Wolfia Inc. Data Processing Agreement
Last updated: May 4, 2026 · Effective: May 4, 2026
Notice. This Data Processing Agreement (DPA) forms part of our Master Services Agreement (MSA) at https://wolfia.com/terms between Wolfia Inc. and the customer that has agreed to it (Customer). For executed counterparts or customer-specific terms, contact legal@wolfia.com.
1. Introduction and Scope
This DPA applies whenever Wolfia Inc. (Wolfia, Provider, we, us, our) Processes Customer Personal Data on behalf of Customer in connection with the Services. It supplements the MSA and reflects the parties' agreement on the processing of Personal Data under the EU General Data Protection Regulation (GDPR), the UK GDPR, the Swiss Federal Act on Data Protection (revFADP), the California Consumer Privacy Act as amended (CCPA), and other applicable data protection laws.
Where Customer is a Controller of Customer Personal Data, Wolfia is a Processor. Where Customer is itself a Processor of Customer Personal Data, Wolfia is a Subprocessor. In each case, Wolfia Processes Customer Personal Data only to provide the Services and on Customer's documented instructions.
2. Definitions
Capitalized terms not defined here have the meanings given in the MSA or in Applicable Data Protection Laws.
Applicable Data Protection Laws means all laws and regulations applicable to the Processing of Personal Data under this DPA, including the GDPR, the UK GDPR, the revFADP, and the CCPA.
Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Processing, Special Category Data, and Subprocessor have the meanings given in Applicable Data Protection Laws.
Customer Personal Data means Personal Data that Customer or its Authorized Users upload, submit, or otherwise provide to the Services and that is governed by this DPA.
DPF means the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework, administered by the U.S. Department of Commerce, available at https://www.dataprivacyframework.gov/.
EEA means the member states of the European Union together with Norway, Iceland, and Liechtenstein.
EU SCCs means the standard contractual clauses annexed to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, available at https://eur-lex.europa.eu/eli/dec_impl/2021/914.
Security Incident means a Personal Data Breach as defined in Article 4 of the GDPR affecting Customer Personal Data Processed by Wolfia.
Services means the Wolfia products and services made available to Customer under the MSA.
UK GDPR means Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
UK IDTA means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Version B1.0) issued by the UK Information Commissioner under section 119A of the UK Data Protection Act 2018, available at https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-data-transfer-agreement/.
3. Roles and Responsibilities
3.1 Controller / Processor. The parties acknowledge that, with respect to Customer Personal Data, Customer is the Controller (or a Processor acting on behalf of a third-party Controller) and Wolfia is the Processor (or Subprocessor). Each party will comply with its obligations under Applicable Data Protection Laws.
3.2 Customer Instructions and Compliance. Customer's complete and final instructions to Wolfia for the Processing of Customer Personal Data are: (a) to provide and maintain the Services; (b) as further specified through Customer's use of the Services; (c) as documented in the MSA and this DPA; and (d) as documented in any other written instructions issued by Customer and acknowledged by Wolfia. Customer represents that its instructions, and the Customer Personal Data it provides to the Services, comply with Applicable Data Protection Laws, and that Customer has obtained all necessary consents and provided all necessary notices to Data Subjects.
3.3 CCPA Service Provider. To the extent the CCPA applies, the parties acknowledge that Wolfia is a "service provider" receiving Personal Data from Customer for the limited and specified business purpose of providing the Services. Wolfia will not sell or share any Customer Personal Data, and will not retain, use, or disclose Customer Personal Data outside of the direct business relationship with Customer or for any purpose other than the specific business purpose set out in the MSA, except as permitted by the CCPA. Wolfia certifies that it understands these restrictions and will comply with them.
4. Wolfia's Processing Obligations
4.1 Documented Instructions. Wolfia will Process Customer Personal Data only on Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by EU, EEA member state, UK, Swiss, or other applicable law to which Wolfia is subject. Where required to Process for any other reason, Wolfia will inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
4.2 Confidentiality. Wolfia ensures that personnel authorized to Process Customer Personal Data are subject to written confidentiality obligations or are under appropriate statutory obligations of confidentiality.
