Data Processing Agreement

Effective Date: 01/03/2025 Last Updated: 01/03/2026

This Data Processing Agreement (“DPA”) forms an integral part of, and is subject to, the WOCS AI Terms and Conditions available at https://www.wocs.ai/terms (the “Terms”) and the applicable order form or similar purchase instrument governing Customer’s use of the WOCS AI services (collectively, the “Agreement”), entered into by and between WOCS AI, Inc. (“WOCS AI”) and the customer identified in the applicable Order Form (“Customer”).

WOCS AI and Customer may be referred to individually as a “Party” and collectively as the “Parties.”

By accessing or using the WOCS AI platform available at https://mywocs.com (the “Platform”), Customer agrees to this DPA and represents that it has full authority to bind the Customer to this DPA.


1. Definitions

1.1 Affiliate

Any entity that directly or indirectly controls, is controlled by, or is under common control with a Party. “Control” means ownership of more than 50% of the voting securities or voting interests.

1.2 Customer Personal Data

Any Personal Data processed by WOCS AI on behalf of Customer in connection with the Services.

1.3 Data Protection Laws

All applicable data protection, privacy, and security laws and regulations, including without limitation:

  • Regulation (EU) 2016/679 (“GDPR”)

  • UK GDPR and the UK Data Protection Act 2018

  • Swiss Federal Act on Data Protection (“FADP”)

  • California Consumer Privacy Act as amended by the CPRA (“CCPA/CPRA”)

  • Other applicable U.S. state or international privacy laws

1.4 EU Standard Contractual Clauses (“EU SCCs”)

The standard contractual clauses adopted by the European Commission pursuant to Implementing Decision (EU) 2021/914, as amended or replaced.

1.5 UK Addendum

The International Data Transfer Addendum issued by the UK Information Commissioner’s Office (version B1.0, effective 21 March 2022).

1.6 Swiss Addendum

The Swiss Federal Data Protection and Information Commissioner–approved modifications to the EU SCCs.

1.7 Sub-Processor

Any third party engaged by or on behalf of WOCS AI to process Customer Personal Data.

1.8 Interpretation

Terms such as “Personal Data,” “Processing,” “Controller,” “Processor,” “Data Subject,” and “Personal Data Breach” have the meanings given under the GDPR. For CCPA/CPRA purposes, “Controller” includes “Business” and “Processor” includes “Service Provider.”


2. Processing of Customer Personal Data

2.1 Roles of the Parties

Customer acts as the Controller of Customer Personal Data, and WOCS AI acts as a Processor.

2.2 Processing Instructions

WOCS AI shall process Customer Personal Data only on documented instructions from Customer, unless required to do so by applicable law. Where legally permitted, WOCS AI shall notify Customer of such legal requirement.

2.3 Authorized Processing

Customer authorizes WOCS AI to:

  • process Customer Personal Data solely to provide, operate, maintain, and improve the Services; and

  • transfer Customer Personal Data internationally as necessary to provide the Services, in accordance with this DPA and Data Protection Laws.

2.4 Customer Authority

Customer represents that it has obtained all necessary rights, consents, and lawful bases to provide Customer Personal Data to WOCS AI.

2.5 Processing Details

The subject matter, nature, purpose, and duration of processing are described in Annex 1.


3. Customer Obligations

Customer is responsible for compliance with all Data Protection Laws applicable to its collection and disclosure of Customer Personal Data.

Customer shall not intentionally provide special categories of personal data (as defined under Article 9 GDPR) unless expressly agreed in writing by WOCS AI.


4. Confidentiality

WOCS AI shall ensure that personnel authorized to process Customer Personal Data are subject to appropriate confidentiality obligations, whether contractual or statutory.


5. Security Measures

WOCS AI shall implement and maintain appropriate technical and organizational measures (“TOMs”) to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, in accordance with GDPR Article 32.

A summary of the TOMs is provided in Annex 3.


6. Sub-Processing

6.1 Authorization

Customer authorizes WOCS AI to engage Sub-Processors in accordance with this Section.

6.2 Authorized Sub-Processors

WOCS AI maintains a list of authorized Sub-Processors in Annex 2 or via a publicly available sub-processor page referenced therein.

