Legal

Data Processing Addendum

Last updated: May 12, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between Wonderful Agent, Inc. ("Wonderful Agent", "we", "us") and the customer identified in the underlying order or subscription ("Customer", "you"). It explains how we handle personal data on your behalf when you use the Services. We've written it in plain English wherever possible — the legal weight is the same, the reading shouldn't be a slog.

1. Definitions

Words that look formal are pulling their weight. In this DPA:

• Applicable Data Protection Law means the GDPR, the UK GDPR, the California Consumer Privacy Act as amended, and any other privacy or data-protection law that applies to the processing.
• Controller means the party that decides why and how personal data is processed. For Customer Data, that's you.
• Processor means the party that processes personal data on the Controller's instructions. For Customer Data, that's us.
• Customer Data means any data you, your users, or your end users submit to the Services, or that the Services generate on your behalf — including the personal data within it.
• Personal Data means information relating to an identified or identifiable natural person, as defined by Applicable Data Protection Law.
• Subprocessor means a third party we engage to help us deliver the Services and that processes Personal Data in doing so.
• Standard Contractual Clauses or SCCs means the European Commission's standard contractual clauses for international transfers (Decision 2021/914).
• UK IDTA means the UK International Data Transfer Agreement or the UK Addendum to the SCCs, as applicable.

2. Scope and roles

This DPA applies whenever we process Personal Data as your Processor in the course of providing the Services. You are the Controller of Customer Data; we are the Processor. If you are itself a Processor for another Controller, we act as your sub-processor on the same terms.

We do not sell Personal Data and we do not share it for cross-context behavioral advertising. We do not train shared foundation models on your Customer Data.

3. Processing details

The processing we do for you has these characteristics:

• Purpose: to operate the Services you've subscribed to — running agents, executing the actions you authorize, storing the workspace state, and providing support when you ask.
• Duration: for the term of your subscription, plus the retention and deletion windows in section 13.
• Nature of processing: hosting, transmission, structured storage, retrieval, analysis to operate the product, indexing for search, and any other operation needed to deliver the Services.
• Categories of Personal Data: contact information, employment information, account credentials, communications content (email, chat, voice transcripts), CRM records, calendar entries, and any other Personal Data you choose to put into the Services.
• Categories of data subjects: your employees, contractors, customers, prospects, suppliers, and any individuals whose data you process through the Services.

You should not submit special categories of Personal Data (health, biometrics, sexual orientation, etc.) through the Services unless we've agreed to that in writing.

4. Customer obligations

You are responsible for the lawfulness of the Personal Data you put into the Services. That means:

• Having a lawful basis for the processing under Applicable Data Protection Law.
• Providing the notices and obtaining the consents that your data subjects are entitled to.
• Configuring the Services so they fit your purpose — including access controls, retention windows, and which agents see which data.
• Issuing instructions to us only in writing through the controls inside the product, a written order, or a signed amendment.

5. Wonderful Agent obligations as Processor

When acting as your Processor we will:

• Process Personal Data only on your documented instructions, including with respect to international transfers, unless required to do otherwise by law (in which case we'll tell you, unless the law forbids it).
• Make sure people who process Personal Data on our behalf are subject to a duty of confidentiality.
• Apply the technical and organizational security measures described in section 8.
• Help you respond to requests from data subjects and to consultations with supervisory authorities.
• Tell you promptly if we believe an instruction infringes Applicable Data Protection Law.

6. Subprocessors

We use a small set of vetted third parties to deliver the Services — hosting providers, model providers, communications providers, and the like. The current list is published at wonderfulagent.example/subprocessors. You agree to those Subprocessors as of the effective date of this DPA.

We will give you at least 30 days' notice before adding a new Subprocessor that processes Personal Data, via the subscription form on that page or by email. If you reasonably object on data-protection grounds within that window, we'll work in good faith to find a workable alternative; if we can't, you may terminate the affected portion of the Services for convenience.

We sign written contracts with every Subprocessor that bind them to data-protection obligations no less protective than this DPA. We remain responsible to you for their acts and omissions.