4.3 Security. Wolfia implements and maintains the technical and organizational measures described in Annex II to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR.
4.4 Cooperation. Wolfia will reasonably assist Customer (taking into account the nature of the Processing and the information available to Wolfia) to fulfill Customer's obligations under Applicable Data Protection Laws, including responding to Data Subject requests, implementing security measures, notifying Personal Data Breaches, and conducting data protection impact assessments and prior consultations with supervisory authorities.
4.5 Updates Reflecting Service Changes. If Wolfia updates the Services to add or modify products, features, or functionality, Wolfia may correspondingly update the categories of Data Subjects, categories of Personal Data, frequency of transfer, nature and purpose of Processing, and duration of Processing in Annex I by notifying Customer of the change.
4.6 No Sale; No Unauthorized Training. Wolfia will not sell Customer Personal Data, and will not use Customer Personal Data (including queries and indexed content) to train general-purpose AI/ML models offered to others without Customer's express prior written consent.
5. Subprocessors
5.1 General Authorization. Customer provides general written authorization for Wolfia to engage Subprocessors to Process Customer Personal Data, subject to this Section 5. Wolfia's current list of approved Subprocessors, including each Subprocessor's identity, location, and processing activity, is published at https://trust.wolfia.com/?tab=subprocessors.
5.2 Notice and Right to Object. Wolfia will give Customer at least 30 days' prior notice (by email to the account contact, by update to the Subprocessor list, or by another means specified by Wolfia) before authorizing any new Subprocessor to Process Customer Personal Data. Customer may object to the new Subprocessor on reasonable data-protection grounds within 30 days of notice by emailing legal@wolfia.com. If Customer does not object within that period, Customer is deemed to have approved the Subprocessor. If Customer objects in good faith, the parties will work together in good faith to resolve the objection; if no resolution is reached, Customer may terminate the affected portion of the Services as its sole and exclusive remedy.
5.3 Flow-Down. Wolfia will impose data-protection obligations on each Subprocessor that are no less protective than those in this DPA, including the obligations required by Article 28(3) GDPR where applicable. Upon Customer's written request, Wolfia will provide a summary of its Subprocessor agreement, redacted as necessary to protect business secrets and other confidential information.
5.4 Liability. Wolfia remains fully liable to Customer for the performance of each Subprocessor's data-protection obligations.
6. Data Subject Rights
Taking into account the nature of the Processing, Wolfia will assist Customer by appropriate technical and organizational measures, insofar as possible, to enable Customer to fulfill its obligation to respond to requests by Data Subjects to exercise rights under Applicable Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making). If Wolfia receives a request directly from a Data Subject relating to Customer Personal Data, Wolfia will, unless prohibited by law, promptly forward the request to Customer and will not respond to the request except on Customer's documented instructions or as required by law.
7. Personal Data Breach Notification
Wolfia will notify Customer without undue delay, and in any event no later than 72 hours, after becoming aware of a Security Incident affecting Customer Personal Data. The notice will describe, to the extent then known: the nature of the Security Incident, including the categories and approximate number of Data Subjects and records concerned; the likely consequences; and the measures Wolfia has taken or proposes to take to address the Security Incident and mitigate its possible adverse effects. Wolfia will provide additional information as it becomes available and will reasonably cooperate with Customer in investigating and responding. Notification of a Security Incident is not an acknowledgment by Wolfia of fault or liability.
8. Audits and Reports
8.1 Audit Reports. Wolfia is regularly audited by independent third-party auditors against recognized standards (including SOC 2 Type II and ISO 27001-aligned controls). Upon Customer's written request, no more than once per year, Wolfia will provide, on a confidential basis, a summary of its then-current third-party audit report so Customer can verify Wolfia's compliance with this DPA.
