This Data Processing Agreement ("DPA") forms part of the Wizper Terms of Service ("Terms") between the Customer and Wizper ("Processor") and governs the processing of personal data by Wizper on behalf of Customer in connection with the Services. This DPA is effective from the date Customer accepts the Terms.

1. Definitions

• "Controller" means the Customer, who determines the purposes and means of processing personal data.
• "Processor" means Wizper, who processes personal data on behalf of the Controller.
• "Customer Personal Data" means any personal data processed by Wizper on behalf of Customer pursuant to the Terms.
• "Data Protection Laws" means all applicable data protection and privacy laws, including GDPR, CCPA, and Colombia's Law 1581 of 2012, as applicable.
• "GDPR" means EU General Data Protection Regulation 2016/679.
• "Personal Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of personal data.
• "Subprocessor" means any third party engaged by Wizper to process Customer Personal Data.
• "Standard Contractual Clauses" or "SCCs" means the clauses approved by the European Commission for international transfers of personal data.

2. Scope & Role of the Parties

The parties acknowledge that for the purposes of Data Protection Laws, Customer is the Controller and Wizper is the Processor of Customer Personal Data. Wizper shall process Customer Personal Data only to provide the Services and as documented in these Terms.

3. Processing Instructions

3.1 Documented Instructions

Wizper shall process Customer Personal Data only on Customer's documented instructions, as set forth in the Terms and this DPA. If Wizper is required by applicable law to process Customer Personal Data for any other purpose, Wizper will notify Customer before such processing unless prohibited by law.

3.2 Details of Processing

• Subject matter: AI-powered productivity assistance for macOS.
• Duration: For the term of the Agreement.
• Nature: Collection, storage, and real-time processing to generate productivity suggestions.
• Purpose: Providing the Services as described in the Terms.
• Types of data: Account information, usage data, session context, device data.
• Categories of data subjects: Customer's employees, contractors, or authorized users.

4. Confidentiality

Wizper shall ensure that all personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations. Access to Customer Personal Data is limited to personnel who need it to perform the Services.

5. Security

5.1 Technical & Organizational Measures

Wizper shall implement and maintain appropriate technical and organizational security measures to protect Customer Personal Data against unauthorized access, disclosure, alteration, or destruction, including:

• Encryption of data in transit using TLS and at rest using AES-256.
• Access controls and least-privilege principles.
• Regular security assessments and vulnerability management.
• Incident detection and response procedures.

5.2 Personnel Training

Wizper shall ensure all personnel handling Customer Personal Data receive appropriate data protection training.

6. Subprocessors

6.1 Authorized Subprocessors

Customer authorizes Wizper to engage the following Subprocessors to process Customer Personal Data:

Name	Purpose	Location
Paddle.com	Payment processing & billing	United Kingdom
PostHog	Product analytics	United States / EU

6.2 New Subprocessors

Wizper will notify Customer at least 14 days before engaging any new Subprocessor. Customer may object within 10 days of notification. If no resolution is reached, Customer may terminate the Agreement without penalty.

6.3 Subprocessor Obligations

Wizper shall impose data protection obligations on all Subprocessors equivalent to those in this DPA and shall remain liable to Customer for Subprocessor compliance.

7. Data Subject Rights

Wizper shall promptly notify Customer of any requests from data subjects exercising their rights (access, rectification, erasure, restriction, portability, objection) and shall assist Customer in responding to such requests, taking into account the nature of the processing.

8. Personal Data Breach Notification

Wizper shall notify Customer without undue delay, and within 72 hours, upon becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification shall include:

• Description of the nature of the breach.
• Categories and approximate number of data subjects affected.
• Likely consequences of the breach.
• Measures taken or proposed to address the breach.

9. Data Protection Impact Assessments

Upon Customer's request, Wizper shall provide reasonable assistance with data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, taking into account the nature of the processing and information available to Wizper.

10. International Data Transfers

Where Wizper transfers Customer Personal Data outside the EEA to a country without adequate data protection, Wizper shall ensure appropriate safeguards are in place, including Standard Contractual Clauses as approved by the European Commission. By entering into this DPA, the parties are deemed to have executed the applicable SCCs.

11. Audit Rights

Upon Customer's reasonable written request (no more than once per year), Wizper shall provide information necessary to demonstrate compliance with this DPA. Wizper may satisfy audit requests by providing relevant certifications or third-party audit reports where available.

12. Deletion & Return of Data

Upon termination of the Agreement or upon Customer's written request, Wizper shall delete or return all Customer Personal Data within 30 days, unless applicable law requires longer retention. Wizper shall certify deletion in writing upon request.

13. No Training on Customer Data

14. Liability

Each party's liability under this DPA is subject to the limitations set forth in the Terms. Wizper's aggregate liability under this DPA shall not exceed the fees paid by Customer in the twelve (12) months preceding the claim.

15. Term & Termination

This DPA remains in effect for the duration of the Agreement. Obligations regarding Customer Personal Data processed before termination survive for as long as Wizper retains such data.

16. Governing Law

This DPA shall be governed by the same law as the Terms. For EEA customers, this DPA shall be interpreted in accordance with GDPR.

17. Contact

For DPA-related inquiries or to request a signed copy: support@wizper.co