Data Processing Agreement (DPA)

Last Updated: 1st March, 2025
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Master Subscription Agreement ("Agreement") between WaveQuery Ltd ("WaveQuery") and the Customer ("Customer") to comply with data protection laws, including UK GDPR, EU GDPR, CCPA, and international data transfer regulations.

2. Roles & Responsibilities
Customer as Data Controller: Customer determines what data is processed via WaveQuery and is responsible for compliance with all applicable data protection laws.
WaveQuery as Data Processor: WaveQuery processes data only as instructed by the Customer and does not store customer query results.
Third-Party Subprocessors: WaveQuery engages trusted subprocessors for service functionality (listed in Section 4).

3. Data Processed by WaveQuery


3.1 Data We Process

Account Data: Name, email, authentication details.
Query Metadata: Query execution logs, IP addresses, and usage timestamps (retained for 90 days).
Third-Party LLM Data: Query contents processed by the selected AI provider (e.g., OpenAI, Anthropic, Google Gemini, self-hosted Llama).
Customer Communications: Support interactions via Linear (ticketing) and Productlane (changelog and roadmap feedback).

3.2 Special Categories of Data

WaveQuery does not require or intentionally process sensitive categories of personal data (e.g., health, biometric, financial information). Customers remain responsible for ensuring compliance if they choose to process such data via their queries.

4. Approved Subprocessors
Service | Provider | Purpose
Payment Processing | Stripe | Subscription payments
Ticketing System | Linear | Customer support requests
Changelog & Roadmap | Productlane | Feature tracking & updates
DNS & Security | Cloudflare | DDoS protection & security
Analytics | Posthog, Google Analytics | Product usage insights
Email & Calendar | Google | Email, document storage
Transactional Email | Resend | Service notifications
Marketing Email | Brevo | Customer marketing emails
Client Email Management | Superhuman | Business email tracking
Error Monitoring | Sentry | Application logging
AI Processing | OpenAI, Anthropic, Google Gemini, Llama (self-hosted) | AI-powered query generation

5. Security & Compliance

Data Encryption: TLS 1.2+ encryption for data in transit.
Access Controls: Role-based permissions and multi-factor authentication (MFA).
Security Monitoring: Regular penetration testing and real-time monitoring via Sentry.
Incident Response: WaveQuery will notify the Customer within 48 hours of any detected data breach impacting Customer data.

6. Data Retention & Deletion

Query Logs: Retained for 90 days and automatically purged unless legally required.
Customer Data Deletion: Upon termination, account data is erased unless needed for compliance.

7. International Data Transfers

WaveQuery complies with Standard Contractual Clauses (SCCs) for data transfers outside the UK & EU.

8. Liability & Indemnification
The Customer agrees to indemnify WaveQuery against any regulatory actions, fines, or claims resulting from the Customer's misuse of the Services.
WaveQuery's total liability for any data processing-related claims is limited to the total fees paid by the Customer in the preceding 12 months.

9. Contact Information
For data protection inquiries, contact privacy@wavequery.com.