Data Processing Addendum
This Data Processing Addendum describes how WaverSec Protect processes personal data on behalf of customer organizations when WaverSec acts as a processor or service provider.
This DPA applies only where WaverSec processes personal data on behalf of a customer subject to a customer agreement. If a negotiated DPA or enterprise agreement exists, that negotiated document controls.
Scope and incorporation
This DPA forms part of the customer agreement for WaverSec Protect where WaverSec processes personal data on behalf of the customer in connection with the service.
For customer-controlled message data and related operational records processed on behalf of the customer, the customer acts as controller or business and WaverSec acts as processor or service provider, unless the parties expressly agree otherwise.
Processing instructions
WaverSec will process personal data only on documented instructions from the customer, including instructions reflected in the service configuration, APIs, support requests, and the customer agreement, unless law requires otherwise.
If WaverSec believes an instruction violates applicable data protection law, WaverSec may suspend the relevant processing and notify the customer.
Subject matter, duration, nature, and purpose
The subject matter of processing is delivery of WaverSec Protect, including email anomaly detection, policy enforcement, DLP checks, optional intelligence analysis, product administration, support, and associated security operations.
The duration of processing is the period during which WaverSec provides the service to the customer and any limited post-termination period reasonably required for secure deletion, backup expiry, dispute handling, or legal compliance.
- Nature of processing: collection, organization, analysis, consultation, storage of limited operational records, transmission, and deletion.
- Purpose of processing: provide, secure, support, and improve the contracted service and comply with lawful obligations.
Categories of data subjects and personal data
Depending on the customer deployment, data subjects may include customer employees, contractors, administrators, correspondents, recipients, and other people whose data appears in messages or account records processed through the service.
- Identifiers and contact data such as names, email addresses, and usernames.
- Message data such as sender, recipients, subject, body, and attachment content when submitted for scanning.
- Configuration and policy data supplied by customer administrators, including domains, allow lists, deny lists, segments, and exemptions.
- Operational data such as request IDs, timestamps, usage metrics, and seat identifiers.
Confidentiality and personnel
WaverSec will ensure that people authorized to process personal data are bound by confidentiality obligations and receive appropriate instructions about data handling.
Access to personal data will be limited to people and subprocessors who need that access to provide or secure the service.
Security measures
WaverSec will implement technical and organizational measures appropriate to the risk, taking into account the nature of the service and the current product architecture.
- Access controls for production systems and customer administration flows.
- Transport encryption for supported API communications.
- Logging, validation, and rate-limiting controls designed to protect exposed service endpoints.
- Product design choices intended to minimize retained message data.
- Change management and incident handling practices reasonably appropriate for the service stage and risk profile.
Subprocessors
The customer gives WaverSec general written authorization to use subprocessors that are reasonably necessary to operate the service, including providers for hosting, edge delivery, managed database infrastructure, identity, analytics, support, and optional AI features enabled by the customer.
WaverSec will impose data protection obligations on subprocessors that are materially protective of personal data and will remain responsible for subprocessors to the extent required by law.
Before a new subprocessor or a material replacement subprocessor begins processing customer personal data, WaverSec will provide notice where reasonably practicable. The customer may object on reasonable data protection grounds by written notice within 15 days after that notice. The parties will work in good faith on a reasonable alternative. If no reasonable solution is available, either party may terminate the affected processing or the affected portion of the service on written notice.
- Clerk for identity and authentication.
- Vercel for application hosting and edge delivery.
- Neon for managed database hosting.
- PostHog for optional website and product analytics.
- OpenAI and Anthropic for optional intelligence features that a customer enables.
Assistance with data subject requests and compliance
Taking into account the nature of processing, WaverSec will provide reasonable assistance to help the customer respond to data subject requests and meet obligations relating to security, breach notification, impact assessments, and prior consultation, to the extent required by law and reasonably possible in light of the service.
The customer remains responsible for evaluating whether its use of WaverSec Protect is lawful and for responding to data subject or regulator requests directed to the customer.
Security incident notification
WaverSec will notify the customer without undue delay after becoming aware of a confirmed security incident affecting customer personal data processed by WaverSec as processor, and will provide information reasonably available to WaverSec to help the customer assess and respond to the incident.
Notification may be delayed only to the extent necessary to determine scope, restore integrity, or comply with law enforcement or legal restrictions.
International transfers
Where personal data subject to GDPR or a similar regime is transferred outside the EEA, UK, or Switzerland, WaverSec will use the transfer mechanism that is appropriate for the specific transfer, such as adequacy decisions, Standard Contractual Clauses, or the UK addendum where applicable.
Deletion or return of data
At the end of the applicable service relationship, WaverSec will delete or return customer personal data in its possession as processor, unless retention is required by law, necessary for security logs, backup expiry cycles, fraud prevention, dispute handling, or another documented legitimate purpose permitted by law.
Because WaverSec Protect is designed not to retain message bodies, recipient lists, or attachment files in its application databases as normal service records, post-termination deletion obligations focus primarily on operational records and customer-configured data that remain in WaverSec systems.
Information and audits
WaverSec will make available information reasonably necessary to demonstrate compliance with this DPA. If further verification is legally required, the parties will work in good faith to agree on a proportionate audit mechanism that protects the confidentiality and security of other customers and WaverSec systems.
Any audit must be limited in scope, conducted during normal business hours, avoid operational disruption, and be subject to reasonable confidentiality and cost-allocation protections.
Conflict and priority
If this DPA conflicts with another part of the customer agreement on data protection matters, this DPA controls for those matters unless a negotiated enterprise addendum expressly states otherwise.