Data Processing Agreement
Effective: April 27, 2026
This DPA is entered into between WerOrg, Inc. (“Processor”) and the Operator (“Controller”) on whose behalf WerOrg processes Personal Data, and forms part of the Terms of Service. By using WerOrg in production, the Controller accepts this DPA. Operators who require a countersigned copy on company letterhead can email [email protected].
1. Subject matter and duration
The Processor processes Personal Data on the Controller’s documented instructions, for the purpose of providing the WerOrg platform. The DPA runs for the duration of the underlying subscription. On termination, the Processor deletes Controller data within 30 days subject to legal retention requirements.
2. Nature and purpose of processing
Operating a multi-tenant SaaS that lets the Controller accept buyback offers from end users (“Data Subjects”), compute prices, generate shipping labels, send transactional email, and manage the Controller’s subscription and billing.
3. Categories of data and Data Subjects
- Data Subjects: end users (Sellers) submitting buyback offers on the Controller’s storefront, plus Controller’s own administrative users.
- Personal Data: name, email, phone, mailing/shipping address, ZIP, IMEI/serial number (encrypted at rest), payout-method account identifier (PayPal email, Cash App tag, ACH bank/routing, etc., encrypted at rest), device condition declarations, IP address, and audit metadata.
- Special category data: none. The platform doesn’t collect or process special-category data under GDPR Art. 9.
4. Processor obligations
- Process Personal Data only on documented instructions from the Controller.
- Ensure that personnel with access are bound by confidentiality.
- Implement appropriate technical and organizational measures (Section 5).
- Assist the Controller with Data Subject requests, security incidents, and DPIAs — reasonable assistance is included in the subscription fee.
- Make audit information available on reasonable request, including a SOC 2 Type II report once issued.
5. Technical and organizational measures
- IMEIs and payout details encrypted at rest with PostgreSQL pgcrypto; encryption keys stored separately from the database.
- Per-tenant Postgres Row Level Security policies on every table holding Personal Data, with FORCE ROW LEVEL SECURITY.
- Service-role database access wrapped in an audited helper that records reason and timestamp.
- Application logs scrub 14–16 digit numeric strings to prevent IMEI leakage.
- Automatic 12-month purge of IMEIs and payout details after quote creation.
- TLS 1.2+ for all transport; HTTP traffic redirected to HTTPS at the edge.
- Magic-link authentication for Operator dashboard (no stored passwords).
- Daily encrypted backups with point-in-time recovery; 7-day retention.
- Incident response runbook with 72-hour breach-notification commitment.
6. Sub-processors
The Controller authorizes the use of the sub-processors listed at /gdpr. We notify Operators by email at least 30 days before adding a new sub-processor; the Controller may terminate the agreement without penalty before the change takes effect if they object.
Each sub-processor is contractually bound to data protection obligations equivalent to this DPA. The Processor remains liable to the Controller for sub-processor performance.
7. International transfers
Where Personal Data of EU/UK Data Subjects is transferred to the United States, the Processor relies on the EU Standard Contractual Clauses (Module Two: Controller-to-Processor) and the UK ICO addendum, which are deemed incorporated into this DPA. Encryption at rest, per-tenant RLS, and the 12-month auto-purge serve as supplementary measures.
8. Data Subject rights
The platform provides built-in tooling for the Controller to fulfill access, rectification, and deletion requests:
- Per-Seller data export from the Customers tab.
- One-click “Delete seller data” action in the Operator dashboard (RTBF).
- Audit log of every IMEI reveal.
9. Personal data breach
The Processor notifies the Controller within 72 hours of confirming a security incident affecting Controller data, including the scope, impact, mitigations taken, and the contact point for follow-up. The Controller remains responsible for notifying its own Data Subjects and supervisory authority where applicable.
10. Return or deletion
On termination of the underlying subscription, the Controller can export their data via the dashboard for 30 days. After that window, the Processor deletes Controller data from production systems within 30 days and from backups within 90 days, except records the Processor is legally required to retain.
11. Liability
Liability under this DPA is subject to the limitation of liability set out in the Terms of Service.
For a countersigned copy or to negotiate changes, email [email protected].
