Data Processing Agreement
Last updated: 12 June 2026
This Data Processing Agreement ("DPA") sets out the contract that applies when Wodoco B.V. processes personal data on behalf of your organisation. It is the GDPR Article 28 contract required between you (the controller) and us (the processor).
It forms part of our Terms of Service and applies automatically when your organisation accepts those Terms. A counter-signed PDF version is available on request through your organisation's admin panel (Settings → Compliance & Legal).
We've tried to keep it short, precise, and readable. Procurement teams will recognise the required Article 28 structure; we just refuse to dress it up in legalese.
1. What this DPA is, and when it applies
This DPA governs how we, Wodoco B.V., process personal data that your organisation puts into Wodo about other people — your colleagues, your customers, your suppliers, anyone whose personal data appears in a Wodo space.
It does not cover personal data we process for our own purposes — your account, your billing, marketing-site visitors, support correspondence. That is the controller relationship, and it is governed by our Privacy Policy.
This DPA applies from the moment your organisation accepts our Terms of Service, and for as long as we hold any personal data on your behalf.
2. Who's who: controller and processor
In this DPA:
- You (the customer organisation, "Customer", "Controller") are the data controller for the personal data you put into Wodo about other people. You decide the purposes of the processing — the why. We provide the technical and operational means of delivering the service, and otherwise process the data on your instructions.
- We (Wodoco B.V., "Wodoco", "Processor") are the data processor for that personal data. We process it on your behalf, only for the purposes you have set out by using Wodo.
For the avoidance of doubt: Wodoco is also a controller for separate data collected for our own purposes (your account information, your billing, our website logs). That role is covered by our Privacy Policy, not this DPA.
3. What we process, why, and for how long
The specifics are in Annex 1 at the end of this document. In short:
- Subject matter: the personal data your organisation puts into Wodo workspaces — items, documents, comments, attachments, and the metadata around them.
- Nature and purpose of processing: enabling you to use Wodo as a project-management tool — storing, syncing, indexing for search, exporting on request, backing up, and sending operational emails.
- Categories of data subjects: the people whose personal data your organisation chooses to put into Wodo — typically colleagues, customers, suppliers, or any third party your work involves.
- Categories of personal data: identifying and contact data (names, email addresses, phone numbers), professional and role information, and the content of items, documents, comments and attachments that your users create. Special-category data (GDPR Article 9) is not intended to be processed in Wodo — see Annex 1.
- Duration: for as long as you have an active Wodo account, plus the transition and export windows after termination and the short backup horizons described in Section 11.
4. Our obligations as processor
These are the obligations GDPR Article 28 requires us to take on. We list them so you can see what we are committing to.
4.1 We process only on your instructions
We process the personal data in your spaces only for the purposes set out in this DPA and the Terms — never for our own purposes, never to train machine-learning models, never to sell or share with anyone outside the subprocessors in Annex 3. The standing instructions you give us are: "Run the service we are paying you for." We follow any further documented instructions you give us by email or in writing, provided they are reasonable and within the scope of the service.
If we ever believe an instruction breaches GDPR or other EU data protection law, we will tell you so before acting on it.
4.2 Confidentiality of staff
Every Wodoco staff member who could ever touch customer personal data is bound by a written confidentiality undertaking, in place as part of their employment contract from day one.
4.3 Security
We apply appropriate technical and organisational measures to protect the personal data we process. These are described in Annex 2 and in customer-friendly form at wodo.co/security.
4.4 Subprocessors
We use the subprocessors listed in Annex 3 to deliver Wodo. They process personal data only as needed for their role, under written contracts that bind them to terms at least as strict as this DPA.
If we want to add or change a subprocessor, we will tell your organisation admins at least 30 days in advance by email. You can object in writing during that period. If we cannot accommodate the objection, you can terminate the affected service without penalty.
4.5 Helping with data subject requests
If a data subject contacts us with a GDPR rights request (access, erasure, etc.) about data you have put into Wodo, we will pass it to your organisation admins promptly — we cannot act on it without your instruction because you are the controller. We give you tooling (export, deletion, audit log) to act on these requests yourselves.
