Legal document · Version 1.0
Data Processing Addendum
- Effective date: 2026-01-01
- Last updated: 2026-04-21
- Document ID: WS-LEG-DPA-001
- Supersedes: None
Notice. This page is a plain-English reference copy of the DPA. The binding form is executed as a schedule to the underlying commercial contract. The executed form prevails over this summary in the event of conflict.
§ 1. Definitions
Capitalised terms have the meanings given in the underlying agreement, the EU General Data Protection Regulation (GDPR), the UK GDPR and Data Protection Act 2018, and the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA). “Processor” and “Controller” are used with their GDPR meanings; “Service Provider” has its CCPA/CPRA meaning.
§ 2. Scope and roles
In respect of Member Data processed in operating the Platform for the Controller, Wavestar acts as Processor. In respect of data Wavestar processes for its own purposes — billing, system security, product analytics — Wavestar acts as an independent Controller. The roles are described in Annex A.
§ 3. Instructions
Wavestar will process personal data only on documented instructions from the Controller, including as set out in the underlying agreement, this DPA, and written instructions given in the ordinary course of the service. Wavestar will notify the Controller if an instruction infringes applicable data protection law.
§ 4. Confidentiality
Wavestar will ensure that personnel authorised to process personal data are bound by enforceable confidentiality obligations, have received appropriate training, and have role-based access commensurate with their duties.
§ 5. Security
Wavestar will implement and maintain the technical and organisational measures described in Annex B, which reflect the state of the art, the cost of implementation, and the nature, scope, context, and purposes of processing, and which are designed to ensure a level of security appropriate to the risk.
§ 6. Sub-processors
The Controller provides general written authorisation for Wavestar to engage the sub-processors listed at /legal/subprocessors. Wavestar will provide not less than 30 days’ prior notice of any intended change by updating that page and, for enterprise customers, by notifying the Controller’s authorised contact. The Controller may object on reasonable data protection grounds; the remedies are set out in the underlying agreement.
§ 7. Data subject rights
Wavestar will assist the Controller, by appropriate technical and organisational measures, in responding to requests from data subjects exercising their rights under applicable law. Direct data subject requests received by Wavestar will be promptly forwarded to the Controller unless Wavestar is required by law to respond.
§ 8. Personal data breach
Wavestar will notify the Controller without undue delay and in any event within 48 hours of becoming aware of a Personal Data Breach affecting the Controller’s data, and will provide such information as is reasonably required to enable the Controller to meet its own notification obligations to supervisory authorities and data subjects.
§ 9. Data protection impact assessments
Wavestar will provide reasonable assistance to the Controller with data protection impact assessments and prior consultations with supervisory authorities, having regard to the nature of processing and the information available to Wavestar.
§ 10. International transfers
Where personal data is transferred out of the European Economic Area, the United Kingdom, or Switzerland, the transfer is governed by (i) the EU Standard Contractual Clauses, Module 2 (Controller to Processor) where the Controller is EEA-based, or Module 3 (Processor to Processor) where applicable; (ii) the UK’s International Data Transfer Addendum; and (iii) supplementary measures described in Annex B.
§ 11. Return or deletion
At termination, Wavestar will, at the Controller’s election, return or delete personal data, except to the extent retention is required by law. Backup deletion cycles run for up to 90 days after the primary deletion.
§ 12. Audits
Wavestar will make available to the Controller all information necessary to demonstrate compliance with this DPA, including copies of its SOC 2 Type II and ISO 27001 reports. On-site audits may be conducted once per calendar year on not less than 30 days’ written notice, subject to customary confidentiality and security controls.
§ 13. CCPA/CPRA terms
When processing personal information of California residents on behalf of a Controller acting as a “Business” under the CCPA/CPRA, Wavestar acts as a “Service Provider” and certifies that it will not (i) sell or share personal information, (ii) retain, use, or disclose personal information outside the direct business relationship, or (iii) combine personal information with other data except as permitted by the CCPA/CPRA.
Annex A · Processing details
- Subject matter: Operation of the Wavestar Platform for the Controller
- Duration: Term of the underlying agreement plus lawful retention
- Nature and purpose: Clearing, settlement, attestation, regulatory reporting, support
- Data subject categories: Controller personnel, Member-client end-users, operator personnel
- Personal data categories: Identifiers, contact data, authentication data, transaction metadata, usage logs
- Special categories: None processed by default
Annex B · Technical and organisational measures
- Encryption: TLS 1.3 in transit; AES-256 at rest
- Access control: Role-based, least-privilege, MFA, hardware keys for privileged roles
- Tenant isolation: Enforced at the database layer via tenant-scoped queries
- Key custody: FIPS 140-2 Level 3 HSMs for operator signing keys
- Logging and monitoring: 24x7 SOC, automated anomaly detection, immutable audit log
- Business continuity: Multi-region active-active, RPO 5 minutes, RTO 1 hour
- Personnel: Background checks, confidentiality obligations, annual privacy training
- Certifications: SOC 2 Type II (target 2027), ISO 27001 (target 2027)
Execute the DPA
Ready to sign the DPA?
We countersign the standard form within two business days. For bespoke amendments, route through your Wavestar commercial contact.