Data Processing Agreement

Last Updated: December 9, 2024

1. Parties

This Data Processing Agreement ("DPA") is between:

  • Data Controller: Users of wedsite.ai ("Customers")
  • Data Processor: Sitenest Ltd, trading as wedsite.ai ("Provider")

2. Definitions

  • "GDPR" means the General Data Protection Regulation (EU) 2016/679 and the UK GDPR
  • "Personal Data" refers to any information relating to an identified or identifiable natural person
  • "Processing" refers to any operation performed on Personal Data
  • "Guest Data" refers to Personal Data of wedding guests submitted by the Customer

3. Scope of Processing

3.1 Types of Personal Data

The following types of Personal Data will be processed:

  • Customer details (e.g., name, email, phone)
  • Guest details (e.g., names, email addresses, phone numbers)
  • Wedding-specific details (e.g., date, venue, dietary needs)
  • Guest relationships and family connections

3.2 Processing Activities

Processing includes:

  • Secure storage of Personal Data
  • Organising guest details for use
  • Facilitating RSVP communications with guests
  • Publishing approved wedding information on the website

4. Provider Obligations

The Provider shall:

  • Process Personal Data only on documented instructions from the Customer
  • Ensure personnel with access adhere to confidentiality agreements
  • Implement appropriate technical and organizational measures
  • Support Customers in managing data subject requests
  • Assist with data protection impact assessments
  • Delete or return all Personal Data after service completion
  • Share information demonstrating regulatory compliance

5. Security Measures

We implement the following security measures:

  • Data encryption during storage and transmission
  • Routine security evaluations and testing
  • Authentication protocols and access restrictions
  • Regular backups and disaster recovery processes
  • Staff training on data protection
  • Procedures for handling security incidents

6. Sub-processors

We use the following sub-processors:

  • Clerk: For authentication
  • Posthog: For analytics
  • Stripe: For payment processing

Customers will be informed of changes to sub-processors, with the option to raise objections.

7. Data Breaches

In the event of a Personal Data breach, the Provider will:

  • Notify the Customer without undue delay
  • Provide details of the breach and the data affected
  • Take remedial action to address the breach
  • Record all breaches and related responses

8. International Transfers

Personal Data is processed in the UK and Germany. Any further international transfers will only occur:

  • Within the framework of UK-EU adequacy decisions
  • Leveraging Standard Contractual Clauses (SCCs)
  • With requisite safeguards in place

9. Customer Obligations

The Customer shall:

  • Verify a lawful basis exists for Guest Data processing
  • Obtain necessary consents from guests
  • Provide accurate and up-to-date information
  • Adhere to applicable data privacy regulations
  • Respond to data subject requests

10. Liability

Each party shall be liable for its respective obligations under the GDPR. The Provider is liable for damage caused by processing only where it fails to meet GDPR-specific processor obligations.

11. Term and Termination

This DPA shall remain in effect for the duration of the processing. Upon termination:

  • All Personal Data will be deleted or returned within 30 days
  • All copies will be erased unless legal retention is mandated
  • Instructions will be issued to sub-processors for data deletion
  • Customers can request account deletion through profile settings or email
  • Email deletion requests will be processed within 72 hours
  • Complete data removal includes all backups and associated data

12. Contact Information

For questions about this DPA, contact: