This Data Processing Agreement (the “DPA”) forms part of the agreement between Watasu LTD (“Watasu”, “Processor”) and the customer identified in the order form, signup record, or as otherwise agreed in writing (“Customer”, “Controller”) governing access to and use of the Watasu platform (the “Principal Agreement”).
This DPA reflects the parties’ agreement on the processing of Personal Data by Watasu on behalf of Customer in connection with the Principal Agreement, and is intended to comply with Article 28 of the UK GDPR and the EU GDPR.
In the event of conflict between this DPA and the Principal Agreement, this DPA prevails as to the subject matter of data protection.
1. Definitions
Capitalised terms not defined here have the meaning given in the Principal Agreement or, failing that, in UK GDPR.
“Applicable Data Protection Law” means: (a) the UK GDPR and the Data Protection Act 2018, as amended by the Data (Use and Access) Act 2025; (b) the EU GDPR (Regulation (EU) 2016/679); and (c) any other data protection law applicable to the processing.
“Customer Personal Data” means Personal Data processed by Watasu on behalf of Customer in connection with the Principal Agreement.
“Data Subject” has the meaning given in UK GDPR.
“EU SCCs” means the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914.
“Personal Data Breach” has the meaning given in UK GDPR.
“Subprocessor” means any third party engaged by Watasu to process Customer Personal Data.
“UK Addendum” means the International Data Transfer Addendum to the EU SCCs issued by the ICO under section 119A of the Data Protection Act 2018.
2. Roles and scope
2.1 The parties acknowledge that, with respect to Customer Personal Data, Customer is the Controller and Watasu is the Processor. Where Customer is itself a processor for an upstream controller, Watasu is the subprocessor, and Customer warrants it has authority to engage Watasu on those terms.
2.2 The subject matter, duration, nature, purpose, categories of data, and categories of Data Subjects are set out in Annex I.
3. Watasu’s processing obligations
3.1 Documented instructions. Watasu will process Customer Personal Data only on Customer’s documented instructions, including with regard to international transfers. The Principal Agreement, this DPA, the Documentation, and Customer’s configuration of the Service constitute Customer’s instructions. Watasu will inform Customer if it considers an instruction to infringe Applicable Data Protection Law.
3.2 Confidentiality. Watasu will ensure that personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations.
3.3 Security. Watasu will implement and maintain the technical and organisational measures set out in Annex II to ensure a level of security appropriate to the risk.
3.4 Cooperation with Data Subject rights. Taking into account the nature of the processing, Watasu will provide reasonable assistance to Customer, by appropriate technical and organisational measures, in fulfilling Customer’s obligation to respond to Data Subject requests under Articles 15-22 UK GDPR. Customer is responsible for responding to such requests; Watasu will not respond directly except on Customer’s instruction or where legally compelled.
3.5 Assistance with Articles 32-36. Watasu will provide reasonable assistance to Customer with security, breach notification, data protection impact assessments, and prior consultation, taking into account the nature of the processing and the information available to Watasu.
3.6 Personal Data Breach notification. Watasu will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent known: the nature of the breach, categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed to address it. Watasu will provide further information as it becomes available.
3.7 Deletion or return. On termination of the Principal Agreement, Watasu will, at Customer’s choice, delete or return all Customer Personal Data, in each case within 60 days of the end of the export window described in the Principal Agreement, save where retention is required by law.
3.8 Records. Watasu maintains records of processing activities as required by Article 30(2) UK GDPR.
3.9 Audits. Watasu will make available to Customer the information necessary to demonstrate compliance with Article 28 UK GDPR. Customer may, on at least 30 days’ written notice and not more than once per 12-month period (except following a Personal Data Breach or as required by a supervisory authority), conduct an audit, which will be: (a) conducted during business hours; (b) subject to confidentiality; (c) limited to the information reasonably required to verify compliance; and (d) carried out at Customer’s cost. Watasu may satisfy audit requests by providing recent independent third-party audit reports or attestations covering the relevant controls.
4. Subprocessors
4.1 General authorisation. Customer grants Watasu general authorisation to engage Subprocessors, subject to this Section 4.
4.2 Current list. A current list of Subprocessors is maintained at watasu.io/subprocessors. The list at the date of this DPA is reproduced in Annex III.
4.3 Notice and objection. Watasu will provide Customer with at least 30 days’ notice of any intended addition or replacement of a Subprocessor (including by means of subscription to updates from the Subprocessors page). Customer may object on reasonable data protection grounds within 15 days of notice. The parties will work in good faith to address the objection. If no resolution is reached, Customer may terminate the affected Service component on written notice and receive a pro-rata refund of any unused prepaid Credits attributable to that component.
4.4 Flow-down. Watasu will impose data protection obligations on each Subprocessor that are no less protective than those in this DPA, and remains liable to Customer for the acts and omissions of its Subprocessors as for its own.
5. International transfers
5.1 Customer Personal Data hosted on the Watasu platform is stored within the European Economic Area, in Hetzner Online GmbH data centres located in Germany and Finland. The European Commission has determined that the United Kingdom provides an adequate level of data protection for transfers from the EEA (Implementing Decision (EU) 2025 renewing Decision (EU) 2021/1772, valid until 27 December 2031), and the UK has determined that the EEA provides an adequate level of data protection. No additional safeguards under Chapter V UK GDPR or Chapter V EU GDPR are required for transfers between the UK (Watasu) and the EEA (Hetzner, Stripe Europe affiliate processing).
5.2 Where Watasu (or a Subprocessor) transfers Customer Personal Data from the UK or EEA to a country not benefiting from an adequacy decision, the parties agree that the EU SCCs (Module Two: Controller-to-Processor, or Module Three: Processor-to-Processor as applicable) and the UK Addendum are incorporated into this DPA by reference and will apply to the transfer. The selections required by the SCCs and UK Addendum are completed in Annex IV.