8.2 Audit Rights. Where the audit reports under Section 8.1 are insufficient to demonstrate compliance with Applicable Data Protection Laws, Customer may, on at least 60 days' prior written notice and no more than once per twelve (12) month period (except where required by a supervisory authority or following a confirmed Security Incident affecting Customer Personal Data), conduct or commission an audit of Wolfia's Processing of Customer Personal Data. Audits will be conducted during normal business hours, will not unreasonably interfere with Wolfia's operations, and will be subject to written confidentiality obligations. Customer will bear its own costs and Wolfia's reasonable costs of supporting the audit.
8.3 Records. Wolfia will maintain records of its compliance with this DPA for at least three (3) years after the DPA ends.
9. International Data Transfers
9.1 Authorization. Customer authorizes Wolfia to transfer Customer Personal Data outside the EEA, the UK, and Switzerland to the United States and to other jurisdictions in which Wolfia or its Subprocessors operate, as necessary to provide the Services, subject to the safeguards set out in this Section 9.
9.2 Data Privacy Framework (Primary Mechanism). Where Wolfia is self-certified under the EU-U.S. Data Privacy Framework, the UK Extension, and/or the Swiss-U.S. Data Privacy Framework, transfers of Customer Personal Data from the EEA, UK, and Switzerland to Wolfia in the United States are made under the DPF as the primary transfer mechanism. Wolfia will continue to apply the DPF Principles to such Customer Personal Data for as long as it retains the data, even if its certification later ends. The current status of Wolfia's certification is available at https://www.dataprivacyframework.gov/.
9.3 EU Standard Contractual Clauses (Fallback). Where the DPF does not apply, or no longer applies, to a transfer of Customer Personal Data protected by the GDPR from Customer in the EEA to Wolfia outside the EEA, the parties are deemed to have entered into the EU SCCs, which are incorporated by reference and completed as follows:
- Module Two (Controller to Processor) applies where Customer is a Controller and Wolfia is a Processor. Module Three (Processor to Processor) applies where Customer is a Processor and Wolfia is a Subprocessor.
- Clause 7 (docking clause): applies — additional entities may accede to the EU SCCs as data exporter or data importer with the agreement of all parties.
- Clause 9 (sub-processors): Option 2 (general written authorization) applies, with the time period for prior notice of Subprocessor changes set at 30 days, as further described in Section 5.
- Clause 11 (redress): the optional language allowing Data Subjects to lodge complaints with an independent dispute resolution body does not apply. Data Subjects retain their statutory rights to lodge complaints with a supervisory authority and to seek judicial remedy.
- Clause 17 (governing law): the EU SCCs are governed by the law of the EU member state in which the data exporter is established. Where the law of the data exporter's member state does not allow third-party beneficiary rights, the law of Ireland applies.
- Clause 18 (forum and jurisdiction): disputes arising from the EU SCCs will be resolved by the courts of the EU member state in which the data exporter is established.
- Annexes I, II, and III: are populated by Annex I, Annex II, and Annex III of this DPA below.
9.4 UK Transfers. For transfers of Customer Personal Data protected by the UK GDPR from Customer in the United Kingdom to Wolfia outside the UK, the parties are deemed to have entered into the UK IDTA (Version B1.0), incorporated by reference and completed as set out in Annex IV. The UK IDTA is read together with the EU SCCs as modified by the UK IDTA, and disputes are subject to the laws of England and Wales and the courts of England and Wales.
9.5 Swiss Transfers. For transfers of Customer Personal Data protected by the revFADP from Switzerland to Wolfia outside Switzerland, the EU SCCs apply with the modifications set out in Annex V: references to the GDPR are read as references to the revFADP where required; the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC); references to a "Member State" are read to include Switzerland; and Data Subjects in Switzerland may bring claims before the Swiss courts.
9.6 Conflict. If there is any conflict between this DPA and the EU SCCs, the UK IDTA, or the Swiss-modified clauses, the EU SCCs, UK IDTA, or Swiss modifications (as applicable) prevail.
