Data Processing Addendum
Last Updated August 25, 2022
1. Introduction and Purpose and Nature of Processing
By using our Services, the Client (the “Controller”) acknowledges and agrees that WP Minder (the “Processor”) will process end user personal data of customers and visitors to Client Websites as necessary to provide the Services.
The processing activities that the Processor shall carry out are strictly limited to those necessary to fulfil the scope of Services requested by the Client, generally limited to passive hosting and maintenance of Client Websites and related support.
The Client’s transfer of end user personal data to WP Minder in connection with the Services is determined and controlled solely by the Client.
WP Minder may process the following types of end user personal information: any personal information collected, used or otherwise processed from end users of Client Websites.
The Client shall comply with the Data Protection Laws and provide all required privacy notices. The Client shall have sole responsibility for the accuracy, quality and legality of any end user personal data and the bases for its collection.
2. Data Transfer Abroad
The Processor undertakes not to transfer any personal data abroad (i.e. outside the United States) without the prior written authorization of the Controller. Any data transfer abroad, and processing activities thereof, will be carried out in strict compliance with the Controller’s documented and specific instructions.
Both parties mutually acknowledge and agree that the data processing activities under this agreement will not take place outside of the U.S.
The Client authorizes WP Minder to engage third-party subcontractors that may process end user personal data for the purpose of providing the Services.
The list of Sub-processors in Appendix A may change from time to time without notice. The Client is responsible for regularly reviewing the Sub-processor list and lodging any objections in writing within 21 (twenty-one) days of the addition of a new Sub-processor to the list. WP Minder will attempt to locate an alternate provider but if not feasible, the sole remedy is termination of the subscription with the Client.
WP Minder will hold sub-processors to a similar level of obligations regarding processing of end user personal data to those set forth in this DPA.
4. Technical and Security Measures
WP Minder shall ensure that its personnel are subject to binding obligations of confidentiality concerning end user personal data.
WP Minder shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk involved with processing personal data. These measures are subject to change with progress and development due to a changing technological environment.
In the event of a discovered data breach regarding end user personal data, WP Minder will notify the Client promptly.
5. Data Subject Requests
WP Minder shall provide full cooperation and assistance, as it may be reasonably possible, in order to assist the Client in replying to data subjects’ requests for exercising their rights.
WP Minder will immediately communicate to the Client any request received from data subjects of the Client Website.
While the Client is responsible for responding to the requests of data subjects, WP Minder may agree to participate in the fulfillment of some specific requests as long as the Client provides detailed instructions in writing and the amount of time and resources needed to do so is not disproportionate for the Processor.
6. Deletion or Return of End User Personal Data
WP Minder shall not create copies or duplicates of the data without the Controller’s knowledge and consent, except for backup copies, unless they are necessary for ensuring that data is processed correctly, and where the retention of such data is required by law.
Upon proper termination of the Client’s subscription and notification by the Client, WP Minder will take reasonable measures to delete end user personal data or provide copies of the personal data to the Client. WP Minder may retain information necessary to demonstrate compliance but is relieved from any obligation to keep such documentation upon termination of the Client’s agreement.
Each party to this DPA commits to indemnify the other party for damages or expenses resulting from its own culpable infringement of this DPA, including any culpable infringement committed by its legal representative, subcontractors, employees or any other agents.
Furthermore, each party commits to indemnify the other party against any claim exerted by third parties due to, or in connection with, any culpable infringement by the respective other party.
Current List of Sub-processors
- ManageWP: We use ManageWP to provide information about needed updates, security issues, backups, and website uptime.
- Liquid Web: We use Liquid Web for Managed WordPress Hosting.
- Slack: We use Slack for internal communication.
- Nifty: We use Nifty for internal communication and task management.
- Airtable: We use Airtable for tracking Client Website information and WP Minder assets.
- Hexowatch: We use Hexowatch to monitor Client Websites for site defacement or other visual signs of malware.