, at least:
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification contains the information then available and further information is, as it becomes available, subsequently provided without undue delay.
(c) Complying, pursuant to Article 34 of the GDPR, with the obligation to communicate without undue delay the Personal Data Breach to the data subject, when the Personal Data Breach is likely to result in a high risk to the rights and freedoms of natural persons.
In the event of a Personal Data Breach concerning data processed by the Processor, the Processor notifies the Controller without undue delay, and no later than 72 hours after the Processor having become aware of the breach. Such notification contains, at least:
(a) A description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
(b) The details of a contact point where more information concerning the Personal Data Breach can be obtained;
(c) Its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification contains the information then available and further information is, as it becomes available, subsequently provided without undue delay.
Provider's notification of or response to a Security Incident will not be construed as an acknowledgment by Provider of any fault or liability for the Security Incident.
(a) Provider will give Customer all information reasonably necessary to demonstrate its compliance with this DPA and will allow for and contribute to audits, including inspections by Customer, to assess Provider's compliance with this DPA. However, Provider may restrict access to data or information if Customer's access would negatively impact Provider's intellectual property rights, confidentiality obligations, or other obligations under Applicable Laws.
(b) Customer acknowledges that Provider is regularly audited against the standards defined in the Security Policy by independent third-party auditors or through internal security reviews. Upon written request, Provider will give Customer, on a confidential basis, a summary copy of its then-current audit report so that Customer can verify Provider's compliance with the security standards.
(c) In addition to audit reports, Provider will respond to reasonable requests for information made by Customer to confirm Provider's compliance with this DPA, including responses to information security, due diligence, and audit questionnaires. All such requests must be in writing to [email protected] and may only be made once per year.
(a) If Provider receives any inquiry or request from a third party about the Processing of Customer Personal Data, Provider will notify Customer about the request and will not respond to the request without Customer's prior consent, unless required by Applicable Law. This includes judicial, administrative, or regulatory orders, as well as requests from data subjects.
(b) If allowed by Applicable Law, Provider will follow Customer's reasonable instructions about these requests, including providing status updates and other information reasonably requested by Customer.
(c) If a data subject makes a valid request under Applicable Data Protection Laws to delete or access Customer Personal Data, Provider will assist Customer in fulfilling the request in accordance with the Applicable Data Protection Law.
Customer agrees that Provider may transfer Customer Personal Data outside the EEA, the United Kingdom, or Switzerland as necessary to provide the Service. If Provider transfers Customer Personal Data to a territory for which the European Commission, UK Secretary of State, or Swiss Federal Council (as applicable) has not issued an adequacy decision, Provider will implement appropriate safeguards for the transfer consistent with Applicable Data Protection Laws.
Customer and Provider agree that if the GDPR protects the transfer of Customer Personal Data, the transfer is from Customer within the EEA to Provider outside of the EEA, and the transfer is not governed by an adequacy decision made by the European Commission, then by entering into this DPA, Customer and Provider are deemed to have signed the EEA SCCs and their Annexes, which are incorporated by reference. Any such transfer is made pursuant to the EEA SCCs, which are completed as follows:
(a) Module Two (Controller to Processor) of the EEA SCCs applies when Customer is a Controller and Provider is Processing Customer Personal Data for Customer as a Processor.
(b) Module Three (Processor to Sub-Processor) of the EEA SCCs applies when Customer is a Processor and Provider is Processing Customer Personal Data on behalf of Customer as a Subprocessor.
(c) For each module, the following applies (when applicable):
Customer and Provider agree that if the UK GDPR protects the transfer of Customer Personal Data, the transfer is from Customer within the United Kingdom to Provider outside of the United Kingdom, and the transfer is not governed by an adequacy decision made by the United Kingdom Secretary of State, then by entering into this DPA, Customer and Provider are deemed to have signed the UK Addendum and its Annexes, which are incorporated by reference. Any such transfer is made pursuant to the UK Addendum, which is completed as follows:
(a) Clause 13 of this DPA contains the information required in Table 2 of the UK Addendum.
(b) Table 4 of the UK Addendum is modified as follows: Neither party may end the UK Addendum as set out in Section 19 of the UK Addendum. To the extent the ICO issues a revised Approved Addendum under Section 18 of the UK Addendum, the parties will work in good faith to revise this DPA accordingly.
(c) The Annexes to this DPA contain the information required by Annex 1A, Annex 1B, Annex II, and Annex III of the UK Addendum.