5.3 Where a recipient is certified under the EU-US Data Privacy Framework or the UK Extension to the EU-US Data Privacy Framework and the transfer falls within the scope of that certification, the certification will serve as the primary transfer mechanism, with the SCCs/UK Addendum applying as a backstop in the event of withdrawal, lapse, or invalidation of the certification.
6. Liability
The liability of each party under or in connection with this DPA is subject to the limitations and exclusions set out in the Principal Agreement.
7. General
7.1 Governing law. This DPA is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction, except that the EU SCCs and UK Addendum, where they apply, are governed by the law specified in their own terms.
7.2 Order of precedence. In the event of conflict, the order is: (1) the EU SCCs and UK Addendum (where applicable); (2) this DPA; (3) the Principal Agreement.
7.3 Severability. If any provision is invalid or unenforceable, the remainder continues in effect.
Annex I — Description of processing
Subject matter. Provision of the Watasu platform-as-a-service to Customer.
Duration. The term of the Principal Agreement, plus any post-termination retention period set out in the Principal Agreement and this DPA.
Nature and purpose. Hosting, storage, transmission, computation, backup, and operational support of Customer’s applications, data, and end-user interactions, in accordance with Customer’s configuration of the Service.
Categories of Personal Data. Determined by Customer. Typically includes contact details, authentication credentials, identifiers, IP addresses, device and usage data, and any other Personal Data Customer chooses to process through the Service.
Categories of Data Subjects. Determined by Customer. Typically includes Customer’s employees, contractors, end users, and other individuals interacting with Customer’s applications.
Special category data. None expected. Customer is responsible for any decision to process special category data and the additional safeguards required.
Frequency of transfers. Continuous, for the duration of the Principal Agreement.
Retention. As specified in the Principal Agreement and configured by Customer.
Annex II — Technical and organisational measures
Watasu maintains the following measures, reviewed periodically and updated as appropriate:
Access control. Role-based access control for production systems; multi-factor authentication required for administrative access; principle of least privilege; documented joiner/mover/leaver process.
Network security. Private networking between platform components via WireGuard mesh; segregation between control plane and customer workloads; firewall rules denying by default; DDoS mitigation at the edge.
Encryption. TLS 1.2+ for data in transit on public networks; encryption at rest for backups and persistent volumes where supported by the underlying storage; customer-controllable secrets stored in encrypted form.
Logging and monitoring. Centralised audit logging of administrative actions; security event monitoring; log retention of 90 days.
Vulnerability management. Patching of operating systems and platform components on a defined cadence; tracking of CVEs affecting the stack; periodic penetration testing.
Software development. Change management with peer code review; separation of staging and production environments; protection of source code repositories.
Personnel. Confidentiality undertakings; security awareness obligations; background checks where lawful and appropriate to the role.
Subprocessor management. Written agreements imposing equivalent data protection terms; periodic review of subprocessor security posture.
Incident response. Documented incident response process; on-call rotation; post-incident review.
Business continuity. Operational backups across multiple Hetzner data centres (Nuremberg, Falkenstein, and Helsinki) for platform infrastructure; documented recovery procedures.
Physical security. Provided by Hetzner data centre operations, certified to ISO 27001.
Annex III — List of Subprocessors at the date of this DPA
| Subprocessor | Role | Location | Transfer mechanism |
|---|---|---|---|
| Hetzner Online GmbH | Hosting infrastructure | Germany & Finland (EEA) | Adequacy (UK→EEA, EEA→UK) |
| Stripe Payments UK Limited | Payment processing — UK merchant entity | United Kingdom (with affiliate Stripe Payments Europe Ltd processing in Ireland for EU card scheme routing) | UK-domestic for SPUKL; UK→EEA adequacy for affiliate routing |
| Twilio Inc. (operating SendGrid) | Transactional email delivery | United States | EU-US Data Privacy Framework + UK Extension to the EU-US DPF (primary); EU SCCs + UK International Data Transfer Addendum (backstop) |
Annex IV — Cross-border transfer specifications
Where the EU SCCs and/or UK Addendum apply under Section 5:
Module. Module Two (Controller-to-Processor) where Customer is a Controller; Module Three (Processor-to-Processor) where Customer is a Processor for an upstream controller.
Clause 7 (Docking). Optional clause does not apply.
Clause 9 (Subprocessors). Option 2 (general written authorisation) with a notice period of 30 days, consistent with Section 4.3 of this DPA.
Clause 11 (Independent dispute resolution). Optional clause does not apply.
Clause 17 (Governing law). The law of Ireland, as a member state allowing third-party beneficiary rights.
Clause 18 (Forum and jurisdiction). The courts of Ireland.
Annex I.A (Parties). Customer (data exporter) and Watasu LTD (data importer), as identified in the Principal Agreement.
Annex I.B (Description of transfer). As set out in Annex I above.
Annex I.C (Competent supervisory authority). The Irish Data Protection Commission, or such other authority as is competent under Clause 13.
Annex II (Technical and organisational measures). As set out in Annex II above.
Annex III (List of sub-processors). As set out in Annex III above.
UK Addendum. Table 1 (parties): as in Annex I.A. Table 2 (Addendum EU SCCs): the EU SCCs incorporated by Section 5.2. Table 3 (Appendix Information): as set out in Annexes I-III above. Table 4 (ending the Addendum): neither party may end the Addendum when the Approved Addendum changes.
This DPA is accepted by Customer’s acceptance of the Principal Agreement, including by clicking through at signup, executing an order form, or by use of the Service.