10. Deletion and Return of Customer Personal Data
10.1 During the Term. The Services include functionality that allows Customer to delete or export Customer Personal Data. Wolfia will give effect to deletion instructions issued by Customer through the Services as soon as reasonably practicable, except where retention is required by Applicable Law.
10.2 On Termination. Within 30 days after termination or expiration of the MSA, Wolfia will, at Customer's written election, return or delete all Customer Personal Data in its possession or control, except where Applicable Law requires further retention. Where deletion is not technically feasible (for example, encrypted backups), Wolfia will continue to protect the Customer Personal Data and will purge it on a 90-day rolling backup cycle. Upon Customer's written request, Wolfia will provide written certification of deletion.
11. Term
This DPA takes effect on the effective date of the MSA and continues in effect for the duration of the MSA. Provisions that by their nature should survive termination — including Sections 4.6, 7, 8.3, 9, 10, 12, and 13 — survive termination of the DPA and the MSA.
12. Liability
Each party's liability under this DPA is subject to the exclusions and limitations of liability in the MSA. Nothing in this DPA limits any liability that cannot be limited under Applicable Data Protection Laws, including liabilities to Data Subjects under the third-party beneficiary clauses of the EU SCCs or the UK IDTA. Any claims brought against Wolfia under this DPA may only be brought by the Customer entity that is a party to the MSA.
13. Miscellaneous
13.1 Order of Precedence. If there is any conflict between this DPA, the MSA, and any incorporated transfer mechanism, the following order of precedence applies for matters relating to the Processing of Personal Data: (1) the EU SCCs, the UK IDTA, or the Swiss modifications (as applicable); (2) this DPA; and (3) the MSA.
13.2 Governing Law. Except where the EU SCCs, the UK IDTA, or the Swiss modifications require otherwise, this DPA is governed by the laws of the State of Delaware, without regard to its conflict-of-laws rules. The parties submit to the exclusive jurisdiction of the state and federal courts located in New Castle County, Delaware for any dispute relating to this DPA, except where Applicable Data Protection Laws or the transfer mechanisms require a different forum.
13.3 Severability. If any provision of this DPA is held invalid or unenforceable, that provision will be modified to the minimum extent necessary, and the remaining provisions will remain in full force.
13.4 Amendments. Wolfia may update this DPA from time to time to reflect changes in Applicable Data Protection Laws, the Services, or its Subprocessors, by posting an updated version at https://wolfia.com/legal/dpa. Material adverse changes will be communicated by email or in-product notice. Continued use of the Services after the effective date of an updated DPA constitutes acceptance.
13.5 Notices. Notices to Wolfia under this DPA must be sent to legal@wolfia.com and Wolfia Inc., Attn: Legal, 10500 Avery Club Drive Unit 6, Austin, TX 78717. Security notices may also be sent to security@wolfia.com. Data Subject rights requests under Applicable Data Protection Laws may be sent to privacy@wolfia.com.
Annex I — Description of Transfer
A. List of Parties.
Data Exporter: the Customer that has agreed to the MSA. Activities relevant to the transfer: see Section B below. Role: Controller (or Processor, where Customer is itself a Processor).
Data Importer: Wolfia Inc., 10500 Avery Club Drive Unit 6, Austin, TX 78717, USA. Contact: Naren Manoharan, CEO. Activities relevant to the transfer: see Section B below. Role: Processor (or Subprocessor, where Customer is a Processor).
B. Description of Transfer.
Service. Wolfia is a SaaS platform that automates completion of security questionnaires, RFPs, and vendor risk documentation using agentic retrieval-augmented generation (RAG). The Services ingest customer-provided data, apply AI models to generate responses, and surface results via a web dashboard and API.
Categories of Data Subjects: Customer's end users or customers; Customer's employees, contractors, and Authorized Users.
Categories of Personal Data: name; contact information such as email, phone number, or address; account and profile data; authentication identifiers; user activity, device information, and IP address; and content uploaded or connected by Customer to the Services.