For transfers where Swiss law (and not the law in any EEA member state or the United Kingdom) applies to the international nature of the transfer, references to the GDPR in Clause 4 of the EEA SCCs are, to the extent legally required, amended to refer to the Swiss Federal Data Protection Act (FDPA), and the concept of supervisory authority will include the Swiss Federal Data Protection and Information Commissioner.
The competent supervisory authority is the supervisory authority of the data exporter, as determined in accordance with Clause 13 of the EEA SCCs or the relevant provision of the UK Addendum.
Provider will enable Customer to delete Customer Personal Data in a manner consistent with the functionality of the Service. Provider will comply with this instruction as soon as reasonably practicable except where further storage of Customer Personal Data is required by Applicable Law.
(a) After the DPA expires, Provider will return or delete Customer Personal Data at Customer's instruction unless further storage of Customer Personal Data is required or authorised by Applicable Laws. If return or destruction is impracticable or prohibited by Applicable Laws, Provider will make reasonable efforts to prevent additional Processing of Customer Personal Data and will continue to protect the Customer Personal Data remaining in its possession, custody, or control.
(b) If Customer and Provider have entered the EEA SCCs or the UK Addendum as part of this DPA, Provider will only give Customer the certification of deletion of Personal Data described in Clause 8.1(d) and Clause 8.5 of the EEA SCCs if Customer asks for one.
To the extent the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. ("CCPA") applies, the Parties acknowledge and agree that Provider is a service provider and is receiving Personal Data from Customer to provide the Service as agreed in the Agreement, which constitutes a business purpose. Provider will not sell or share (as defined under the CCPA) any Personal Data provided by Customer under the Agreement. In addition, Provider will not retain, use, or disclose any Personal Data provided by Customer under the Agreement except as necessary for providing the Service, as stated in the Agreement, or as permitted by Applicable Data Protection Laws. Provider certifies that it understands the restrictions of this clause.
This section applies where Customer is subject to professional secrecy obligations under §203 of the German Criminal Code (Strafgesetzbuch, “StGB”), including but not limited to physicians, dentists, pharmacists, psychotherapists, lawyers, tax advisors, auditors, and their professional staff.
(a) Provider acknowledges that Customer may be subject to the obligation of professional secrecy pursuant to §203 StGB and that data processed under the Agreement may include secrets protected by §203 StGB (“Protected Secrets”). It is the Customer’s responsibility to identify which data falls under §203 StGB and to make this known to the Provider.
(b) Customer’s obligation to obtain consent. Where Customer uses the Service to process Protected Secrets (e.g., recording and transcribing patient or client conversations), Customer is solely responsible for obtaining the informed consent of the affected data subject (e.g., patient, client) prior to any such processing. Pursuant to §203 Abs. 1 StGB, disclosure of a Protected Secret is only unlawful if made without authorisation (“unbefugt”). The data subject’s consent constitutes such authorisation and lifts the secrecy obligation for the specific disclosure to Provider and its Subprocessors. Customer must ensure that the data subject is informed, at a minimum, that:
(c) Customer warrants that it will not submit any Protected Secrets to the Service without having obtained the necessary consent from the data subject. Provider is not liable for any §203 StGB violation arising from Customer’s failure to obtain proper consent.
(d) Provider undertakes to maintain strict confidentiality regarding all Protected Secrets and to only access such data to the extent necessary for the performance of the Service.
(e) Provider acknowledges that persons participating in the professional activity of a Berufsgeheimnisträger who unauthorisedly disclose a secret that has become known to them in the course of or on the occasion of their activity are criminally liable under §203 Abs. 4 Satz 1 StGB (punishable by imprisonment of up to one year or a fine). Furthermore, Provider acknowledges that a participating person is also criminally liable under §203 Abs. 4 Satz 2 Nr. 2 StGB if it engages further participating persons who unauthorisedly disclose secrets and has not ensured that those persons were bound to secrecy.
(a) Provider ensures that all employees and other persons acting on behalf of Provider (including Subprocessors) who are involved in the Processing of Protected Secrets have been bound to secrecy in Textform (within the meaning of §126b BGB) prior to commencing work and have been instructed about the potential criminal liability under §203 Abs. 4 StGB. Provider maintains a record of all persons so bound.
