Data Processing Agreement (DPA)

This Data Processing Agreement (DPA) applies when WellStreak processes personal data on behalf of a customer in connection with the WellStreak AI workforce platform.

This DPA supplements the main service agreement and applies to personal data processed through account management, AI operations, integrations, analytics, support, and billing workflows.

Customer acts as the data controller for personal data submitted to or generated within its workspace. WellStreak acts as a data processor for service delivery and support activities.

Where WellStreak determines purposes and means for independent legal obligations (for example, financial compliance records), WellStreak may act as an independent controller for that specific processing scope.

WellStreak processes personal data only on documented customer instructions, as reflected in product configuration, support requests, and contractual requirements.

If WellStreak believes an instruction violates applicable law, WellStreak may notify the customer and pause related processing until the issue is resolved.

Data categories may include account identifiers, contact details, communication logs, support records, payment metadata, integration events, and AI training inputs.

Data subjects may include customer representatives, employees, leads, prospects, candidates, end users, and authorized integration participants.

WellStreak implements technical and organizational security controls appropriate to risk, including authentication safeguards, workspace-level access controls, rate limiting, audit logging, and encrypted handling of sensitive integration credentials.

Security controls are reviewed and updated over time to address evolving product architecture, infrastructure, and threat patterns.

WellStreak may engage subprocessors to provide infrastructure, model inference, communication channels, and payments. Examples include Supabase, OpenAI, Anthropic, Google Gemini, Groq, Meta, and Razorpay.

Subprocessors are engaged under contractual obligations requiring confidentiality and appropriate security standards for the services performed.

When personal data is transferred across jurisdictions through subprocessors or infrastructure, WellStreak applies safeguards appropriate to legal and contractual requirements.

Customers remain responsible for determining whether additional region-specific controls are needed for their compliance obligations.

WellStreak provides commercially reasonable assistance to help customers respond to lawful requests related to access, correction, deletion, restriction, and portability.

Customers should submit such requests through support channels with sufficient details to validate authority and scope.

WellStreak maintains incident response procedures to investigate and contain potential security events involving customer data.

Where legally required, WellStreak will notify affected customers without undue delay after confirming a reportable incident involving personal data processing under this DPA.

Upon service termination, customers may request export or deletion of relevant workspace data, subject to legal retention requirements, fraud prevention obligations, and security logging necessities.

Deletion requests are processed according to platform capabilities and applicable contractual timelines.