Data Processing Agreement

For personal data WebDevAuto processes on the Customer’s behalf through the Services, the Customer is the Controller and WebDevAuto is the Processor. Where WebDevAuto determines the purposes and means of processing (e.g. its own billing and account records), WebDevAuto acts as an independent Controller.

WebDevAuto processes personal data only on the Customer’s documented instructions, including the configuration of the Services, and as required by applicable law. The subject matter is the provision of the Services; the duration is the term of the agreement; the nature and purpose are website, CRM, communications, and AI-agent operations; the data subjects are the Customer’s leads, contacts, and end customers.

WebDevAuto ensures that personnel authorized to process personal data are bound by confidentiality obligations and process data only on a least-privilege, need-to-know basis.

WebDevAuto maintains technical and organizational measures appropriate to the risk, including encryption in transit (TLS) and at rest, role-based access controls, audit logging of administrative actions, and least-privilege service accounts, consistent with the practices described at /trust.

The Customer authorizes WebDevAuto to engage the subprocessors published at /subprocessors.html. WebDevAuto imposes data-protection terms on each subprocessor no less protective than this DPA and remains liable for their performance. WebDevAuto gives at least fifteen (15) days’ notice of a new or replacement subprocessor; the Customer may object on reasonable data-protection grounds.

WebDevAuto notifies the Customer without undue delay and within seventy-two (72) hours of confirming a personal-data breach affecting the Customer’s data, with the information reasonably available to assist the Customer’s own notification obligations.

Taking into account the nature of the processing, WebDevAuto assists the Customer with appropriate measures to fulfill the Customer’s obligation to respond to data-subject requests (access, correction, deletion, portability, objection, restriction). Where WebDevAuto receives a request directly, it forwards it to the Customer rather than responding itself, unless legally required.

On termination or the Customer’s request, WebDevAuto returns or deletes the Customer’s personal data (the Customer’s choice), except where retention is required by law. Full export of CRM data is available at any time during the term.

WebDevAuto makes available information reasonably necessary to demonstrate compliance with this DPA, including a completed security questionnaire, and allows for and contributes to audits on reasonable prior notice, subject to confidentiality.

Personal data is processed in the United States. Where the Customer is subject to GDPR or UK GDPR, the parties incorporate the applicable Standard Contractual Clauses (and UK Addendum) by reference, with WebDevAuto as data importer.