Data Processing Agreement

Effective Date: January 1, 2025 Last Updated: March 15, 2025 Version: 2.1

1. Parties & Definitions

This Data Processing Agreement ("Agreement") is entered into by and between:

  • "Controller": The client or entity that determines the purposes and means of processing personal data, engaging Wp Admin for WordPress administration services.
  • "Processor": Wp Admin, the entity that processes personal data on behalf of the Controller in accordance with this Agreement.

This Agreement incorporates by reference the terms of the Wp Admin Terms of Service and Privacy Policy. In the event of a conflict, this Agreement shall prevail regarding data processing obligations.

2. Subject Matter, Nature, and Duration of Processing

The Processor shall provide WordPress website administration, maintenance, security monitoring, performance optimization, and related technical services ("Services"). Processing of personal data is performed strictly as necessary to deliver these Services.

The duration of processing shall correspond to the active term of the Service Agreement, unless otherwise specified in writing. Upon termination, all personal data shall be securely deleted or returned as instructed by the Controller.

3. Categories of Data Subjects and Types of Data

The Processor may incidentally process personal data belonging to the following categories of data subjects:

  • Website visitors and users
  • Registered users and subscribers
  • Customer support contacts
  • Employees or contractors of the Controller

Data types may include names, email addresses, IP addresses, browser/device information, form submissions, and support ticket communications. Processing is limited to technical administration, security monitoring, backup, and performance optimization.

4. Processing Operations

The Processor shall perform processing operations strictly in accordance with the Controller’s documented instructions. Standard processing activities include:

  • Automated system updates, backups, and security patching
  • Server log analysis and performance monitoring
  • Malware scanning and threat mitigation
  • Cache management and CDN configuration
  • Database optimization and content migration assistance

Any processing outside the scope of these instructions requires prior written authorization from the Controller.

5. Security & Confidentiality

The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access control and multi-factor authentication for administrative systems
  • Regular vulnerability assessments and penetration testing
  • Secure development practices and automated patch management
  • Strict confidentiality obligations imposed on all personnel with access

Security measures are reviewed and updated quarterly to align with industry standards and regulatory requirements.

6. Sub-processors

The Processor may engage specific sub-processors to perform certain processing activities. The Controller grants prior written consent to the following:

Sub-processorProcessing ActivityLocation
Cloud Hosting ProviderInfrastructure & storageUS/EU
CDN Service ProviderContent delivery & cachingGlobal
Backup & Disaster RecoveryAutomated backupsUS/EU
Security Scanning ServiceMalware & threat detectionUS

The Processor remains fully liable for the acts and omissions of its sub-processors and ensures equivalent data protection obligations are contractually binding.

7. Assistance with Data Subject Rights

The Processor shall assist the Controller in fulfilling obligations to respond to data subject requests, including rights to access, rectification, erasure, restriction, portability, and objection.

Upon receiving a direct request from a data subject, the Processor shall promptly forward the request to the Controller within 48 hours and refrain from processing the data until further instructions are provided.

8. International Data Transfers

Personal data may be transferred to and processed in jurisdictions outside the European Economic Area. Where applicable, such transfers shall be governed by standard contractual clauses, adequacy decisions, or other recognized transfer mechanisms in compliance with GDPR and applicable data protection laws.

9. Audit & Compliance

The Controller retains the right to audit the Processor’s compliance with this Agreement, including the right to conduct or commission independent audits upon reasonable notice. The Processor shall maintain detailed records of processing activities and make them available to supervisory authorities upon request.

10. Data Breach Notification

In the event of a personal data breach, the Processor shall notify the Controller without undue delay, and in any case within 24 hours of becoming aware of the incident. The notification shall include the nature of the breach, categories of affected data, potential consequences, and measures taken to mitigate risk.

11. Liability & Indemnification

The Processor shall indemnify and hold harmless the Controller against claims, damages, or regulatory fines arising directly from the Processor’s breach of this Agreement, negligence, or unauthorized processing. Liability limitations set forth in the main Service Agreement shall not apply to data protection violations or confidentiality breaches.

12. Term & Termination

This Agreement remains in effect for the duration of the Service Agreement. Upon termination or expiration, the Processor shall securely delete or return all personal data as directed by the Controller and provide written certification of destruction within 30 days.

13. Contact Information

For inquiries regarding this Data Processing Agreement or data protection matters, please contact:

Wp Admin Data Protection Officer
Email: privacy@wpadmin.com
Address: 123 Tech Avenue, Suite 400, San Francisco, CA 94105
Phone: +1 (555) 019-2834