Data Processing Addendum
This Data Processing Agreement ("DPA") forms part of the Agreement for Services (the "Principal Agreement") between:
- Webstudio, Inc. ("Processor"), a C-Corporation organized under the laws of the State of Oregon, USA, with registered office at 9450 SW Gemini Dr PMB 38725, Beaverton, OR 97008-7105
- Controller ("Controller"): the party receiving the Services under the Principal Agreement; details (name, legal form, registration number, and address) to be specified in that Agreement.
(Together, the “Parties”.)
1. Definitions
- Applicable Law: Any data protection or privacy law applicable to the processing of Personal Data under this DPA, including the EU General Data Protection Regulation 2016/679 ("GDPR").
- Data Protection Laws: All applicable laws relating to the processing of Personal Data and privacy, including, but not limited to, the GDPR.
- Personal Data: Any information relating to an identified or identifiable natural person, processed by the Processor on behalf of the Controller under this DPA.
- Processing: Any operation or set of operations on Personal Data as defined in Article 4(2) GDPR.
- Sub-processor: Any third party appointed by the Processor to process Personal Data on behalf of the Controller.
2. Scope and Purpose of Processing
The Processor shall process Personal Data only for the purpose of providing the Services described in the Principal Agreement, with the following details:
- Subject Matter: Website building, hosting, maintenance, and support
- Duration: Term of the Principal Agreement (unless earlier terminated)
- Nature & Purpose: Hosting, storing, transmitting, and managing website content and data
- Types of Personal Data: Names; email addresses; contact details; payment information; technical logs; customer end‑user data
- Categories of Data Subjects: Controller’s employees; customers; end‑users; website visitors
3. Processor Obligations
The Processor shall:
- Process on Instructions. Only process Personal Data on documented instructions from the Controller, unless required otherwise by Applicable Law.
- Confidentiality. Ensure all personnel with access to Personal Data are under confidentiality obligations.
- Security Measures. Implement appropriate technical and organizational measures, including:
  - Pseudonymization and encryption of Personal Data.
  - Ensuring ongoing confidentiality, integrity, availability, and resilience of systems.
  - Ability to restore access and availability after incidents.
  - Regular testing and evaluation of security measures.
- Data Subject Rights. Assist the Controller in responding to data subject requests (access, rectification, erasure, restriction, portability, objection) within legal timelines.
- Breach Notification. Notify the Controller without undue delay upon becoming aware of a Personal Data breach.
- Audits & Inspections. Provide information and allow audits to demonstrate compliance with this DPA.
4. Sub-processing
The details of current Sub-processors are specified in Annex 1 below:
- The Controller authorizes the Processor to appoint Sub-processors as listed in Annex 1.
- The Processor will inform the Controller in writing at least thirty (30) days prior to any intended changes (additions or replacements) to the Sub-processor list and provide details of the new Sub-processor. The Controller may object to a proposed Sub-processor within fifteen (15) days of receiving notice, specifying reasonable grounds for objection. If the Controller objects, the Parties shall discuss in good faith to resolve the concern.
- All Sub-processors will be bound by data protection obligations no less stringent than those in this DPA.
- The Processor shall require each Sub-processor to indemnify and hold harmless the Processor against any claims, losses, or liabilities arising from the Sub-processor’s breach of its data protection obligations.
- Limitation of Sub-processor Liability. Notwithstanding any other provision, the Processor’s liability to the Controller for acts or omissions of its Sub-processors shall be limited to the amounts that the Processor actually recovers from such Sub-processors, and in any event shall be subject to the overall liability cap and limitations set forth in Section 7 of this DPA.
5. International Data Transfers
- Permitted Transfers. The Processor may transfer Personal Data outside the European Economic Area (EEA) only under GDPR‑compliant mechanisms, including the EU–U.S. Data Privacy Framework, Standard Contractual Clauses (SCCs), adequacy decisions, or Binding Corporate Rules.
- Invalidation of Transfer Mechanisms. If any such mechanism is invalidated, the Processor shall:
  a. Immediately cease transfers under the invalidated mechanism.
  b. Notify the Controller in writing within five (5) business days of the invalidation, including details of the affected data categories and recipients.
  c. Cooperate with the Controller to implement an alternative lawful transfer mechanism within thirty (30) days.