4.6 Helping with security and breach matters
If something happens that affects the security or privacy of the personal data we process for you, we will tell you without undue delay — we aim to do so within 48 hours, and in any event within 72 hours of becoming aware. The details of how — what we tell you, when, in what form — are in Section 9.
4.7 Return or deletion at end
When your account ends, you can export your data during the transition and retrieval windows described in Section 11 (or any longer switching or data-retrieval period the Terms of Service grant pursuant to the EU Data Act). This gives effect to your right under GDPR Article 28(3)(g) to have the data returned and then deleted: after those windows we delete personal data from active systems; relational-metadata backups are deleted within a further 14 days, and workspace content is not separately backed up (Section 11). We confirm deletion in writing on request.
4.8 Audit support
You can review our compliance with this DPA. We make documentation, security questionnaires, and any third-party certifications we hold available to you on request. On-site or in-depth audits beyond that — see Section 12.
4.9 Helping with impact assessments and prior consultation
We also assist you, taking into account the nature of processing and the information available to us, with data protection impact assessments under GDPR Article 35 and prior consultations with supervisory authorities under Article 36, where reasonably required. We do not charge for reasonable assistance; for substantial or recurring support we may charge our reasonable costs, agreed in advance.
5. Your obligations as controller
You commit to:
- Having a lawful basis under GDPR for the personal data you put into Wodo, including any consents required from the data subjects whose data you collect.
- Giving us accurate and lawful instructions through how you configure and use Wodo.
- Telling us if the nature of your data, your purpose for processing it, or the categories of data subjects changes materially.
- Acting on data subject requests yourself, using the tooling we provide.
These are the controller-side obligations of GDPR Article 24. They are yours; we can help, but we cannot lift them off you.
6. Subprocessors
The current list is in Annex 3 at the end of this DPA.
Adding or changing a subprocessor: we email all organisation admins at least 30 days before the change takes effect. From your admin panel (Settings → Compliance & Legal), you can also opt in to receive these notifications individually rather than relying on the standard admin distribution.
Right to object: if you object in writing during the 30-day notice period, we will try to find an alternative. If we cannot, you can terminate the affected service without penalty and we will refund any prepaid amount for the post-termination period.
7. International transfers — our European default, your per-space choice
By default, all of your data stays in the European Union or in a territory covered by an EU adequacy decision. Currently Canada is the only non-EU region we offer; Canada's EU adequacy decision covers private-sector commercial organisations under PIPEDA, which is the basis on which we operate.
If we ever add a region outside the EU/EEA and outside adequacy, choosing it for a space is an operational step you take; the legal basis for the transfer is the EU Standard Contractual Clauses (Module 2, controller-to-processor) attached as Annex 4, together with a transfer impact assessment and any supplementary measures needed to ensure the destination's law does not undermine them. We do not move your data to such a region without your active per-space decision and those safeguards in place.
The same applies to any future subprocessor: if we ever add one outside EU/EEA/adequacy territories, we will notify you under the standard subprocessor procedure (Section 6) and the SCCs in Annex 4 (with the assessment above) will govern that transfer.
8. Security measures
The full list of our technical and organisational measures is in Annex 2, and described in customer-friendly form at wodo.co/security. In summary:
- Encryption in transit (TLS 1.3) and at rest.
- Authentication via your chosen identity provider for members; WebAuthn passkeys for invited guests without a supported IdP. No passwords stored.
- Per-organisation tenancy enforced server-side; per-space access control.
- Audit log of administrative actions.
- Per-region data isolation — workspace content stays in the region you chose.
- Operational logs aggregated to a single EU-hosted log management service, with sensitive fields stripped at the application layer.
- All Wodoco staff with potential access to customer data bound by written confidentiality undertakings.
- Documented incident response procedure.
Wodoco does not hold a formal security certification at the time of writing; see wodo.co/security for details. Our infrastructure providers do hold formal certifications; see Annex 3 for links.
9. Data breaches and how we tell you
If we become aware of a personal data breach affecting personal data we process for you, we will notify your organisation admins without undue delay — we aim to do so within 48 hours, and in any event within 72 hours of becoming aware, by email, with what we know at that point:
- What happened, in plain language.
- What categories of personal data were affected.
- What we have done to contain it.
- What you may need to do.
- A contact for follow-up.
