Data Processing Agreement

Last updated: March 18, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Wrapd ("Processor", "we", "us") and you ("Controller", "you") and governs the processing of personal data by Wrapd on your behalf.

This DPA applies where and only to the extent that Wrapd processes personal data on your behalf in the course of providing the Service, and such personal data is subject to data protection laws of the European Union, the European Economic Area, the United Kingdom, Switzerland, or any other jurisdiction requiring a data processing agreement.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Wrapd in connection with the Service.
  • "Processing" means any operation performed on Personal Data, including collection, storage, transmission, deletion, or any other use.
  • "Data Protection Laws" means the GDPR (Regulation 2016/679), the UK GDPR, the Swiss Federal Act on Data Protection, and any other applicable data protection legislation.
  • "Subprocessor" means any third party engaged by Wrapd to process Personal Data on behalf of the Controller.

2. Scope of Processing

Wrapd processes Personal Data solely for the purpose of providing the Service as described in our Terms of Service. The categories of Personal Data processed include:

  • Account data: email addresses, usernames
  • Authentication data: hashed API keys and agent tokens, session tokens
  • Usage metadata: execution logs (exit codes, duration, timestamps), IP addresses
  • Configuration data: endpoint definitions, pipeline definitions, alert rules
  • Integration data: encrypted Slack OAuth tokens, SAML assertions

The categories of data subjects include your employees, contractors, and any individuals whose data may be contained in command parameters or webhook payloads sent through the Service.

3. Obligations of the Processor

Wrapd shall:

  • Process Personal Data only on documented instructions from the Controller, including with regard to transfers to third countries, unless required by applicable law.
  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including: encryption of data in transit (TLS 1.2+) and at rest (AES-256-GCM for secrets), access controls, and regular security reviews.
  • Respect the conditions for engaging Subprocessors as set out in Section 5.
  • Assist the Controller, taking into account the nature of the processing, in responding to requests from data subjects exercising their rights under Data Protection Laws.
  • Assist the Controller in ensuring compliance with obligations relating to security of processing, notification of personal data breaches, data protection impact assessments, and prior consultations with supervisory authorities.
  • At the choice of the Controller, delete or return all Personal Data after the end of the provision of the Service, and delete existing copies unless applicable law requires storage.
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller.

4. Data Breach Notification

Wrapd shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting the Controller's Personal Data. The notification shall include:

  • A description of the nature of the breach, including categories and approximate number of data subjects and records concerned.
  • The name and contact details of the point of contact for further information.
  • A description of the likely consequences of the breach.
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.

5. Subprocessors

The Controller grants Wrapd general authorization to engage Subprocessors. The current list of Subprocessors is available at /legal/subprocessors.

Wrapd shall:

  • Notify the Controller of any intended changes to Subprocessors by updating the Subprocessor list at least 14 days before the change takes effect.
  • Impose data protection obligations no less protective than those in this DPA on each Subprocessor by way of a contract.
  • Remain fully liable for the acts and omissions of its Subprocessors.

If the Controller objects to a new Subprocessor, the Controller may terminate the affected Service by providing written notice within 14 days of notification.

6. International Transfers

Wrapd's infrastructure is located in the United States. Where Personal Data is transferred from the EEA, UK, or Switzerland to the United States, such transfers are made in reliance on Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914), which are hereby incorporated by reference.

For UK transfers, the UK International Data Transfer Addendum to the EU SCCs applies. For Swiss transfers, the SCCs apply with the modifications required by the Swiss Federal Data Protection and Information Commissioner.

7. Data Subject Rights

Wrapd shall assist the Controller in fulfilling data subject requests under Data Protection Laws, including requests for access, rectification, erasure, restriction, portability, and objection. Wrapd provides:

  • Data export: API endpoint to export all account data, endpoint configurations, and pipeline definitions in machine-readable JSON format.
  • Account deletion: Complete deletion of all Personal Data associated with the Controller's account.

8. Duration and Termination

This DPA shall remain in effect for the duration of Wrapd's processing of Personal Data on behalf of the Controller. Upon termination of the Service, Wrapd shall delete all Personal Data within 30 days, except where retention is required by applicable law. Managed secrets are deleted immediately upon account termination.

9. Governing Law

This DPA shall be governed by the laws specified in the Terms of Service, except where Data Protection Laws require otherwise.

10. Contact

For questions about this DPA or to request a signed copy, contact privacy@wrapd.sh.