Data Processing Agreement

Version 1.0 | Effective 12 June 2026 | WeProof B.V., Voshage 21, 5258 XN Berlicum, the Netherlands | KvK 42031773

1. Parties

WeProof B.V., a private limited liability company incorporated under the laws of the Netherlands, with its registered office at Voshage 21, 5258 XN Berlicum, the Netherlands, Chamber of Commerce (KvK) number 42031773, and contact email privacy@weproof.studio ("Processor"); and

the customer entity that enters into the WeProof terms and conditions or other master agreement for use of the WeProof platform ("Controller").

This Agreement forms part of and supplements the applicable WeProof Terms and Conditions, Master Services Agreement, order form, or other principal agreement between Controller and Processor (the "Principal Agreement"). In the event of conflict, this Agreement prevails with respect to the processing of personal data.

2. Purpose and Scope

Processor provides WeProof, a business-to-business review and approval platform for creative assets, including PDFs, images, video, audio, comments, annotations, approvals, and related collaboration workflows.

To the extent Processor processes personal data on behalf of Controller in connection with the WeProof services, the parties agree that Processor acts as a processor and Controller acts as a controller within the meaning of the GDPR.

This Agreement sets out the parties' rights and obligations regarding the processing of personal data under Article 28 GDPR.

3. Definitions

Applicable Data Protection Law: the GDPR and any other applicable laws or regulations relating to privacy, data protection, or international data transfers.

Data Subject: an identified or identifiable natural person to whom personal data relates.

GDPR: Regulation (EU) 2016/679.

Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

Subprocessor: any third party engaged by Processor to process personal data on behalf of Controller.

4. Subject Matter, Duration, Nature, and Purpose of Processing

The subject matter, duration, nature, and purpose of the processing, as well as the types of personal data and categories of data subjects, are described in Annex 1.

Processing under this Agreement will continue for the duration of the Principal Agreement, unless terminated earlier in accordance with the Principal Agreement or this Agreement.

5. Controller Instructions

Processor shall process personal data only on documented instructions from Controller, unless required to do otherwise by Union or Member State law to which Processor is subject.

The Principal Agreement, Controller's configuration and use of the WeProof services, and Controller's support requests or other written directions together constitute Controller's documented instructions for ordinary use of the services.

If Processor believes an instruction infringes Applicable Data Protection Law, Processor shall inform Controller without undue delay.

6. Controller Responsibilities

Controller is responsible for determining the lawful basis for the processing of personal data and for providing any required privacy notices to its users, reviewers, employees, contractors, and other data subjects.

Controller is responsible for the content uploaded to the services and for ensuring that such content may lawfully be processed through WeProof.

The services are not intended for the processing of special categories of personal data under Article 9 GDPR, criminal data, national identification numbers, or other highly sensitive personal data, unless expressly agreed in writing in advance.

Controller shall not instruct Processor to process personal data in a manner that would violate Applicable Data Protection Law.

7. Confidentiality

Processor shall ensure that persons authorized to process personal data are bound by confidentiality obligations or are under an appropriate statutory duty of confidentiality.

Processor shall limit access to personal data to personnel and contractors who require such access for the performance, support, security, or improvement of the services.

8. Technical and Organisational Measures

Processor shall implement appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

The measures currently implemented, and the roadmap items that are planned but not yet implemented, are described in Annex 2.

Controller acknowledges that Processor operates an evolving platform and that certain security enhancements are planned as set out in Annex 2. Processor shall at all times maintain security measures appropriate to the nature of the service and the risks presented by the processing.

9. Subprocessors

Controller grants Processor a general written authorization to engage Subprocessors for the provision of the services.

Processor shall maintain a current list of Subprocessors, including those listed in Annex 3, and shall make such list available to Controller on request or via a public or customer-facing URL.

Processor shall notify Controller of intended additions or replacements of Subprocessors at least fourteen (14) days in advance, where reasonably practicable.

If Controller has reasonable data protection grounds to object to a new Subprocessor, the parties shall discuss such objection in good faith. If no reasonable solution can be reached, Controller may terminate the affected services in accordance with the Principal Agreement.

Processor shall impose data protection obligations on each Subprocessor that are substantially equivalent to those set out in this Agreement, to the extent applicable to the services provided by that Subprocessor.

10. International Transfers

To the extent personal data is transferred outside the European Economic Area, the United Kingdom, or Switzerland, Processor shall ensure that such transfers are subject to a lawful transfer mechanism under Applicable Data Protection Law, including the European Commission's Standard Contractual Clauses where required.

