Data Processing Addendum

Effective date: April 2026
Last updated: April 2026
Applies to: Customers of Wollow Inc. who act as Controllers of Personal Data Processed through the Service

This Data Processing Addendum ("DPA") forms part of the Terms of Service and any related order between Wollow Inc. ("Wollow", "Processor") and the Customer identified in that agreement ("Customer", "Controller"). It governs the Processing of Personal Data by Wollow on behalf of the Customer to the extent that such Processing is subject to the European Union General Data Protection Regulation (GDPR), the United Kingdom GDPR, the Brazilian Lei Geral de Proteção de Dados (LGPD), or any substantially similar data protection law (collectively, "Data Protection Laws").

If the Customer is an individual consumer using the Service for personal purposes, this DPA does not apply and the processing of the Customer's Personal Data is governed exclusively by the Privacy Policy.

1. Definitions

Capitalized terms used but not defined in this DPA have the meanings given to them in the Terms of Service. In addition:

  • Customer Personal Data means any Personal Data that Wollow Processes on behalf of the Customer in the course of providing the Service.
  • Data Subject means the identified or identifiable natural person to whom Customer Personal Data relates.
  • Security Incident means a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Customer Personal Data.
  • Sub-Processor means any third party engaged by Wollow to Process Customer Personal Data on its behalf.
  • Standard Contractual Clauses or SCCs means the standard contractual clauses approved by the European Commission in Decision 2021/914 and any corresponding mechanism recognized under UK GDPR.

2. Roles of the Parties

The parties acknowledge and agree that with respect to Customer Personal Data:

  • The Customer is the Controller (or the Processor, where the Customer Processes on behalf of a third-party Controller).
  • Wollow is the Processor.
  • With respect to a narrow category of data that Wollow determines the purposes of (such as billing data, account authentication records, aggregated service telemetry, and abuse-prevention signals), Wollow acts as an independent Controller as described in the Privacy Policy; that Processing is not subject to this DPA.

3. Scope and Instructions

Wollow will Process Customer Personal Data only on documented instructions from the Customer, including with regard to transfers of Customer Personal Data to a third country, unless required to do so by applicable law. The Customer's instructions are set out in (i) the Terms of Service, (ii) this DPA, and (iii) the configuration choices the Customer makes within the Service (for example, connecting an integration, enabling a channel, or invoking a tool through an AI agent).

The subject matter, duration, nature, and purpose of the Processing, the types of Personal Data, and the categories of Data Subjects are described in Annex 1.

Wollow will inform the Customer if, in its opinion, an instruction infringes applicable Data Protection Laws, in which case Wollow may suspend performance of the relevant instruction until the Customer confirms, modifies, or withdraws it.

4. Confidentiality

Wollow will ensure that any person it authorizes to Process Customer Personal Data is subject to a duty of confidentiality, whether by contract or by statutory obligation, and is trained on the handling of Personal Data proportionate to their role.

5. Security Measures

Wollow will implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against a Security Incident, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects. Those measures include, at a minimum:

  • Encryption of Customer Personal Data in transit using modern TLS and encryption of authentication secrets and third-party credentials at rest;
  • Deployment of Customer workloads onto dedicated per-Customer servers with logical isolation from other Customers;
  • Role-based access control and least-privilege administration for Wollow personnel;
  • Centralized logging of administrative operations affecting the Service;
  • Periodic review of access rights, credential rotation, and vulnerability management of the underlying infrastructure;
  • A documented incident-response process including internal escalation paths and external notification obligations.

6. Sub-Processors

The Customer provides Wollow with a general authorization to engage Sub-Processors to assist in providing the Service, subject to the conditions of this Section. The canonical list of Sub-Processors is published at wollow.ai/subprocessors and is also reproduced in Section 7.1 of the Privacy Policy.

Wollow will impose on each Sub-Processor data protection obligations that are no less protective than those set out in this DPA, including the requirement to Process Customer Personal Data only for the purposes of performing the services for which they are engaged.

Wollow will provide the Customer with at least thirty (30) days' advance notice by email to the Customer's designated administrator of the addition or replacement of a Sub-Processor. The Customer may object to the engagement of a new Sub-Processor on reasonable and legitimate data protection grounds by notifying Wollow at privacy@wollow.ai within that period. If the parties cannot resolve the objection, the Customer may terminate the affected portions of the Service for convenience and receive a pro-rata refund of prepaid fees for the unused period.

7. International Transfers

Where Wollow transfers Customer Personal Data from the European Economic Area, the United Kingdom, Switzerland, or Brazil to a country that is not the subject of an adequacy decision, the parties agree that the Standard Contractual Clauses (Module Two: Controller-to-Processor, or Module Three: Processor-to-Processor where applicable) are incorporated by reference into this DPA and form a binding part of it. Wollow will complete the Annexes to the SCCs consistent with this DPA and the Privacy Policy, and will apply supplementary technical, organizational, and contractual measures where a transfer impact assessment identifies that such measures are required.

