Data Processing Agreement & GDPR Compliance
Last updated: July 11, 2025
1. Introduction
This Data Processing Agreement (DPA) forms part of our Terms of Service and applies to the processing of personal data in accordance with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws. This agreement outlines our commitments as a data processor and your rights as a data controller.
Important: If you are an enterprise customer processing personal data through our service, this DPA governs how we handle that data on your behalf.
2. Definitions
3. Scope of Processing
Nature and Purpose of Processing
Wryto processes personal data to provide AI-powered content generation services, including content creation, storage, template management, and analytics as directed by the Data Controller.
Categories of Personal Data
- Contact information (names, email addresses)
- Account and authentication data
- Content data and user-generated content
- Usage and analytics data
- Billing and payment information
Categories of Data Subjects
- End users of the Data Controller's organization
- Employees and contractors of the Data Controller
- Customers and prospects of the Data Controller
4. Data Controller Obligations
As the Data Controller, you warrant that:
- You have the legal basis for processing the personal data
- You have obtained necessary consents from data subjects
- You have provided appropriate privacy notices
- You will comply with all applicable data protection laws
- You will promptly notify us of any data subject requests or regulatory inquiries
- You will only transfer personal data that is necessary for our services
5. Data Processor Obligations
As the Data Processor, Wryto commits to:
- Process personal data only on documented instructions from you
- Ensure personnel processing data are bound by confidentiality
- Implement appropriate technical and organizational security measures
- Assist with data subject rights requests
- Notify you of any personal data breaches within 72 hours
- Conduct data protection impact assessments when required
- Delete or return personal data upon termination of services
- Make available information necessary to demonstrate compliance
6. Security Measures
Wryto implements state-of-the-art technical and organizational measures to ensure the security of personal data:
Technical Safeguards
- End-to-end encryption of data in transit and at rest
- Multi-factor authentication and access controls
- Regular security audits and penetration testing
- Automated backup and disaster recovery systems
- Network security monitoring and intrusion detection
Organizational Safeguards
- Employee training on data protection best practices
- Background checks for personnel with data access
- Incident response and breach notification procedures
- Regular compliance assessments and audits
- Vendor management and due diligence programs
7. Sub-processors
Wryto may engage sub-processors to assist in providing services. We maintain a list of approved sub-processors and ensure they provide adequate data protection guarantees.
Current Sub-processors
Location: United States | Purpose: Database hosting and management
Location: United States | Purpose: AI content generation
Location: United States | Purpose: Payment processing and billing
We will provide 30 days' notice before adding new sub-processors. You may object to new sub-processors if you have legitimate concerns about data protection compliance.
8. International Data Transfers
When transferring personal data outside the European Economic Area (EEA), we ensure appropriate safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions for transfers to countries with adequate protection
- Additional security measures for transfers to third countries
- Regular assessment of transfer impact assessments (TIAs)
US Data Processing: Our primary data processing occurs in the United States. We have implemented SCCs and additional security measures to ensure GDPR compliance.
9. Data Subject Rights
We assist Data Controllers in responding to data subject requests, including:
We will respond to data subject requests within 30 days and provide technical assistance to help you fulfill your obligations as Data Controller.
10. Data Breach Procedures
In the event of a personal data breach, Wryto will:
- Notify you without undue delay, no later than 72 hours after becoming aware
- Provide details of the breach, including categories and approximate number of data subjects affected
- Describe likely consequences and measures taken to address the breach
- Assist with notifications to supervisory authorities and data subjects as required
- Implement additional security measures to prevent future breaches
- Conduct post-incident reviews and update security procedures
Emergency Contact: For urgent security incidents, contact our security team immediately at security@wryto.ai or call our 24/7 incident response line.
11. Audits and Compliance
To ensure ongoing compliance with data protection requirements:
- We maintain records of all processing activities
- We conduct annual security and compliance audits
- We provide compliance documentation upon request
- We allow for reasonable audits by Data Controllers or their representatives
- We maintain relevant certifications and accreditations
Certifications: Wryto maintains SOC 2 Type II certification and complies with ISO 27001 information security standards.
12. Term and Termination
This DPA remains in effect for the duration of our service agreement. Upon termination:
- We will delete or return all personal data within 30 days
- We will provide confirmation of data deletion upon request
- We may retain data longer if required by law or for legitimate business purposes
- Backup data will be securely deleted according to our retention schedule
13. Contact Information
For questions about this DPA or GDPR compliance, please contact:
Data Protection Officer
Email: dpo@wryto.ai
Subject: DPA/GDPR Inquiry
Legal Team
Email: legal@wryto.ai
Subject: Data Processing Agreement