(b) Provider will carefully select any Subprocessors and, insofar as they may obtain knowledge of Protected Secrets in the course of their activity, bind them to secrecy. Provider will further require its Subprocessors to bind all of their personnel and any further subcontractors who may come into contact with Protected Secrets to equivalent secrecy obligations and to instruct them about the consequences of a breach. This obligation applies to all further levels of sub-contracting.
(c) Subprocessors are also informed about the right to refuse testimony (§53a StPO) and the seizure prohibition (§97 StPO), including the instruction that the Customer (as Berufsgeheimnisträger) decides on the exercise of these rights and that Provider and its Subprocessors must immediately contact Customer regarding the exercise of these rights.
(d) The obligation to maintain confidentiality continues without limitation after the termination of the Agreement.
(a) Zeugnisverweigerungsrecht (§53a StPO). Provider is informed that data processed on behalf of a Berufsgeheimnisträger may be subject to the right to refuse testimony of participating persons under §53a of the German Code of Criminal Procedure (Strafprozessordnung, “StPO”). The Customer (as Berufsgeheimnisträger) decides on the exercise of this right. In the event of any questioning or request for testimony relating to Protected Secrets, Provider will object with reference to §53a StPO and immediately inform the Customer, who will then decide on the exercise of the right to refuse testimony.
(b) Beschlagnahmeverbot (§97 StPO). Provider is informed that Protected Secrets in its custody are subject to the seizure prohibition under §97 Abs. 2 StPO. Protected Secrets may not be surrendered without the consent of the Customer (as Berufsgeheimnisträger). In the event of a seizure or attempted seizure, Provider will object and immediately inform the Customer.
In addition to the measures set out in Annex III, Provider implements the following measures to protect Protected Secrets:
(a) Logical separation or equivalent technical isolation of Customer data where the Customer is subject to §203 StGB, ensuring that Protected Secrets are not accessible to unauthorised personnel.
(b) Access to Protected Secrets is logged and auditable.
(c) Protected Secrets are encrypted at rest and in transit in accordance with the state of the art (see Annex III).
(d) Upon termination of the Agreement, all Protected Secrets are deleted or returned in accordance with Clause 18 of this DPA. Provider will, upon request, provide a written confirmation of deletion.
The Customer’s rights to audit and inspect pursuant to Section III of this DPA apply in full to the Processing of Protected Secrets. Provider will cooperate with any audit conducted by the Customer or a supervisory authority regarding compliance with §203 StGB obligations.
(a) Without prejudice to any provisions of the GDPR, in the event that the Processor is in breach of its obligations under these Clauses, the Controller may instruct the Processor to suspend the Processing of Personal Data until the latter complies with these Clauses or the contract is terminated. The Processor promptly informs the Controller in case it is unable to comply with these Clauses, for whatever reason.
(b) The Controller is entitled to terminate the contract insofar as it concerns the Processing of Personal Data in accordance with these Clauses if:
(c) The Processor is entitled to terminate the contract insofar as it concerns the Processing of Personal Data under these Clauses where, after having informed the Controller that its instructions infringe applicable legal requirements in accordance with Clause 7.1(b), the Controller insists on compliance with its instructions.
(d) Following termination of the contract, the Processor, at the choice of the Controller, deletes all Personal Data processed on behalf of the Controller and certifies to the Controller that it has done so, or returns all the Personal Data to the Controller and deletes existing copies unless Union or Member State law requires storage of the Personal Data. Until the data is deleted or returned, the Processor continues to ensure compliance with these Clauses.
(a) Liability caps. To the maximum extent permitted under Applicable Data Protection Laws, each party's total cumulative liability to the other party arising out of or related to this DPA will be subject to the waivers, exclusions, and limitations of liability stated in the Agreement.
(b) Related-party claims. Any claims made against Provider or its affiliates arising out of or related to this DPA may only be brought by the Customer entity that is a party to the Agreement.
(c) Exceptions. This DPA does not limit any liability to an individual about the individual's data protection rights under Applicable Data Protection Laws. In addition, this DPA does not limit any liability between the parties for violations of the EEA SCCs or UK Addendum.
This DPA forms part of and supplements the Agreement. If there is any inconsistency between this DPA, the Agreement, or any of their parts, the part listed earlier will control over the part listed later for that inconsistency: (1) the EEA SCCs or the UK Addendum, (2) this DPA, and then (3) the Agreement.