Controller acknowledges that some current or planned service providers may process personal data outside the EEA or without a guaranteed EU-only hosting region, as described in Annex 3.

Processor shall use commercially reasonable efforts to reduce unnecessary international transfers and has implemented regional hosting controls where supported by the relevant provider, including EU-region pinning of application compute (Frankfurt), EU-hosted database infrastructure (Ireland), and EU-jurisdiction file storage on Cloudflare R2, as further described in Annex 3.

11. Assistance with Data Subject Requests

Taking into account the nature of the processing, Processor shall provide reasonable assistance to Controller, insofar as possible, to enable Controller to respond to requests from data subjects exercising their rights under Applicable Data Protection Law.

Where a data subject contacts Processor directly regarding personal data processed on behalf of Controller, Processor shall, unless prohibited by law, refer the request to Controller and shall not respond except on Controller's documented instructions.

12. Assistance with Compliance

Taking into account the nature of processing and the information available to Processor, Processor shall provide reasonable assistance to Controller with respect to security of processing, personal data breach notifications, data protection impact assessments, and prior consultation obligations, where applicable.

Such assistance shall be limited to the information and support reasonably available to Processor and may be subject to reimbursement of reasonable costs where the request exceeds ordinary operational support.

13. Personal Data Breaches

Processor shall notify Controller without undue delay and, where feasible, no later than twenty-four (24) hours after Processor has confirmed a Personal Data Breach affecting personal data processed under this Agreement.

Such notice shall include, to the extent known at the time: the nature of the incident, the categories of personal data affected, the likely consequences, and the measures taken or proposed by Processor to address the incident.

Processor may provide information in phases where not all details are immediately available.

14. Deletion and Return of Personal Data

Upon termination or expiry of the Principal Agreement, Processor shall, at Controller's choice and subject to the functionality of the services, delete or return personal data processed on behalf of Controller, unless Union or Member State law requires storage of the personal data.

Unless otherwise agreed in writing, Processor may retain data for up to thirty (30) days after account termination or service cancellation for recovery, export support, billing reconciliation, fraud prevention, or technical wind-down purposes.

Backup systems may retain deleted data until overwritten in the ordinary course of Processor's backup rotation cycle. The current target and open implementation item is overwrite within sixty (60) days, subject to confirmation and technical implementation.

More detailed retention and deletion assumptions, including free-tier inactivity and post-cancellation handling, are set out in Annex 2.

15. Audit and Information Rights

Processor shall make available to Controller all information reasonably necessary to demonstrate compliance with this Agreement and Article 28 GDPR.

The parties agree that compliance information shall primarily be provided through written documentation, security descriptions, responses to reasonable questionnaires, and similar materials.

Where Controller has a reasonable and documented basis to require further verification that cannot be satisfied through documentation, Controller may request an audit no more than once per calendar year, on at least thirty (30) days' prior written notice, during normal business hours, in a manner that does not unreasonably interfere with Processor's business operations, confidentiality obligations, or security.

Controller shall bear its own costs and Processor's reasonable external and internal costs associated with such audit, unless the audit reveals a material breach by Processor of this Agreement.

16. Liability

Each party remains liable for its own compliance with Applicable Data Protection Law.

Any liability arising under this Agreement shall, to the extent permitted by law, be subject to the exclusions and limitations of liability set out in the Principal Agreement, unless such limitation is prohibited by Applicable Data Protection Law.

17. Governing Law and Jurisdiction

This Agreement is governed by the laws of the Netherlands.

The competent court in the judicial district of the Netherlands in which Processor has its registered office shall have exclusive jurisdiction, except where mandatory law provides otherwise.

18. Order of Precedence and Final Provisions

If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.

This Agreement may be executed electronically and may be incorporated by reference into the Principal Agreement.

This Agreement may be updated from time to time where required by law, by changes to the services, or by changes to subprocessors, provided that any material reduction in data protection commitments requires notice to Controller.

Signature block

For Processor
WeProof B.V.
Name: ____________________
Title: _____________________
Date: _____________________
Signature: ____________________
Registered office: Voshage 21, 5258 XN Berlicum, the Netherlands

For Controller
<Customer legal name>
Name: ____________________
Title: _____________________
Date: _____________________
Signature: ____________________
Registered office: ____________________

Annex 1 – Details of Processing

Nature of the service. WeProof is a B2B review and approval platform for creative assets, including PDFs, images, videos, audio files, comments, annotations, approvals, versioning, project workflows, and related notifications.

Duration. For the term of the Principal Agreement, plus any agreed post-termination retention period and any technically necessary backup retention period.

