Data Processing Agreement (DPA)
Last Updated: 1st March 2025
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Master Subscription Agreement ("Agreement") between WaveQuery Ltd ("WaveQuery") and the Customer ("Customer") to comply with data protection laws, including UK GDPR, EU GDPR, CCPA, and international data transfer regulations.
2. Roles & Responsibilities
- Customer as Data Controller: Customer determines what data is processed via WaveQuery and is responsible for compliance with all applicable data protection laws.
- WaveQuery as Data Processor: WaveQuery processes data only as instructed by the Customer and does not store customer query results.
- Third-Party Subprocessors: WaveQuery engages trusted subprocessors for service functionality (listed in Section 4).
3. Data Processed by WaveQuery
3.1 Data We Process
- Account Data: Name, email, authentication details.
- Query Metadata: Query execution logs, IP addresses, and usage timestamps (retained for 90 days).
- Third-Party LLM Data: Query contents processed by the selected AI provider (e.g., OpenAI, Anthropic, Google Gemini, self-hosted Llama).
- Customer Communications: Support interactions via Linear (ticketing) and Productlane (changelog and roadmap feedback).
3.2 Special Categories of Data
WaveQuery does not require or intentionally process sensitive categories of personal data (e.g., health, biometric, financial information). Customers remain responsible for ensuring compliance if they choose to process such data via their queries.
4. Approved Subprocessors
Service | Provider | Purpose |
---|---|---|
Payment Processing | Stripe | Subscription payments |
Ticketing System | Linear | Customer support requests |
Changelog & Roadmap | Productlane | Feature tracking & updates |
DNS & Security | Cloudflare | DDoS protection & security |
Analytics | Posthog, Google Analytics | Product usage insights |
Email & Calendar | | Email, document storage |
Transactional Email | Resend | Service notifications |
Marketing Email | Brevo | Customer marketing emails |
Client Email Management | Superhuman | Business email tracking |
Error Monitoring | Sentry | Application logging |
AI Processing | OpenAI, Anthropic, Google Gemini, Llama (self-hosted) | AI-powered query generation |
5. Security & Compliance
- Data Encryption: TLS 1.2+ encryption for data in transit.
- Access Controls: Role-based permissions and multi-factor authentication (MFA).
- Security Monitoring: Regular penetration testing and real-time monitoring via Sentry.
- Incident Response: WaveQuery will notify the Customer within 48 hours of any detected data breach impacting Customer data.
6. Data Retention & Deletion
- Query Logs: Retained for 90 days and automatically purged unless legally required.
- Customer Data Deletion: Upon termination, account data is erased unless needed for compliance.
7. International Data Transfers
WaveQuery complies with Standard Contractual Clauses (SCCs) for data transfers outside the UK & EU.
8. Liability & Indemnification
- The Customer agrees to indemnify WaveQuery against any regulatory actions, fines, or claims resulting from the Customer's misuse of the Services.
- WaveQuery's total liability for any data processing-related claims is limited to the total fees paid by the Customer in the preceding 12 months.
9. Contact Information
For data protection inquiries, contact [email protected].