Data Processing Agreement (DPA)

This DPA outlines WellStreak’s processing commitments for customer data used in platform delivery.

Last updated: February 18, 2026

1. Purpose and Scope

This Data Processing Agreement (DPA) applies when WellStreak processes personal data on behalf of a customer in connection with the WellStreak AI workforce platform.

This DPA supplements the main service agreement and applies to personal data processed through account management, AI operations, integrations, analytics, support, and billing workflows.

2. Roles of the Parties

Customer acts as the data controller for personal data submitted to or generated within its workspace. WellStreak acts as a data processor for service delivery and support activities.

Where WellStreak determines purposes and means for independent legal obligations (for example, financial compliance records), WellStreak may act as an independent controller for that specific processing scope.

3. Processing Instructions

WellStreak processes personal data only on documented customer instructions, as reflected in product configuration, support requests, and contractual requirements.

If WellStreak believes an instruction violates applicable law, WellStreak may notify the customer and pause related processing until the issue is resolved.

4. Categories of Data and Data Subjects

Data categories may include account identifiers, contact details, communication logs, support records, payment metadata, integration events, and AI training inputs.

Data subjects may include customer representatives, employees, leads, prospects, candidates, end users, and authorized integration participants.

5. Security Measures

WellStreak implements technical and organizational security controls appropriate to risk, including authentication safeguards, workspace-level access controls, rate limiting, audit logging, and encrypted handling of sensitive integration credentials.

Security controls are reviewed and updated over time to address evolving product architecture, infrastructure, and threat patterns.

6. Subprocessors

WellStreak may engage subprocessors to provide infrastructure, model inference, communication channels, and payments. Examples include Supabase, OpenAI, Anthropic, Google Gemini, Groq, Meta, and Razorpay.

Subprocessors are engaged under contractual obligations requiring confidentiality and appropriate security standards for the services performed.

7. International Transfers

When personal data is transferred across jurisdictions through subprocessors or infrastructure, WellStreak applies safeguards appropriate to legal and contractual requirements.

Customers remain responsible for determining whether additional region-specific controls are needed for their compliance obligations.

8. Assistance with Data Subject Requests

WellStreak provides commercially reasonable assistance to help customers respond to lawful requests related to access, correction, deletion, restriction, and portability.

Customers should submit such requests through support channels with sufficient details to validate authority and scope.

9. Incident Response

WellStreak maintains incident response procedures to investigate and contain potential security events involving customer data.

Where legally required, WellStreak will notify affected customers without undue delay after confirming a reportable incident involving personal data processing under this DPA.

10. Return and Deletion

Upon service termination, customers may request export or deletion of relevant workspace data, subject to legal retention requirements, fraud prevention obligations, and security logging necessities.

Deletion requests are processed according to platform capabilities and applicable contractual timelines.