Data Processing Agreement (DPA)

1.1 Subject Matter and Duration

Subject Matter: Provision of Waymaker platform services including document management, task boards, strategic planning tools, AI-powered features, and collaboration capabilities.

Duration: This DPA remains in effect for the duration of the Master Subscription Agreement and until all Personal Data is deleted or returned.

1.2 Types of Personal Data

Waymaker may process the following categories of Personal Data on behalf of Customer:

• •Account and Profile Data: Names, email addresses, phone numbers, job titles, roles, profile photos
• •User-Generated Content: Documents, plans, strategic frameworks, tasks, projects, comments, files
• •Usage and Activity Data: Platform usage patterns, feature interaction data, IP addresses
• •Communication Data: In-platform messages, support tickets, feedback

1.3 Categories of Data Subjects

Personal Data may relate to:

• •Customer's employees, contractors, and consultants
• •Customer's clients and business partners
• •External collaborators and guests

2.1 Customer as Controller

Customer is the Controller for all Personal Data processed by Waymaker. As Controller, Customer is responsible for:

• •Determining purposes and means of processing
• •Ensuring lawful basis for processing exists
• •Providing privacy notices to Data Subjects
• •Complying with all Applicable Data Protection Law

2.2 Waymaker as Processor

Waymaker is the Processor. As Processor, Waymaker will:

• •Process Personal Data only on documented instructions from Customer
• •Ensure persons authorized to process Personal Data are bound by confidentiality
• •Implement appropriate technical and organizational security measures
• •Engage Subprocessors only with Customer's authorization
• •Delete or return Personal Data upon termination

2.3 Prohibited Processing

3.1 Technical Security

Waymaker implements appropriate technical security measures including:

• •Encryption of Personal Data in transit (TLS 1.3)
• •Encryption of Personal Data at rest (AES-256)
• •Network security (firewalls, intrusion detection, DDoS protection)
• •Multi-factor authentication capabilities
• •Regular security testing and vulnerability assessments

3.2 Organizational Security

Organizational measures include:

• •Confidentiality agreements for personnel with access to Personal Data
• •Role-based access controls (principle of least privilege)
• •Regular security awareness training
• •Incident response procedures and plans

3.3 Security Standards

Waymaker maintains security practices consistent with ISO/IEC 27001, ISO/IEC 27018, and SOC 2 Type II (in progress, expected Q2 2025).

4.1 Current Subprocessors

Waymaker currently engages the following Subprocessors:

Complete List: Available at waymaker.io/legal/subprocessors (updated quarterly)

4.2 New Subprocessor Notification

Before engaging a new Subprocessor, Waymaker will:

• •Provide at least 30 days' advance notice via email and/or platform notification
• •Update the public Subprocessor list
• •Customer may object on reasonable data protection grounds within 30 days

5.1 Assistance with Requests

Waymaker will provide reasonable assistance to Customer in responding to Data Subject requests to exercise rights under Applicable Data Protection Law, including:

• •Right of access to Personal Data
• •Right to rectification of inaccurate data
• •Right to erasure ("right to be forgotten")
• •Right to data portability

5.2 Platform Tools

Waymaker provides the following tools to facilitate Data Subject rights:

• •User profile self-service (access and correction)
• •Data export functionality (portability)
• •Account deletion capabilities

6.1 Breach Notification Obligation

6.2 Breach Notification Content

Notification will include, to the extent known:

• •Description of the incident and categories of Data Subjects affected
• •Contact details (security@waymaker.io)
• •Likely consequences and potential risks to Data Subjects
• •Mitigation measures taken and recommended

7.1 Data Storage Locations

Personal Data is primarily stored in:

• •Australia: Primary database hosting (Supabase Sydney region)
• •United States: Secondary infrastructure (Supabase, AWS, Vercel)
• •Global: CDN edge locations (Cloudflare)

7.2 Transfers Outside EEA

For transfers of Personal Data from the EEA to countries not recognized by the European Commission as providing adequate protection, Waymaker relies on:

• •Standard Contractual Clauses (SCCs): EU Standard Contractual Clauses (2021/914 Module Two: Controller-to-Processor)
• •UK Transfers: UK International Data Transfer Addendum applies
• •Swiss Transfers: Swiss-approved SCCs apply

7.3 Supplementary Measures

Additional safeguards include:

• •Encryption in transit and at rest
• •Access controls and confidentiality agreements
• •Subprocessor agreements with equivalent protections

8.1 Customer Audit Rights

Customer may audit Waymaker's compliance with this DPA subject to:

• •Not more than once per 12-month period (except following a Personal Data Breach)
• •At least 30 days' advance written notice
• •During normal business hours, minimizing disruption
• •Auditors must execute appropriate confidentiality agreements

8.2 Certifications and Reports

Waymaker will provide:

• •SOC 2 Type II report (upon completion, expected Q2 2025)
• •ISO 27001 certification (when obtained)
• •Annual security summaries
• •Subprocessor certifications upon request

9.1 Termination Procedures

9.2 Backup Retention

Deleted Personal Data may persist in encrypted backups according to this schedule:

• •Daily backups: Retained 30 days
• •Monthly backups: Retained 12 months
• •Annual backups: Retained 7 years (financial compliance requirement)

Backup data is encrypted, access-controlled, and not actively processed or accessible.

9.3 Legal Retention

Waymaker may retain Personal Data to the extent required by Australian tax and financial record-keeping laws (7 years), legal holds, litigation, or regulatory investigations. When legal retention applies, processing is limited to the minimum necessary.

10.1 Liability Under GDPR

Each party's liability under this DPA is subject to the liability provisions of the Master Subscription Agreement, except as required by GDPR Article 82. Each party shall be liable for damages caused by processing that violates GDPR.

10.2 Indemnification

Waymaker will indemnify Customer against claims arising from Waymaker's breach of this DPA or Applicable Data Protection Law.

Customer will indemnify Waymaker against claims arising from Customer's processing instructions violating Applicable Data Protection Law or failure to obtain necessary consents.

10.3 Limitation of Liability

Notwithstanding any limitations in the Master Subscription Agreement, liability caps do not apply to violations of data protection law where prohibited by law.

11.1 Term

This DPA takes effect on the Effective Date and continues until the earlier of termination or expiration of the Master Subscription Agreement, or deletion of all Personal Data.

11.2 Survival

The following provisions survive termination:

• •Security Measures - for retained data
• •Data Breach Notification - for ongoing incidents
• •Data Deletion - until completion
• •Liability and Indemnification