Special Category Data: none. Customer should not upload Special Category Data (Article 9 GDPR) to the Services unless separately agreed in writing with Wolfia.
Frequency of Transfer: continuous, for the duration of the MSA.
Nature and Purpose of Processing: receiving data (collection, accessing, retrieval, recording, data entry); holding data (storage, organization, structuring); using data (analysis, consultation, testing, automated decision-making, profiling); updating data (correction, adaptation, alteration, alignment, combination); protecting data (restricting, encrypting, security testing); and erasing data (destruction, deletion). The purpose is the provision and improvement of the Wolfia Services for Customer.
Duration of Processing: for the duration of the MSA, plus a 30-day post-termination retrieval period and the rolling 90-day encrypted-backup purge cycle, except where Applicable Law requires longer retention.
C. Competent Supervisory Authority. The competent supervisory authority is the supervisory authority of the data exporter, determined in accordance with Clause 13 of the EU SCCs. For UK transfers, the UK Information Commissioner's Office is the competent authority. For Swiss transfers, the Swiss Federal Data Protection and Information Commissioner (FDPIC) is the competent authority.
Annex II — Technical and Organizational Measures
Wolfia maintains the following technical and organizational measures designed to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. The current Security Policy is published at https://wolfia.com/security and https://trust.wolfia.com.
- Pseudonymization and Encryption. Customer Personal Data is encrypted in transit using TLS 1.2+ and at rest using AES-256 with AWS KMS-managed keys. Direct identifiers are redacted or tokenized in logs and analytics where full fidelity is unnecessary.
- Confidentiality, Integrity, Availability, and Resilience. Production services run in redundant AWS Availability Zones behind least-privilege security groups and WAF rules. Continuous monitoring via Sentry, PostHog, AWS CloudWatch, OpenObserve, and AWS GuardDuty alerts engineering on uptime, integrity, and anomalous activity against SLA-backed metrics.
- Restoration of Availability. Encrypted database snapshots are taken regularly and stored cross-region. Disaster-recovery procedures are tested periodically. Recovery Time Objective (RTO) and Recovery Point Objective (RPO) targets are documented in Wolfia's Business Continuity Plan and reviewed annually; current targets are RTO of 24 hours and RPO of 24 hours.
- User Identification and Authorization. Internal Wolfia access requires Google Workspace SSO with enforced MFA. Provisioning, periodic access reviews, and deprovisioning follow a documented joiner-mover-leaver process supported by identity-governance tooling, and access is granted through least-privilege IAM roles. Customer access is authenticated via OpenID Connect, with role-based access control (RBAC) enforced at the application layer.
- Transmission Security. All external and inter-service traffic is forced over HTTPS with HSTS. Mutual TLS is used for microservice calls. Cipher suites are restricted to industry-recommended configurations and verified by automated SSL scans.
- Storage Security. Primary data stores reside in encrypted Amazon RDS instances and S3 buckets, with encryption keys rotated annually. File-level integrity is protected with object-lock versioning and server-side checksums.
- Physical Security. Customer Personal Data resides exclusively in AWS data centers maintaining ISO 27001 and SOC 1/2/3 certifications, with 24x7 badge access, CCTV, and biometric controls.
- Events Logging. Security, application, and audit logs are streamed to a centralized, tamper-evident log archive account. Immutable logs feed real-time alerting and support forensic analysis under our incident-response plan.
- Governance. Wolfia's Security Committee meets quarterly to review risk, vulnerabilities, and policy compliance. All staff complete annual security awareness training and sign the Acceptable Use and Confidentiality Policy upon hire.
- Data Minimization. The platform ingests only fields required to provide the Services. Optional uploads are off by default. Automated jobs purge transient processing data within 24 hours.
- Data Quality. Input validations, schema constraints, and automated tests prevent malformed records. Periodic reconciliations compare source data to generated outputs to detect drift or corruption.