7. International data transfers

Where you are located in the European Economic Area, the United Kingdom, or Switzerland and the Services involve a transfer of Personal Data outside that region to a country without an adequacy decision, the transfer is governed by:

• The Standard Contractual Clauses, with us as data importer and you as data exporter — Module 2 (Controller to Processor) or Module 3 (Processor to Processor), as applicable.
• The UK IDTA or UK Addendum for transfers originating in the United Kingdom.
• The Swiss Federal Data Protection Act amendments for transfers originating in Switzerland.

By entering into this DPA, both parties are deemed to have signed the SCCs and the UK IDTA. Section 8 of this DPA, together with our published security documentation, forms the technical and organizational measures annex.

8. Security measures

We maintain a written information security program designed to protect Personal Data against unauthorized access, loss, alteration, and disclosure. At minimum, the program includes:

• Encryption in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).
• Strong authentication for our personnel, including hardware security keys for production access.
• Role-based access control with least-privilege defaults and quarterly access reviews.
• Network segmentation, web application firewalls, and DDoS protection.
• Continuous logging, monitoring, and alerting across our production environment.
• Regular vulnerability scanning and at least annual independent penetration testing.
• Secure software development lifecycle, including peer review and automated security testing.
• Background checks and security training for personnel with access to Personal Data.
• A formal incident response plan with on-call coverage.
• Business continuity and disaster recovery procedures, tested at least annually.

We hold a SOC 2 Type II report and ISO 27001 certification; copies of the latest report are available under NDA. Our full security overview is published at wonderfulagent.example/security.

9. Data subject rights assistance

The Services include self-service tools you can use to access, correct, export, and delete Personal Data in your workspace. Where you can complete a data-subject request yourself, we expect you to. Where you need our help — because the request involves data you can't reach through the product, or because you need help interpreting our logs — we will assist at no additional cost, with response times appropriate to the complexity.

If we receive a request directly from one of your data subjects, we will not respond to it ourselves; we'll forward it to your designated contact and ask the data subject to contact you directly.

10. Personal data breach notification

If we become aware of a personal data breach affecting Customer Data, we will notify you without undue delay and in any event within 72 hours of confirming the incident. The notice will include, as available:

• A description of the nature of the breach, including the categories and approximate number of data subjects and records affected.
• Likely consequences of the breach.
• Measures we've taken or propose to take to address it and to mitigate its possible adverse effects.
• The name and contact details of our Data Protection Officer for follow-up.

Notification is not an admission of fault or liability. We'll cooperate with you to meet your own notification obligations to data subjects and to supervisory authorities.

11. Data protection impact assessments

If you are required to carry out a data protection impact assessment or to consult a supervisory authority about a planned use of the Services, we'll provide reasonable cooperation — including reference documentation, technical summaries, and answers to written questions. Where the cooperation involves substantial custom work, we may agree to reasonable fees and scope in writing.

12. Audit rights

We will demonstrate compliance with this DPA by making the following available on request:

• The latest SOC 2 Type II report and ISO 27001 certificate.
• Our security and privacy whitepaper, including our list of Subprocessors and current security measures.
• Written answers to a reasonable due-diligence questionnaire, once per year.

If those materials don't satisfy your obligations under Applicable Data Protection Law, you may audit our compliance with this DPA once per year on at least 30 days' written notice, during business hours, subject to confidentiality and our reasonable security and operational restrictions. We may charge our reasonable costs of supporting an on-site audit.

13. Return and deletion of Customer Data

You can export your workspace at any time using the export tools inside the product. On termination or expiry of the subscription, we will, at your choice, return or delete all Customer Data we hold on your behalf within 30 days, except where applicable law requires us to retain it. Backups containing Customer Data are overwritten in the ordinary course within 90 days and remain protected by this DPA until they are.

14. Liability and indemnity

Each party's liability under this DPA is subject to the limitations of liability in the underlying agreement, and any aggregate cap applies in combination. Nothing in this DPA limits liability that can't be limited under Applicable Data Protection Law — including liability to data subjects under the SCCs.

15. Governing law

This DPA is governed by the same law as the underlying agreement, except that the SCCs are governed by the law specified in their Clause 17 (Irish law unless we agree otherwise in writing), and the UK IDTA is governed by the laws of England and Wales. If there's a conflict between this DPA and the underlying agreement on a data-protection matter, this DPA wins.