This DPA takes effect when Provider and Customer agree to the Agreement (including by electronic acceptance) and continues until the Agreement expires or is terminated. However, each party remains subject to the obligations in this DPA and Applicable Data Protection Laws until Customer stops transferring Customer Personal Data to Provider and Provider stops Processing Customer Personal Data.
These Clauses are governed by German law. Any dispute arising from these Clauses is resolved by the courts of Hamburg, Germany. For Restricted Transfers, the governing law for the EEA SCCs is German law and the governing law for the UK Addendum is the law of England and Wales.
Name, address, contact person, and activities relevant to the data transferred under these Clauses are as specified in the Agreement.
Role: Controller (or Processor, where Customer is itself processing on behalf of a third-party controller).
| Name | Wysor IT Solutions UG (haftungsbeschränkt) |
| Address | c/o Postflex #9898, Emsdettener Str. 10, 48268 Greven, Germany |
| Contact | [email protected] |
| Register Court | Amtsgericht Hamburg |
| Registration Number | HRB 195891 |
| Activities | AI agent platform providing browser automation, customer service, data analysis and other AI-powered services on behalf of the Controller |
| Role | Processor (or Subprocessor, where Customer is itself a Processor) |
| Service | Wysor AI Agent Platform |
| Categories of data subjects | Customer's end users, employees, contacts, and customers as determined by Customer's use of the Service |
| Categories of personal data | Data determined by Customer's use of the Service, which may include: names, contact information (email, phone, address), user activity data (device information, IP addresses, browser metadata), page content and interaction data, transactional information, and any other personal data submitted to the platform by the Controller or its end users |
| Special category data | Not processed by default. If Controller configures AI agents to handle Special Category Data, Controller is responsible for ensuring an appropriate legal basis and safeguards are in place |
| Frequency of transfer | Continuous, for the duration of the Service |
| Nature and purpose of processing | Receiving data (collection, accessing, retrieval, recording); holding data (storage, organisation, structuring); using data (analysis, consultation, automated processing); updating data (correction, adaptation, alteration); protecting data (restricting, encrypting, security testing); returning data to the data exporter or data subject; erasing data (destruction, deletion) — all in connection with providing the Service as described in the Agreement |
| Duration of processing | For the term of the Agreement. Upon termination, data is deleted or returned in accordance with Clause 18 |
The Processor implements the following technical and organisational measures to ensure an appropriate level of security:
The Controller has authorised the use of the Subprocessors listed at wysor.io/subprocessors.
The Processor notifies the Controller at least 30 days in advance of any intended changes to the Subprocessor list. The Controller may object to any new Subprocessor within 30 days of notification.
A summary of current Subprocessors:
| Provider | Purpose | Location | DPA |
|---|---|---|---|
| Fly.io, Inc. | Application hosting | EU | Available on request |
| Amazon Web Services EMEA SARL | Cloud storage, email, AI models (Bedrock) | EU + USA* | AWS DPA |
| Google LLC (Vertex AI) | AI models, embeddings | EU + USA* | Google Cloud DPA |
| OpenAI, L.L.C. | AI models (GPT) | USA* | OpenAI DPA |
| Anthropic PBC (via AWS Bedrock) | AI models (Claude) | EU | Anthropic DPA (via AWS) |
| AssemblyAI, Inc. | Speech-to-text transcription | EU | AssemblyAI DPA |
| Perplexity AI, Inc. | AI search | USA* | Perplexity DPA |
| PostHog Inc. | Product analytics | EU | PostHog DPA |
| Functional Software Inc. (Sentry) | Error monitoring | EU | Sentry DPA |
| Stripe, Inc. | Payment processing | USA* | Stripe DPA |
| Google LLC | Analytics, OAuth | USA* | Google DPA |
| Microsoft Corporation | OAuth login | USA* | Microsoft DPA |
| Cloudflare, Inc. | Bot protection, CAPTCHA | USA* | Cloudflare DPA |
| RunPod, Inc. | GPU cloud computing — EU Secure Cloud (AI model inference) | EU | RunPod DPA |
| Twilio Ireland Limited | Telephony, voice, phone number provisioning | EU | Twilio DPA |
*EU Standard Contractual Clauses (SCCs) under Article 46(2)(c) GDPR are in place for transfers to the USA.
For full details on each Subprocessor, including data protection commitments and retention policies, see our Subprocessor List.
Wysor IT Solutions UG (haftungsbeschränkt)
c/o Postflex #9898, Emsdettener Str. 10, 48268 Greven, Germany
Email: [email protected]