Data Processing Addendum
GDPR & cross-border
data obligations.
Effective May 1, 2026. This DPA governs Winglo's processing of personal data on behalf of Customers subject to the GDPR, UK GDPR, or equivalent data protection laws.
Summary for data teams
Winglo is a data processor. You (the Customer) are the data controller. This DPA is incorporated into the Winglo Terms of Service and becomes binding when you accept the Terms. Enterprise customers may request a countersigned DPA by contacting legal@winglo.ai.
SCCs included
Module 2 (Controller → Processor)
Sub-processors
Listed and notified on change
HIPAA BAAs
Not currently available
1. Definitions
- "Customer" means the entity that has accepted the Winglo Terms of Service and appointed Winglo as a data processor.
- "Personal Data" has the meaning given in GDPR Article 4(1).
- "Processing" has the meaning given in GDPR Article 4(2).
- "Sub-processor" means any third party appointed by Winglo to process Personal Data on behalf of the Customer.
- "Standard Contractual Clauses" or "SCCs" means the European Commission's standard contractual clauses for the transfer of personal data to third countries.
2. Scope and roles
This DPA applies when Winglo processes Personal Data on behalf of the Customer in the course of providing the Service. Winglo acts as a data processor; the Customer acts as a data controller.
Details of processing: The categories of data subjects, types of Personal Data, and purposes of processing are as described in Schedule A (Annex I) below.
3. Winglo's obligations
Winglo shall:
- Process Personal Data only on documented instructions from the Customer, including those set out in these Terms
- Ensure that persons authorized to process Personal Data have committed to confidentiality
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (Article 32 GDPR)
- Notify the Customer without undue delay upon becoming aware of a Personal Data breach
- Assist the Customer in responding to requests from data subjects exercising their rights under GDPR
- Delete or return all Personal Data upon termination, unless retention is required by law
- Make available all information necessary to demonstrate compliance with GDPR Article 28
4. Sub-processors
The Customer grants Winglo general authorization to engage sub-processors. Winglo maintains a current list of sub-processors at winglo.ai/sub-processors. Winglo will notify the Customer of any intended changes to sub-processors at least 14 days before the change takes effect, providing the Customer an opportunity to object.
Winglo imposes equivalent data protection obligations on sub-processors through binding written contracts and remains liable for sub-processors' compliance with this DPA.
5. International data transfers
For Customers subject to GDPR or UK GDPR, Winglo incorporates the Standard Contractual Clauses (Module 2: Controller to Processor) as adopted by the European Commission on June 4, 2021, and as amended or replaced from time to time ("SCCs"). The SCCs are incorporated by reference and form part of this DPA.
All Winglo Customer data is currently hosted within the EU — primary database and authentication in Dublin, Ireland (AWS eu-west-1) and application infrastructure in Nuremberg, Germany. No Customer Personal Data is transferred outside the EU in the course of providing the Service. SCCs are incorporated as a safeguard for any incidental intra-group transfers.
6. Security measures
Winglo implements and maintains the following technical and organizational measures:
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- Per-workspace tenant isolation at the database and application layer
- Role-based access controls with the principle of least privilege
- Multi-factor authentication for all internal system access
- Vulnerability scanning and periodic security reviews
- Incident response procedures and data breach notification protocols
- Access controls limiting customer data access to authorized personnel
7. Data subject rights
Winglo shall provide the Customer with reasonable assistance to enable the Customer to fulfil its obligations to respond to requests from data subjects exercising their rights under applicable data protection law (including rights of access, rectification, erasure, restriction, portability, and objection).
If Winglo receives a data subject request directly, it will redirect the data subject to the Customer and notify the Customer promptly.
8. HIPAA (Healthcare customers)
Winglo does not currently offer HIPAA-compliant infrastructure or Business Associate Agreements ("BAAs"). Customers who require HIPAA compliance for workloads involving protected health information ("PHI") should not use the Service for those workloads at this time.
HIPAA-ready infrastructure and BAA capability are on the product roadmap. Interested Enterprise customers may contact legal@winglo.ai to register interest and be notified when availability is confirmed.
9. Audits
Winglo shall allow for and contribute to audits, including inspections, conducted by the Customer or a mandated auditor, subject to reasonable notice (at least 30 days) and confidentiality obligations. Winglo may satisfy audit obligations by providing relevant compliance documentation and audit artifacts upon Customer request under NDA.
Schedule A — Details of processing
Request a countersigned DPA
Enterprise customers requiring a countersigned DPA or custom data processing arrangements should contact our legal team. We respond within 5 business days.
Contact legal