Data Processing Addendum

1. Parties, order of precedence, and applicability

This Data Processing Addendum ("DPA") forms part of the agreement between you ("Customer") and Webase Global sp. z o.o. ("Provider", "we", "us") for the use of AI Smart (the "Services").

This DPA applies where we process Personal Data on Customer's behalf as a Processor. If there is a conflict between this DPA and other service terms regarding Personal Data processing, this DPA governs to the extent of that conflict.

2. Definitions

"Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under the Services, including where relevant GDPR, UK GDPR, and implementing national laws.

"Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Subprocessor", and "Supervisory Authority" have the meanings given in Applicable Data Protection Law.

3. Roles of the parties

Customer acts as Controller (or Processor on behalf of another Controller) for Customer Data submitted to the Services. Provider acts as Processor for that Customer Data when delivering service functionality requested by Customer.

For limited data categories required to operate the platform as a business (for example account administration, security telemetry, billing records, and anti-fraud controls), Provider may act as independent Controller as described in the Privacy Policy.

4. Subject matter, nature, and duration of processing

Subject matter: provision of multi-tenant SaaS capabilities, including workspace management, extensions, integrations, media handling, automation jobs, AI-assisted generation, publishing flows, and support operations.

Nature of processing: collection, storage, organization, retrieval, consultation, use, disclosure by transmission to subprocessors/integrations, combination, restriction, deletion, and destruction, as needed to provide the Services.

Duration: for the term of the Services, plus limited retention where legally required or technically necessary for security, financial compliance, or backup lifecycle.

5. Categories of data and data subjects

Depending on Customer use, processed data may include account profile data, workspace/member data, uploaded files, prompts, generated outputs, publishing metadata, support records, integration metadata/tokens, and operational logs.

Data subjects may include Customer users, employees/contractors, leads/prospects, clients, end-customers, social-media audiences, and other third parties whose data Customer chooses to process in the Services.

6. Customer instructions

Provider processes Personal Data only on documented instructions from Customer, including instructions implemented through product configuration, API credits, workspace settings, integration setup, automation scheduling, and user actions in the UI.

If Provider believes an instruction infringes Applicable Data Protection Law, Provider may notify Customer and suspend the relevant instruction until lawfulness is confirmed.

7. Lawfulness and Customer responsibilities

Customer is responsible for establishing an appropriate legal basis for processing, issuing required notices, collecting consents where needed, and handling Data Subject requests for Customer-controlled datasets.

Customer warrants it has the right to provide Personal Data to Provider for processing under this DPA and the service agreement.

8. Confidentiality and personnel access

Provider ensures personnel authorized to process Personal Data are bound by confidentiality obligations and access controls appropriate to their role. Access is granted on a least-privilege basis and reviewed as part of security operations.

9. Security measures (Article 32 equivalent controls)

Provider implements commercially reasonable technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.

  • Encryption in transit (TLS) for external service communication where applicable.
  • Role-based access controls, workspace scoping, and audit logging for security-relevant actions.
  • Security monitoring, abuse detection, and operational alerting for suspicious behavior.
  • Credential and token handling controls for integrations and service-to-service interactions.
  • Operational backup and recovery procedures with controlled restoration access.

10. Subprocessors and onward processing

Customer authorizes Provider to engage Subprocessors required to deliver the Services, including infrastructure, storage, payments, observability, communications, and AI/API providers.

Provider imposes data protection obligations on Subprocessors materially consistent with this DPA and remains responsible for Subprocessor performance to the extent required by Applicable Data Protection Law.

11. Subprocessor transparency and objections

Current Subprocessor categories are disclosed through legal/product documentation and may be updated over time due to operational, security, legal, or commercial requirements.

Where required by Applicable Data Protection Law, Customer may submit a reasonable written objection to a new Subprocessor based on documented data protection concerns. The parties will work in good faith on commercially reasonable mitigation.

12. International transfers

Personal Data may be transferred to and processed in jurisdictions outside the origin country/region. Where required by law, transfers are governed by valid transfer mechanisms such as adequacy decisions, Standard Contractual Clauses, UK transfer addendum mechanisms, or equivalent lawful safeguards.

13. Data Subject rights assistance

Taking into account the nature of processing and available information, Provider provides reasonable assistance to Customer for handling Data Subject rights requests, including access, deletion, correction, restriction, portability, and objection requests, where technically feasible.

14. Assistance with compliance obligations

Provider provides reasonable assistance to Customer in meeting obligations relating to security of processing, personal data breach notification duties, DPIAs, and prior consultations with Supervisory Authorities, in each case to the extent required by Applicable Data Protection Law and proportionate to the processing performed by Provider.

15. Personal data breaches

If Provider confirms a Personal Data breach affecting Customer Data, Provider will notify Customer without undue delay and provide available information reasonably necessary for Customer to meet legal notification obligations.

Notification includes known facts, likely impact, and mitigation actions in progress. Information may be provided in phases as investigation continues.

16. Government requests and law-enforcement disclosure

Provider may disclose Personal Data where required by applicable law, regulation, court order, or binding governmental request. Where legally permitted, Provider will use reasonable efforts to notify Customer before disclosure.

17. Audits and information rights

Provider will make available information reasonably necessary to demonstrate compliance with this DPA. Where required by law and where remote evidence is insufficient, Customer may request a limited audit, subject to confidentiality commitments, proportional scope, operational safeguards, and reasonable advance notice.

18. Return and deletion at end of services

Upon termination or valid written request, Provider will delete or return Customer Personal Data in accordance with service capabilities and retention constraints, unless continued retention is required by law.

Deletion from active systems may be immediate or staged. Residual copies may persist temporarily in backups and then be overwritten according to backup lifecycle controls.

19. Data minimization and purpose limitation

Customer should submit only data necessary for the intended business use case and avoid unnecessary sensitive categories. Provider processes data for service delivery and related security/compliance purposes only, and does not repurpose Customer Data for unrelated commercial profiling.

20. AI and model-provider processing context

Where Customer enables AI features, inputs and related context may be transmitted to configured model providers to generate requested outputs. Customer remains responsible for prompt hygiene, legal basis, and restrictions applicable to any personal/sensitive data included in prompts or workflows.

21. Integrations and OAuth processing context

When Customer connects third-party integrations, Provider processes credentials/tokens and platform metadata solely to execute configured synchronization and publishing actions. Customer is responsible for lawful authorization and scope selection in connected platforms.

22. Commercial terms and liability linkage

Liability, limitation, indemnity, and dispute terms in the main agreement apply to this DPA unless mandatory law requires otherwise. Nothing in this DPA removes rights that cannot be limited under Applicable Data Protection Law.

23. Regional supplements

If Customer is subject to additional regional requirements (for example UK or U.S. state privacy addenda, or sector-specific obligations), the parties may execute supplementary terms. In case of conflict, mandatory local law prevails.

24. DPA updates

Provider may update this DPA to reflect legal, regulatory, security, infrastructure, or product changes. Material updates are communicated via legal pages, in-product notice, or account communications.

25. Contact for privacy operations

Data processing and privacy operations contact: legal@webase.global.

[...]