This Data Processing Agreement forms part of the agreement between the customer as controller or business and WISPGate as processor or service provider where WISPGate processes personal data on behalf of the customer through the services.
The subject matter is the processing of personal data necessary to provide the services. Processing continues for the subscription term and the applicable retention period, unless earlier deleted according to the customer’s lawful instructions and the contract.
Processing may include hosting, storage, organization, retrieval, analysis for operational support, transmission, backup, restoration, security review, troubleshooting, controlled indexing, and deletion.
Data subjects may include customer personnel, customer subscribers, prospective subscribers, support contacts, and related business contacts. Categories of data may include identity data, contact data, account data, service-plan data, billing data, usage-related metadata, device-related fields, and support records, to the extent submitted by customer.
WISPGate will process personal data only on documented instructions from customer, except where required otherwise by applicable law. Use of the platform by customer, administrator configurations, submitted tickets, approved workflows, enabled modules, API calls, and signed statements of work constitute documented instructions for ordinary service processing.
WISPGate will ensure that persons authorized to process personal data are bound by confidentiality obligations.
WISPGate will implement appropriate technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures are further described at a high level in the Security Policy and may be supplemented by contract schedules.
Customer grants general authorization for WISPGate to engage subprocessors. WISPGate will maintain a subprocessor list and require subprocessors to undertake data-protection obligations appropriate to the nature of the processing.
Taking into account the nature of processing, WISPGate will provide reasonable assistance, at customer cost where appropriate, for data subject requests, security assessments, breach response coordination, DPIA support, and regulatory inquiries, to the extent required by law and technically feasible.
WISPGate will notify customer without undue delay after confirming a personal-data breach affecting personal data processed under this DPA, and will provide available information reasonably necessary for customer to meet its own obligations. Notification does not constitute admission of fault or liability.
Upon termination and expiration of the applicable retention window, WISPGate will delete or make inaccessible personal data unless retention is required by law, dispute preservation, security necessity, or backup-cycle constraints.
Where legally required and contractually agreed, customer may request reasonable information regarding WISPGate’s security posture. Any audit rights shall be exercised in a manner that does not expose other customers, systems, trade secrets, or platform security, and may be satisfied through reports, certifications, questionnaires, or controlled review rather than unrestricted direct access.
Where applicable law requires transfer safeguards, the parties shall implement the appropriate legal mechanism, such as standard contractual clauses or another recognized transfer basis.
Liability under this DPA is subject to the liability limitations in the master commercial agreement unless prohibited by non-waivable law.