Data Processing Addendum

GDPR & cross-border
data obligations.

Effective May 1, 2026. This DPA governs Winglo's processing of personal data on behalf of Customers subject to the GDPR, UK GDPR, or equivalent data protection laws.

Summary for data teams

Winglo is a data processor. You (the Customer) are the data controller. This DPA is incorporated into the Winglo Terms of Service and becomes binding when you accept the Terms. Enterprise customers may request a countersigned DPA by contacting legal@winglo.ai.

SCCs included

Module 2 (Controller → Processor)

Sub-processors

Listed and notified on change

HIPAA BAAs

Not currently available

1. Definitions

  • "Customer" means the entity that has accepted the Winglo Terms of Service and appointed Winglo as a data processor.
  • "Personal Data" has the meaning given in GDPR Article 4(1).
  • "Processing" has the meaning given in GDPR Article 4(2).
  • "Sub-processor" means any third party appointed by Winglo to process Personal Data on behalf of the Customer.
  • "Standard Contractual Clauses" or "SCCs" means the European Commission's standard contractual clauses for the transfer of personal data to third countries.

2. Scope and roles

This DPA applies when Winglo processes Personal Data on behalf of the Customer in the course of providing the Service. Winglo acts as a data processor; the Customer acts as a data controller.

Details of processing: The categories of data subjects, types of Personal Data, and purposes of processing are as described in Schedule A (Annex I) below.

3. Winglo's obligations

Winglo shall:

  • Process Personal Data only on documented instructions from the Customer, including those set out in these Terms
  • Ensure that persons authorized to process Personal Data have committed to confidentiality
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (Article 32 GDPR)
  • Notify the Customer without undue delay upon becoming aware of a Personal Data breach
  • Assist the Customer in responding to requests from data subjects exercising their rights under GDPR
  • Delete or return all Personal Data upon termination, unless retention is required by law
  • Make available all information necessary to demonstrate compliance with GDPR Article 28

4. Sub-processors

The Customer grants Winglo general authorization to engage sub-processors. Winglo maintains a current list of sub-processors at winglo.ai/sub-processors. Winglo will notify the Customer of any intended changes to sub-processors at least 14 days before the change takes effect, providing the Customer an opportunity to object.

Winglo imposes equivalent data protection obligations on sub-processors through binding written contracts and remains liable for sub-processors' compliance with this DPA.

5. International data transfers

For Customers subject to GDPR or UK GDPR, Winglo incorporates the Standard Contractual Clauses (Module 2: Controller to Processor) as adopted by the European Commission on June 4, 2021, and as amended or replaced from time to time ("SCCs"). The SCCs are incorporated by reference and form part of this DPA.

All Winglo Customer data is currently hosted within the EU — primary database and authentication in Dublin, Ireland (AWS eu-west-1) and application infrastructure in Nuremberg, Germany. No Customer Personal Data is transferred outside the EU in the course of providing the Service. SCCs are incorporated as a safeguard for any incidental intra-group transfers.

6. Security measures

Winglo implements and maintains the following technical and organizational measures:

  • Encryption at rest (AES-256) and in transit (TLS 1.3)
  • Per-workspace tenant isolation at the database and application layer
  • Role-based access controls with the principle of least privilege
  • Multi-factor authentication for all internal system access
  • Vulnerability scanning and periodic security reviews
  • Incident response procedures and data breach notification protocols
  • Access controls limiting customer data access to authorized personnel

7. Data subject rights

Winglo shall provide the Customer with reasonable assistance to enable the Customer to fulfil its obligations to respond to requests from data subjects exercising their rights under applicable data protection law (including rights of access, rectification, erasure, restriction, portability, and objection).

If Winglo receives a data subject request directly, it will redirect the data subject to the Customer and notify the Customer promptly.

8. HIPAA (Healthcare customers)

Winglo does not currently offer HIPAA-compliant infrastructure or Business Associate Agreements ("BAAs"). Customers who require HIPAA compliance for workloads involving protected health information ("PHI") should not use the Service for those workloads at this time.

HIPAA-ready infrastructure and BAA capability are on the product roadmap. Interested Enterprise customers may contact legal@winglo.ai to register interest and be notified when availability is confirmed.

9. Audits

Winglo shall allow for and contribute to audits, including inspections, conducted by the Customer or a mandated auditor, subject to reasonable notice (at least 30 days) and confidentiality obligations. Winglo may satisfy audit obligations by providing relevant compliance documentation and audit artifacts upon Customer request under NDA.

Schedule A — Details of processing

Categories of data subjects
Customer employees, end users, and third parties whose data is input into the Service
Types of personal data
Contact information, business data, operational content, usage logs, and any other data submitted by or on behalf of the Customer
Purposes of processing
To provide, operate, and improve the Winglo platform and its AI agents
Duration
For the term of the Customer's subscription, plus the retention period specified in the Privacy Policy
Nature of processing
Storage, retrieval, analysis, inference, reporting, and communication as required to operate the Service

Request a countersigned DPA

Enterprise customers requiring a countersigned DPA or custom data processing arrangements should contact our legal team. We respond within 5 business days.

Contact legal