We normally send a more detailed follow-up within 72 hours of the first notification, with root-cause analysis and remediation status.
Our incident response procedure is documented internally; we share the relevant parts with you on request.
10. Helping you with data subject requests
People whose personal data is in your Wodo workspaces have rights under GDPR — access, rectification, erasure, restriction, portability, objection.
You are the controller, so you are the addressee of these requests. We help by:
- Giving your admins export tooling that produces structured, machine-readable copies of workspace content at any time.
- Giving your admins deletion tooling in the application for workspaces and accounts.
- Forwarding promptly any rights request that reaches us directly (for example, via security@wodo.co), so you can respond.
If you need help responding that goes beyond what the tooling provides, write to privacy@wodo.co. We do not charge for reasonable requests.
11. When and how data goes away
When your account or contract ends:
- For a transition period of up to 30 days, your account stays active and the application's export tooling remains available, so you can wind down or switch to another provider.
- For another 30 days, the export tooling remains available so you can retrieve your data. These periods reflect your switching and data-retrieval rights under the EU Data Act; where it grants a longer period, that longer period applies.
- After that, we delete personal data from active systems — databases, object storage, search indexes.
- Relational-metadata backups held by our managed database are deleted within a further 14 days as part of standard backup retention.
- Workspace content held in object storage is replicated within your chosen region but not separately snapshotted, so there is no separate backup horizon to wait out. Note that replication protects against hardware failure, not against deletion: once workspace content is deleted, it cannot be restored from a backup.
We confirm deletion in writing on request.
If your contract ends because we believe in good faith that you have committed fraud or seriously breached our Terms, we may delete sooner than the windows above, to the extent the law permits. Conversely, where a law requires us to retain certain data (for example for a fraud investigation or a statutory retention obligation), we keep it for as long as required and isolate it from active processing.
12. Audits and how to ask for one
You have the right to verify our compliance with this DPA. In practice, this works as follows:
First: we provide documentation. Security questionnaire responses, our written policies (incident response, access control, etc.), our subprocessor list, our infrastructure providers' compliance materials, and any third-party certifications we hold. Most procurement teams can finish their review at this stage.
On reasonable cause: an on-site audit. If documentation is not enough — for example, after a security incident or where you have a specific, documented concern — you (or an independent auditor you nominate) can audit our processing of your data, once per calendar year, with at least 30 days' written notice. You bear the reasonable costs of an audit you initiate; if it reveals a material failure on our part to comply with this DPA, we bear them instead.
Limits: audits are limited to what is reasonably necessary to verify compliance with this DPA, and must not unduly disrupt our operations or the security of other customers' data. They must respect Wodoco's confidentiality and the confidentiality of other customers' data, and we may decline a competitor as the auditor. Where an audit identifies a shortcoming, the parties will discuss it in good faith and we will be given a reasonable period to remedy it before further steps are taken.
13. Liability under this DPA
The liability cap in our Terms of Service applies to this DPA too — our total liability to you in any rolling 12-month period is limited as set out there.
That cap does not apply to damages caused by intent (opzet) or deliberate recklessness (bewuste roekeloosheid), or to death or personal injury caused by us.
Where a supervisory authority imposes an administrative fine under Article 83 GDPR, or a data subject claims compensation under Article 82 GDPR, each party bears that liability to the extent of its own responsibility under those articles (Article 82(5)). As between us, any contractual claim to recover such amounts remains subject to the cap above, except where it results from our intent or deliberate recklessness.
Nothing in this DPA limits or reduces either party's statutory liability under GDPR.
14. Changes to this DPA
We may update this DPA from time to time. If we make a material change, we will notify your organisation admins at least 30 days in advance by email. You can terminate without penalty before the change takes effect; continuing to use Wodo after that counts as acceptance.
For minor clarifications, formatting fixes, and editorial improvements that do not change your rights or obligations, we may update without prior notice — but we will keep older versions available.
15. Dutch law, Dutch courts
This DPA is governed by Dutch law. Disputes go before the Rechtbank Amsterdam, the district court for Wodoco B.V.'s registered office.
