Data Processing Addendum

This document is a placeholder pending final legal review. The URL is stable; the binding text will appear here on review completion. A pre-signed copy is available on request.

1. Parties & subject matter

This Data Processing Addendum ("DPA") supplements the Wrendex Terms of Service and applies whenever Wrendex processes personal data on behalf of a customer in a controller-processor relationship.

2. Roles

The customer is the controller; Wrendex is the processor. The customer determines the purposes and means of processing; Wrendex processes only on documented instructions from the customer.

3. Categories of data & data subjects

The personal data processed under this DPA consists of any personal data contained in URLs the customer asks Wrendex to audit, plus account data of the customer’s members. Data subjects include the customer’s users, employees, and (where applicable) the visitors of the customer’s site.

4. Sub-processors

Wrendex’s current sub-processors are listed at /legal/sub-processors. We provide thirty days’ notice before adding a new sub-processor; customers may object on reasonable grounds.

5. International transfers

For transfers of personal data from the EEA, UK, or Switzerland to a country without an adequacy decision, the EU Standard Contractual Clauses ("SCCs") apply, supplemented by the UK IDTA where relevant.

6. Security

Wrendex implements technical and organisational measures appropriate to the risk, including AES-256 encryption at rest with KMS-managed keys, TLS 1.3 in transit, principle-of-least-privilege access controls, audit logging, and a documented incident response plan.

7. Personal data breach notification

Wrendex will notify the customer without undue delay (and within seventy-two hours where feasible) of becoming aware of a personal data breach affecting customer data.

8. Data subject requests

Wrendex will assist the customer in responding to data subject requests, including access, correction, deletion, and portability, by providing reasonable cooperation and tooling.

9. Audit rights

Wrendex will make available, upon written request, the most recent third-party audit reports it holds (e.g. SOC 2). On-site audits are limited to a reasonable scope and frequency, subject to confidentiality.

10. Termination & deletion

Upon termination, Wrendex will delete or return all customer personal data within sixty days, unless retention is required by law.

11. Execution

This DPA forms part of the Terms of Service. Customers requiring a counter-signed copy should request one via /contact.