Compliance

Data Processing Agreement

This is the canonical Data Processing Agreement (“DPA”) between Wenlar LLC (Processor) and the customer (Controller). It consolidates GDPR Article 28 processor obligations, CCPA / CPRA service-provider terms, the sub-processor list, and the Standard Contractual Clauses into one signable PDF — superseding any prior data-protection terms summarised elsewhere on this site. Last updated 2026-04-25.

Get a counter-party-ready PDF in 30 seconds. Fill in your details below and we generate a fully populated DPA you can sign and email back to [email protected]. We counter-sign and return the executed copy for your records.

Download your DPA

View sub-processors →

Submitting only generates the PDF — it does not yet bind either party. The DPA takes effect when both parties countersign and the executed copy is on file with us. We log the request (legal name, email, IP, timestamp) for audit purposes.

What’s in the PDF

The downloadable PDF contains, in one document:

  • Cover page with both parties identified and the effective date.
  • Recitals + 14 numbered clauses covering the GDPR Article 28 obligations, CCPA / CPRA service-provider terms, sub-processors, return and deletion, international transfers, and governing law.
  • Annex A — Technical and organisational measures.
  • Annex B — Sub-processors list.
  • Annex C — Standard Contractual Clauses (Module 2) and UK IDTA reference.
  • Signature page for both Processor and Controller.

Summary of clauses

For reference, the key terms in the PDF are summarised below. The PDF is the source of truth; this summary is informational.

Definitions

Capitalised terms not defined here have the meaning given in the GDPR or CCPA, as applicable.

Subject matter and duration

The Processor processes Personal Data on the Controller’s behalf for the duration of the subscription, plus a 30-day wind-down period.

Processor obligations

  • Process Personal Data only on documented Controller instructions.
  • Confidentiality undertakings for personnel.
  • Implement the technical and organisational measures in Annex A.
  • Engage sub-processors only on equivalent terms; 30 days’ advance notice for changes.
  • Assist with data-subject and CCPA consumer requests.
  • Notify the Controller of a Personal Data Breach within 72 hours.
  • Allow audits on reasonable notice.
  • Return or delete Personal Data on termination.
  • Not sell or share Personal Data within the meaning of the CCPA.
  • Not retain, use or disclose Personal Data outside the direct business relationship.
  • Not combine Personal Data with data from other businesses except as the CCPA permits.
  • Notify the Controller within 5 business days if it can no longer meet CCPA obligations.

Sub-processors

Authorised list at /sub-processors. Material changes require 30 days’ notice; the Controller may object during the notice window.

International transfers

EU SCCs (Module 2) and UK IDTA are incorporated by reference for transfers outside the EEA / UK.

Governing law

Wyoming, United States, except where the SCCs / UK IDTA select a different forum.

Annex A — Technical and organisational measures

  • TLS 1.2+ in transit; AES-256 at rest for files in Cloudflare R2.
  • Per-tenant logical isolation; per-branch role-based access control.
  • Bcrypt-hashed passwords, optional TOTP 2FA, JWT sessions with 30-minute idle timeout.
  • Immutable audit log of consent, refund, discount, role/permission, finance approval and GDPR/CCPA actions.
  • Encrypted backups with a 30-day rolling window.
  • Confidentiality undertakings, security training, dependency patching, vendor review.

Contact

Wenlar LLC
30 N Gould St, STE R
Sheridan, WY 82801, United States
Data protection contact: [email protected]