Annex 1 — Description of processing
| Item | Description |
|---|---|
| Subject matter | Personal data your organisation puts into Wodo workspaces. |
| Nature of processing | Storage, real-time synchronisation, indexing for search, exporting on request, backup, sending operational emails on your behalf where configured. |
| Purpose | Enabling your organisation to use Wodo as a project management and contextual-knowledge tool. |
| Duration | Active account, plus the 30-day transition period and the further 30-day data-retrieval period after termination (or any longer period granted under the EU Data Act), plus the backup horizons described in Section 11. |
| Categories of data subjects | People whose personal data your organisation chooses to put into Wodo — typically colleagues, customers, suppliers, or any third party your work involves. |
| Categories of personal data | Identifying and contact data (names, email addresses, phone numbers), professional and role information, and the content of items, documents, comments and attachments that your users create. |
| Special categories of personal data | Wodo is not designed for processing GDPR Article 9 special-category data (health, biometrics, race, religion, etc.). Customers should not put such data into Wodo without explicit prior discussion with us about whether the architecture is suitable. |
Annex 2 — Technical and organisational measures (TOMs)
| Area | Measures |
|---|---|
| Encryption in transit | TLS 1.3 with HSTS for all client–server traffic. Session cookies carry the Secure and HttpOnly attributes. |
| Encryption at rest | Workspace content and database backups encrypted on disk by the underlying infrastructure provider. |
| Authentication | Federated sign-in via the customer's chosen identity provider (OAuth / OIDC) for members; WebAuthn passkeys for invited guests without a supported IdP; no password storage. |
| Access control | Per-organisation tenancy enforced server-side; per-space membership; admin and member roles; append-only audit log of administrative actions and sign-in events (retained 12 months). |
| Data isolation | Per-region collaboration servers; no cross-region replication of workspace content; per-organisation data scoping. |
| Backups | Encrypted relational metadata backups retained 14 days. Workspace object storage replicated within the chosen region; no separate point-in-time snapshots. |
| Logging | Single EU-hosted log management service; sensitive fields stripped at the application layer. |
| Confidentiality of personnel | Written confidentiality undertaking part of all employment contracts. |
| Patch management | Automated dependency vulnerability scans on every change; prompt patching of critical advisories. |
| Incident response | Documented procedure (ISMS-POL-05) maintained in our Information Security Management System, mapped to ISO/IEC 27001:2022 Annex A.5.24–A.5.28; reviewed at least annually; annual tabletop exercise. Customer-facing breach notification commitments are in Section 9 of this DPA. |
| Certification | Wodoco holds no formal security certification at the time of writing. |
Annex 3 — Subprocessors
| Subprocessor | Role | Location | Compliance materials |
|---|---|---|---|
| OVH SAS (OVHcloud) | Hosting — object storage, compute, relational metadata DB, log aggregation | France | Certifications and audits |
| BunnyWay d.o.o. (bunny.net) | Content delivery network | Slovenia | Trust Center |
| Lettermint B.V. | Transactional email | Netherlands | Trust Center |
| Mollie B.V. | Payment processing | Netherlands | Security & compliance |
Annex 4 — Standard Contractual Clauses
This Annex applies only if you choose a storage region for a space that is outside the EU/EEA and outside an EU adequacy decision. As of the date of this DPA, no such region is offered.
If and when that changes, we adopt the European Commission's Standard Contractual Clauses (Module 2, controller-to-processor) as set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
The SCCs alone are not sufficient: before any such transfer we also carry out a transfer impact assessment of the destination country's law and put in place any supplementary technical or organisational measures needed to ensure the SCCs' protection is not undermined.
The clauses are incorporated by reference. Where the SCCs require specific information to be filled in:
- Module: Module 2 (controller-to-processor)
- Docking clause: applicable
- Data exporter: the customer organisation (controller)
- Data importer: Wodoco B.V. (processor)
- Categories of data subjects, categories of personal data, purpose: as set out in Annex 1 of this DPA
- Technical and organisational measures: as set out in Annex 2 of this DPA
- Governing law (Clause 17): Dutch law
- Forum (Clause 18(b)): Rechtbank Amsterdam
Selecting a non-adequacy region for a space is the operational step that records your acceptance of these SCCs; the SCCs and the assessment above — not the selection itself — are the legal basis for the transfer.
If you have questions about this DPA, please write to legal@wodo.co.