For transfers subject to UK GDPR, the parties incorporate the International Data Transfer Addendum issued by the United Kingdom Information Commissioner's Office. For transfers subject to LGPD, the parties will rely on the standard contractual clauses approved by the Autoridade Nacional de Proteção de Dados when and as they become mandatory.

8. Assistance to the Customer

Taking into account the nature of the Processing, Wollow will assist the Customer by appropriate technical and organizational measures, insofar as this is possible, to fulfil the Customer's obligation to respond to Data Subject requests. In particular, the Service provides self-service tooling that allows the Customer administrator to access, export, correct, and delete Customer Personal Data stored on the Customer's dedicated server.

Wollow will also assist the Customer in ensuring compliance with its obligations regarding the security of Processing, notification of Security Incidents, communication of a Security Incident to Data Subjects, data protection impact assessments, and prior consultation with a supervisory authority, taking into account the nature of the Processing and the information available to Wollow.

9. Security Incidents

Wollow will notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Security Incident affecting Customer Personal Data. The notification will describe, to the extent then known, the nature of the Security Incident, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures Wollow has taken or proposes to take to address the Security Incident and mitigate its possible adverse effects. Wollow will cooperate with the Customer and provide additional information as it becomes available.

10. Audits

Wollow will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA. The Customer may exercise audit rights no more than once per calendar year, except where a Security Incident affecting the Customer has occurred in the preceding twelve (12) months or where an audit is required by a supervisory authority.

Audits will be conducted during normal business hours, with at least thirty (30) days' advance written notice, subject to reasonable confidentiality and security restrictions, and at the Customer's expense. Wollow may satisfy its audit obligation by providing relevant third-party certifications, penetration test reports, or written responses to a standard industry questionnaire (such as SIG-Lite or CAIQ) in lieu of an on-site audit.

11. Return and Deletion

Upon termination of the Terms of Service, and at the Customer's election, Wollow will delete or return all Customer Personal Data and delete existing copies, unless applicable law requires continued storage. Wollow's standard practice is to destroy the dedicated Customer server and all associated Customer Personal Data within seven (7) days of termination, as described in the Privacy Policy and the Terms of Service.

12. Liability

Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Terms of Service, and any reference in the Terms of Service to the liability of a party means the aggregate liability of that party under the Terms of Service and all addenda, including this DPA, taken together. The Standard Contractual Clauses, where they apply, will prevail to the extent of any conflict with this Section for the specific Processing governed by the SCCs.

13. Precedence and Modification

In the event of a conflict between this DPA and the Terms of Service, this DPA prevails with respect to the Processing of Customer Personal Data. Wollow may update this DPA from time to time to reflect changes in applicable law, Sub-Processor engagements, or security practices; Wollow will notify Customer administrators of material changes at least thirty (30) days in advance where reasonably feasible.

14. Execution

This DPA becomes binding automatically when the Customer accepts the Terms of Service or continues to use the Service after the effective date above, whichever occurs later. A Customer that requires a counter-signed copy for internal recordkeeping purposes may request one by emailing legal@wollow.ai.

Annex 1 — Description of Processing

  • Subject matter: provision of the Wollow platform, including the deployment and operation of AI agents on a dedicated per-Customer server.
  • Duration: the term of the Terms of Service, plus any period of up to seven (7) days required to complete secure deletion.
  • Nature and purpose: hosting, storing, transmitting, orchestrating, and otherwise Processing Personal Data as required to execute the actions the Customer configures, including conversations with End Users, integrations with Connected Accounts, and tool invocations by AI agents.
  • Types of Personal Data: identifiers (names, email addresses, phone numbers), message and conversation content, files uploaded to agents, tokens and credentials issued by Connected Accounts, and any Personal Data contained in data the Customer provides or that End Users submit to the agents.
  • Categories of Data Subjects: the Customer's employees, contractors, and authorized users; End Users interacting with the Customer's agents; and any individuals referenced in content Processed through the Service.
  • Frequency of the transfer: continuous, for as long as the Customer uses the Service.
  • Retention: as described in Section 9 of the Privacy Policy and Section 11 of this DPA.

Annex 2 — Technical and Organizational Measures

The measures listed in Section 5 of this DPA, together with Section 10 of the Privacy Policy and the public Security page, constitute the technical and organizational measures implemented by Wollow. Additional detail is available to Customers under a non-disclosure agreement by emailing security@wollow.ai.

Contact

Questions about this DPA may be directed to privacy@wollow.ai or to Wollow Inc., Delaware, United States.