- Limited Retention. Customer workspace data is deleted 30 days after contract termination or upon verified request; encrypted backups age out on a rolling 90-day cycle.
- Erasure. Verified deletion requests trigger a documented erasure workflow across primary and secondary systems within 30 days.
- Secrets Management. OAuth access and refresh tokens, API keys, and similar credentials are stored in an encrypted, access-controlled secrets vault and are never written to application logs.
- Vulnerability Management and Incident Response. Wolfia maintains a documented vulnerability management program (including automated dependency scanning and periodic penetration testing) and a documented incident-response plan.
- Subprocessor Oversight. Subprocessors are vetted before engagement and reviewed periodically for continued alignment with these measures, as further described in Section 5 and Annex III.
Annex III — Subprocessors
The current list of authorized Subprocessors, including the identity, location, and processing activity of each Subprocessor, is published and maintained at https://trust.wolfia.com/?tab=subprocessors. Wolfia will give Customer at least 30 days' prior notice of any addition or replacement of a Subprocessor, as set out in Section 5.
Annex IV — UK International Data Transfer Addendum (IDTA)
Where Customer Personal Data is transferred from the United Kingdom and protected by the UK GDPR, the parties incorporate the UK IDTA (Version B1.0) issued by the UK Information Commissioner under section 119A of the UK Data Protection Act 2018. The UK IDTA modifies and supplements the EU SCCs as set out in this Annex IV.
Table 1 — Parties. Start date: the effective date of the MSA. The Exporter is the Customer that has agreed to the MSA; the Importer is Wolfia Inc., 10500 Avery Club Drive Unit 6, Austin, TX 78717, USA. Key contact (Importer): Naren Manoharan, CEO, legal@wolfia.com. Importer signature: by entering into the MSA and this DPA, Wolfia is deemed to have signed the UK IDTA.
Table 2 — Selected SCCs, Modules and Selected Clauses. The "Approved EU SCCs" are the EU SCCs as completed in Section 9.3 and Annex I of this DPA. Module Two (Controller to Processor) applies where Customer is a Controller; Module Three (Processor to Processor) applies where Customer is a Processor. Clause 7 (docking clause) applies. Clause 9: Option 2 with 30 days' notice. Clause 11: optional language does not apply. Clause 17: governed by the law of England and Wales. Clause 18: forum is the courts of England and Wales.
Table 3 — Appendix Information. Annex 1A (List of Parties), Annex 1B (Description of Transfer), Annex II (Technical and Organizational Measures), and Annex III (Subprocessors) of the EU SCCs are populated by Annex I, Annex II, and Annex III of this DPA.
Table 4 — Ending the IDTA. Neither party may end the UK IDTA as set out in Section 19 of the UK IDTA on the basis that the Approved Addendum has been changed. If the UK Information Commissioner issues a revised Approved Addendum under Section 18 of the UK IDTA, the parties will work in good faith to update this DPA accordingly.
Annex V — Swiss Addendum
For transfers of Customer Personal Data from Switzerland subject to the revised Swiss Federal Act on Data Protection (revFADP), the EU SCCs as completed in Section 9.3 and Annex I apply with the following modifications:
- References to the GDPR in the EU SCCs are read as references to the revFADP, to the extent legally required.
- The competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC) for transfers governed exclusively by the revFADP, and the relevant EEA supervisory authority (per Clause 13 of the EU SCCs) for transfers governed by both the GDPR and the revFADP.
- References to "Member State" in the EU SCCs are read to include Switzerland, so that Data Subjects habitually resident in Switzerland may exercise their third-party beneficiary rights and bring claims before the Swiss courts.
- Until the entry into force of the revFADP for legal entities, the EU SCCs also protect Customer Personal Data of legal entities to the extent required under Swiss law.
Contact
Legal: legal@wolfia.com
Privacy / Data Subject Rights: privacy@wolfia.com
Security: security@wolfia.com
Mail: Wolfia Inc., Attn: Legal, 10500 Avery Club Drive Unit 6, Austin, TX 78717