Purpose of processing. Account management, authentication, role-based access control, reviewer invitation handling, collaboration and review workflows, file storage and display, version management, thumbnail generation, notifications, usage analytics within the platform, subscription administration, support, and security.

Categories of data subjects

  • Controller's internal users and team members
  • External reviewers invited by Controller
  • Representatives of Controller and its affiliates
  • Individuals whose personal data may be contained in uploaded files or related metadata, where such files are uploaded by Controller

Categories of personal data

  • Internal user account data: full name, email address, hashed password, role
  • Reviewer data: name, email address, review decision status
  • Organisation data: organisation name, organisation logo
  • Asset and metadata: uploaded files, file name, type, size, version number, upload timestamp, stream identifiers and processing status for video
  • Feedback data: comments, threaded replies, timestamps, authorship, visual annotations, pin coordinates, video or audio timestamps, approve or request-changes decisions
  • Usage and activity data: review page visits, daily activity counts, analytics dashboard metrics, project status changes and timestamps
  • Subscription data: current plan, subscription status, trial end date, future Stripe customer ID and billing-related metadata
  • Administrative support data: internal admin notes relating to organisations

Special category data

The services are not intended for the processing of special categories of personal data, criminal data, government identification numbers, or other highly sensitive data. Controller shall not upload such data unless expressly agreed in writing in advance.

Annex 2 – Technical and Organisational Measures

Currently implemented measures

  • Encryption in transit via HTTPS on Vercel and Cloudflare endpoints
  • Encryption at rest through supplier-managed encryption for Supabase and Cloudflare R2
  • Password hashing using bcrypt
  • Role-based access control for OWNER, ADMIN, and MEMBER roles, with centralised permission logic
  • Server-side access checks for project mutations and plan-limit enforcement
  • Database row-level security enabled in addition to application-layer authorisation
  • Centralised server-side reviewer authorisation on all invite-token endpoints, with phase isolation between internal and client review
  • Session invalidation on password reset and on organisation suspension
  • EU regional hosting controls: application compute pinned to the EU (Frankfurt), database hosted in the EU (Ireland), and file storage on Cloudflare R2 with EU jurisdiction
  • Unique personal reviewer invite links rather than generic shared review links
  • Token-based email verification during sign-up
  • Separation between internal comments and annotations versus client-visible review feedback

Measures likely present but to be confirmed

  • Automated database backups by Supabase, depending on the active plan
  • Vercel request and access logging, including retention and monitoring configuration
  • Supabase backup retention configuration and retention period

Planned measures and open action items

  • Implement rate limiting and further security header hardening
  • Implement signed playback URLs and invite-token expiry for review links
  • Assess and document Cloudflare Stream's international transfer posture and include contract safeguards where needed
  • Adopt an incident response procedure and internal breach-response playbook
  • Implement or document monitoring and alerting, for example through an error logging or incident tool
  • Assess whether admin or owner MFA should be added for production launch or higher-tier accounts
  • Confirm and document backup retention and overwrite timing
  • Implement and document a post-cancellation deletion workflow, including read-only grace period and deletion timing
  • Implement and document free-tier inactivity deletion workflow, including prior warning email
  • Add a data export process, initially manual and potentially self-service later
  • Publish and maintain a subprocessor list
  • Publish a privacy notice covering website visitors, registered users, and reviewers
  • Add a privacy notice link to reviewer invitation emails and invitation pages
  • Assess whether security headers, rate limiting, and further hardening should be implemented before general availability
  • Assess whether later-stage assurance such as SOC 2 or ISO 27001 is commercially desirable for enterprise customers

This annex distinguishes between measures already implemented and measures planned or to be confirmed. Planned measures are not represented as already in place.

Annex 3 – Subprocessors and Data Location Notes

Provider | Role | Known or likely location | Notes
Vercel | Hosting and deployment | EU, pinned to Frankfurt region (fra1) | Processes request traffic and application logic
Supabase | PostgreSQL database | AWS eu-west-1, Ireland | Main database hosting
Cloudflare R2 | File storage | EU jurisdiction | Stores uploaded files, previews, thumbnails, and organisation logos
Cloudflare Stream | Video transcoding and playback | Global routing | May involve cross-border processing
Resend | Transactional email | US / global infrastructure | Processes email addresses and notification content
GitHub | Source code repository | US / Microsoft infrastructure | Should not be used to store live customer personal data beyond operational necessity
Stripe (planned) | Billing and subscription management | EU entity with transfer mechanisms as applicable | Planned; will be added to the subprocessor list before billing goes live
