/ trust / dpa
data processing addendum
tl;dr — this page summarises the customer DPA template: who is controller vs processor, which data and data subjects are in scope, the technical and organisational measures we apply, how standard contractual clauses fit cross-border transfers, and how the DPA term aligns with your main agreement. it is not a substitute for a countersigned schedule; use the PDF and legal channel when you need an executable artefact.
PDF v1 will be hosted at the path above when final; until then, email legal for a distributable copy or to start signature.
/01 controller & processor roles
for personal data you supply or that is generated through your use of whitelabel.dev workspaces, you (the customer entity on the order form) act as the controller and instruct us on lawful purposes. whitelabel.dev acts as a processor, processing that data only on documented instructions, to provide and support the subscribed services, and to meet legal obligations that apply directly to us as operator.
where applicable privacy law treats us as an independent controller for limited purposes (for example account billing with our own vendors, security telemetry we generate for platform integrity, or aggregated statistics that do not identify individuals), those activities are described in our privacy notice and are outside the processing mandate covered by your executed DPA schedule unless expressly included there.
/02 data categories
subject to your configuration and product use, categories commonly in scope include:
- account & workspace metadata — organisation name, subscription tier, identifiers we assign to tenants and users, audit timestamps;
- identity & access — names, email addresses, profile attributes, authentication factors or tokens as needed to operate login;
- content you store — text, files, prompts, and application data you place in whitelabel.dev-managed storage;
- usage & diagnostics — request metadata, error traces (minimised where feasible), and operational logs tied to service delivery;
- support & commercial — correspondence you send to success or security inboxes, and billing contacts where they are natural persons.
the authoritative vendor-level breakdown for subprocessors, regions, and contract references is the subprocessor register, which mirrors annex-style tables in the full DPA.
/03 data subject categories
categories typically include: your employees and contractors who administer or use the product; end users of customer-facing experiences you build on whitelabel.dev; and, where you route consumer traffic through the service, those individuals interacting with your deployments. the precise set depends on how you deploy the platform—your privacy disclosures to those individuals remain your responsibility as controller.
/04 annex II — technical & organisational measures
we implement a baseline of technical and organisational measures appropriate to risk, including:
- encryption — TLS for data in transit; encryption for persisted data where supported by underlying infrastructure;
- access control — role-based access, least-privilege operational accounts, and authentication for production systems;
- logging & monitoring — centralised logging, alerting, and error tracking with vendor-side scrubbing rules to reduce unnecessary personal data in diagnostics;
- subprocessor governance — diligence, contracts with flow-down obligations, and public disclosure via the subprocessor register;
- incident response — documented handling, customer notification where required by law or contract, and cooperation on supervisory enquiries;
- availability & recovery — backups and redundancy aligned to published SLA tiers.
the executed DPA annex expands these bullets into the table your security reviewers expect; this page stays aligned with that annex at a summary level.
/05 standard contractual clauses (SCCs)
where personal data protected under EU/EEA, UK, or Swiss regimes is transferred to countries not covered by an adequacy decision, we rely on appropriate safeguards—typically the EU Commission standard contractual clauses (current module set for controller-to-processor relationships, as updated from time to time) and, where required, the UK international data transfer addendum or Swiss adaptations. subprocessors engaged in those transfers are bound by terms that require equivalent protection.
your executed order form or DPA incorporates the SCCs by reference as in force on signature unless a different transfer mechanism (for example binding corporate rules) is expressly stated.
/06 term & termination
the DPA term tracks the term of the underlying subscription or master agreement. on expiry or termination, we stop processing except where law requires retention, and—within the window stated in the executed schedule—delete or return customer personal data according to your reasonable instructions and product capabilities (export tools, api deletion, or secure wipe of tenant partitions).
certificates of deletion or similar attestations are available on request where contractually committed. subprocessors are instructed to mirror these obligations to the extent they hold customer data.