6.3 New Sub-Processors

WOCS AI shall provide prior notice of any new Sub-Processor. Customer may object within seven (7) days on reasonable data protection grounds.

6.4 Sub-Processor Obligations

WOCS AI shall ensure that each Sub-Processor:

  • is bound by written obligations providing a level of data protection materially equivalent to this DPA; and

  • remains fully under WOCS AI’s responsibility for performance of processing obligations.


7. Data Subject Requests

Customer is responsible for responding to Data Subject requests.

WOCS AI shall promptly notify Customer of any such request received and shall not respond unless instructed by Customer or required by law. WOCS AI shall provide reasonable assistance, taking into account the nature of the processing.


8. Personal Data Breach

8.1 Notification

WOCS AI shall notify Customer without undue delay and in any event within seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Customer Personal Data.

8.2 Assistance

WOCS AI shall reasonably assist Customer in investigating, mitigating, and complying with breach notification obligations.


9. Data Protection Impact Assessments

Upon written request, WOCS AI shall provide reasonable assistance with data protection impact assessments and prior consultations with supervisory authorities, limited to processing under this DPA.


10. Deletion or Return of Data

Within sixty (60) days following termination of the Services, WOCS AI shall delete or anonymize Customer Personal Data unless retention is required by law. Upon request, WOCS AI shall provide written certification of deletion.


11. Audit Rights

WOCS AI shall make available information reasonably necessary to demonstrate compliance with this DPA.

Audits:

  • require at least fourteen (14) days’ prior written notice;

  • must be conducted by a reputable independent auditor; and

  • shall not unreasonably disrupt WOCS AI’s operations or compromise security.


12. International Data Transfers

12.1 Adequacy Decisions

Transfers to countries covered by adequacy decisions (including the EU-US Data Privacy Framework) are permitted.

12.2 SCCs

Where required, the EU SCCs (Modules 2 or 3), the UK Addendum, and/or the Swiss Addendum are incorporated by reference.

12.3 Government Access Requests

WOCS AI shall:

  • challenge unlawful government access requests where permitted;

  • notify Customer unless legally prohibited; and

  • provide reasonable assistance with Transfer Impact Assessments.


13. CCPA / CPRA Commitments

WOCS AI acts as a Service Provider / Processor and shall:

  • not sell or share Personal Information;

  • not retain, use, or disclose Personal Information outside the business purpose;

  • not combine Customer Personal Data with data from other customers except as permitted by law.


14. General Terms

14.1 Governing Law

As specified in the Terms.

14.2 Limitation of Liability

As set forth in the Terms, subject to applicable Data Protection Laws.

14.3 Order of Precedence

This DPA prevails over the Terms solely with respect to data protection obligations.

14.4 Changes in Law

The Parties shall negotiate in good faith to amend this DPA as required by changes in Data Protection Laws.

14.5 Severability

Invalid provisions shall be replaced with valid provisions reflecting the Parties’ original intent.

Annex 1 – Details of Processing

Purpose: Provision of WOCS AI cybersecurity services, including CISOaaS, Security Culture, and SECaaS modules via https://mywocs.com.

Duration: For the term of the Agreement.

Types of Personal Data:

  • Name, business email, phone number

  • Role, organization, department

  • Authentication and SSO attributes

  • IP address, device and browser metadata

  • Audit logs and activity records

  • Security awareness, phishing simulation, and training results

  • Policy acknowledgments and compliance records

Categories of Data Subjects: Authorized Customer users and personnel.

Annex 2 – Authorized Sub-Processors

A current list of Sub-Processors is maintained at: [WOCS AI Sub-Processors Page – to be linked in Trust Center]

Annex 3 – Technical and Organizational Measures (Summary)

  • Encryption in transit (TLS 1.2+) and at rest

  • Role-based access control and least-privilege enforcement

  • Multi-factor authentication for administrative access

  • Centralized logging and security monitoring

  • Secure software development lifecycle (SSDLC)

  • Vulnerability management and patching

  • Backup, disaster recovery, and incident response procedures

  • Employee security awareness training and confidentiality obligations
