Wocha Docs

Data Processing Agreement

Standard GDPR-compliant Data Processing Agreement for Wocha Cloud customers.

This Data Processing Agreement ("DPA") forms part of the agreement between Elementary Digital Ltd ("Processor", "Wocha", "we") and the entity agreeing to Wocha's terms of service ("Controller", "you", "Customer").

This template is provided for review purposes. Enterprise customers may request a countersigned copy from compliance@wocha.ai.


1. Definitions

TermMeaning
Personal DataAny information relating to an identified or identifiable natural person processed by Processor on behalf of Controller via Wocha Cloud
ProcessingAny operation performed on Personal Data, including collection, storage, use, disclosure, and deletion
Sub-processorA third party engaged by Processor to process Personal Data
Data SubjectAn identified or identifiable natural person whose Personal Data is processed
GDPRRegulation (EU) 2016/679
ServicesWocha Cloud authentication, authorisation, and related platform services

Capitalised terms not defined here have the meaning given in the main service agreement.


2. Scope and roles

2.1 Controller determines the purposes and means of processing Personal Data of Controller's end users ("End Users") through the Services.

2.2 Processor processes Personal Data solely on documented instructions from Controller, including via configuration of the Services, Customer API calls, and hosted login settings.

2.3 Processor shall not process Personal Data for any purpose other than providing the Services unless required by applicable law, in which case Processor shall inform Controller before processing (unless prohibited by law).


3. Details of processing

ItemDescription
Subject matterAuthentication, authorisation, and identity management for Controller's applications
DurationFor the term of the service agreement plus deletion period in Section 9
Nature and purposeUser registration, login, MFA, OAuth token issuance, organisation membership, SCIM provisioning, audit logging
Categories of Data SubjectsController's End Users, administrators, and invited members
Categories of Personal DataName, email address, profile attributes, authentication metadata (IP address, user agent, session timestamps), organisation membership, SSO attributes
Special categoriesNot intentionally processed; Controller must not submit special category data without prior written agreement

4. Processor obligations

Processor shall:

4.1 Process Personal Data only on documented instructions from Controller.

4.2 Ensure persons authorised to process Personal Data are bound by confidentiality obligations.

4.3 Implement appropriate technical and organisational measures as described in Annex II (Security Measures).

4.4 Not engage Sub-processors without Controller's general written authorisation (Section 5).

4.5 Assist Controller in responding to Data Subject requests (Section 7).

4.6 Assist Controller with data protection impact assessments and prior consultations where required.

4.7 Delete or return Personal Data upon termination (Section 9).

4.8 Make available information necessary to demonstrate compliance and allow audits (Section 10).

4.9 Notify Controller without undue delay upon becoming aware of a Personal Data breach (Section 8).


5. Sub-processors

5.1 Controller provides general authorisation for Processor to engage Sub-processors listed in Annex III.

5.2 Processor shall notify Controller of intended changes to Sub-processors at least 30 days in advance via email to the Controller's registered account contact. Controller may object on reasonable grounds relating to data protection within 14 days.

5.3 Processor shall impose data protection obligations on Sub-processors equivalent to those in this DPA.

5.4 Processor remains liable for Sub-processor performance.

Annex III — Sub-processors (current)

Sub-processorPurposeLocation
Railway Corp.Cloud hosting and computeUnited States
Cockroach LabsManaged database (CockroachDB)EU / US (per tenant region)
HashiCorpVault Transit key managementUnited States
Ory Corp.Identity and OAuth software (self-hosted by Processor)Per tenant region

This list is updated periodically. The current version is available at compliance@wocha.ai.


6. International transfers

6.1 Where Personal Data is transferred outside the European Economic Area ("EEA") or United Kingdom, Processor shall ensure appropriate safeguards under GDPR Chapter V.

6.2 Processor relies on Standard Contractual Clauses (SCCs) approved by the European Commission (Module Two: Controller to Processor), incorporated by reference into this DPA.

6.3 For UK transfers, the UK International Data Transfer Addendum applies alongside the SCCs.

6.4 Processor implements supplementary measures as described in Annex II where required by transfer impact assessments.


7. Data subject rights

7.1 Processor shall assist Controller in fulfilling Data Subject requests to exercise rights under GDPR Articles 15–22 (access, rectification, erasure, restriction, portability, objection).

7.2 Controller may fulfil requests via the Customer API:

RightWocha capability
AccessGET /users/{id} — export user profile and metadata
RectificationPATCH /users/{id} — update traits and metadata
ErasureDELETE /users/{id} — delete identity and associated sessions
RestrictionSuspend user via metadata flag or revoke sessions
PortabilityJSON export via Customer API

7.3 If Processor receives a Data Subject request directly, it shall redirect the Data Subject to Controller unless legally required to respond, in which case Processor shall notify Controller.


8. Data breach notification

8.1 Processor shall notify Controller without undue delay and in any event within 72 hours of becoming aware of a Personal Data breach affecting Controller's data.

8.2 Notification shall include, to the extent available:

  • Description of the nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Likely consequences
  • Measures taken or proposed to address the breach

8.3 Processor shall cooperate with Controller in meeting Controller's obligations to notify supervisory authorities and Data Subjects.


9. Data retention and deletion

9.1 Processor retains Personal Data for the duration of the service agreement.

9.2 Upon termination or Controller's written request, Processor shall delete Personal Data within 90 days, except where retention is required by applicable law.

9.3 Controller may export data via Customer API prior to termination. Backups containing Personal Data are purged on a rolling 30-day schedule following deletion.


10. Audits and compliance

10.1 Processor shall make available SOC 2 Type II reports (when available), penetration test summaries, and this DPA upon request under reasonable confidentiality terms.

10.2 Controller may audit Processor's compliance no more than once per year with 30 days' notice, during business hours, without disrupting operations. Controller bears audit costs unless material non-compliance is found.

10.3 Processor may satisfy audit requests through third-party certification reports rather than on-site inspection.


11. Liability

Liability under this DPA is subject to the limitations set forth in the main service agreement. Nothing in this DPA limits either party's liability for breaches of data protection law where such limitation is prohibited.


12. Term and precedence

12.1 This DPA remains in effect for the duration of the service agreement.

12.2 In the event of conflict between this DPA and the main service agreement regarding data protection, this DPA prevails.


Annex I — Processing details

See Section 3 above.


Annex II — Security measures

Processor implements the measures described in the Security practices documentation, including:

CategoryMeasures
EncryptionTLS 1.2+ in transit; encrypted storage at rest
Access controlRole-based access; least privilege for production systems
Key managementJWKS signing keys in Vault Transit; API key hashing
IsolationSchema-per-tenant database isolation
AuthenticationMFA for production access; OAuth 2.1 with PKCE for End Users
MonitoringAudit logging; automated health checks; incident response plan
NetworkPrivate networking for databases; webhook SSRF protection via DNS pinning
Vulnerability managementDependency scanning; patch cadence for critical CVEs
Business continuityMulti-region deployment; regular backups with tested restore

Annex III — Sub-processors

See Section 5.4 above.


Contact

PurposeEmail
DPA and compliancecompliance@wocha.ai
Privacy enquiriesprivacy@wocha.ai
Security incidentssecurity@wocha.ai

Processor address: Elementary Digital Ltd — contact details provided in countersigned agreements.


Last updated: June 2026. This template may be updated without notice; bound customers receive notification of material changes.