- Allocation of Liability. The Processor shall not be liable for any unauthorized transfers performed in compliance with this Section 5, provided that:
  a. Transfers were conducted under a valid GDPR‑compliant mechanism at the time of transfer.
  b. The Processor complied with its obligations in paragraphs 2.a and 2.b.
  c. The Controller did not explicitly instruct the Processor to continue transfers under an invalidated mechanism.
The Processor shall be liable for unauthorized transfers only if it:
- Continued transfers after notice of invalidation without following the steps in paragraph 2; or
- Willfully refused to cooperate in implementing an alternative mechanism.
6. Term and Termination
- Effective Date: Date of the Principal Agreement.
- Term: Until all Personal Data processing ceases.
- Post-Termination: Upon termination, the Processor shall, at the Controller’s choice, delete or return all Personal Data, unless retention is legally required.
7. Liability and Indemnity
- Limitation of Liability. Except for liability arising from Processor’s willful misconduct or gross negligence, the Processor’s total aggregate liability under this DPA shall not exceed the lesser of: (a) the fees paid by the Controller to the Processor under the Principal Agreement during the twelve (12) months preceding the event giving rise to the claim; or (b) USD $500.
- Exclusion of Damages. In no event shall the Processor be liable for any indirect, incidental, consequential, special, punitive, or exemplary damages, including lost profits, even if advised of the possibility of such damages.
- Indemnity. Subject to the Limitation of Liability (7.1) and Exclusion of Damages (7.2), the Processor shall indemnify and hold harmless the Controller against direct third-party claims arising solely from the Processor’s material breach of this DPA, provided that:
  - The Controller gives the Processor written notice of the claim within thirty (30) days of becoming aware of it, including sufficient details to enable evaluation.
  - The Controller has not contributed to the breach through its actions or omissions.
  - The Processor has the exclusive right to control the defense and any settlement, and the Controller cooperates fully.
- Insurance. The Processor shall maintain commercially reasonable insurance coverage, including cyber insurance, to cover the liabilities specified in this Section 7.
8. Miscellaneous
- Force Majeure. Neither Party shall be liable for any delay or failure to perform its obligations under this DPA (excluding payment obligations) if such delay or failure is caused by events beyond its reasonable control, including but not limited to acts of God, natural disasters, war, terrorism, pandemics, cyber attacks, strikes, or government actions. The affected Party shall notify the other Party in writing of the force majeure event and its expected duration and shall use reasonable efforts to resume performance promptly.
- Controller Cooperation. The Controller shall provide timely instructions and necessary assistance to the Processor; failure to do so shall relieve the Processor of related liabilities.
- Non-Waiver. Failure by either Party to enforce any provision of this DPA shall not constitute a waiver of future enforcement of that or any other provision.
- Entire Agreement. This DPA, together with the Principal Agreement, constitutes the entire understanding between the Parties with respect to data processing and supersedes all prior agreements or understandings, whether written or oral.
- Amendments. Any changes to this DPA must be in writing and signed by both Parties.
- Severability. If any provision of this DPA is held invalid or unenforceable, that provision shall be severed, and the remaining provisions shall remain in full force and effect.
- Governing Law & Jurisdiction. This DPA is governed by the laws of the State of Oregon, USA. Disputes shall be subject to the exclusive jurisdiction of its courts.
Annex 1: Sub-processors
The following Sub-processors are engaged by the Processor to assist in providing the Services:
- Cloudflare, Inc. (United States): CDN, DDoS protection, DNS
- n8n GmbH (Germany): Workflow automation, data integrations
- Mailgun, Inc. (United States): Email delivery and transactional emails
- Supabase, Inc. (United States): Database hosting, authentication, storage, real‑time APIs
- Vercel, Inc. (United States): Deployment platform, edge functions, hosting
- GitHub, Inc. (United States): Source code hosting, CI/CD, repository management
- GoHighLevel, Inc. (United States): Marketing automation, CRM, email/SMS campaigns
- Stripe, Inc. (United States): Payment processing, billing, invoicing
- OpenAI, Inc. (United States): AI services and APIs for natural language processing
- Anthropic PBC (United States): AI models and safety‑focused language model services
- Upstash, Inc. (United States): Database as a service (Redis), caching, serverless storage
- Grafana Labs, Inc. (United States): Monitoring, metrics visualization, observability dashboards
- Together.ai, Inc. (United States): AI‑powered collaborative design and workflow tools
- Google LLC (United States): Cloud infrastructure, hosting, storage, compute services
- PostHog, Ltd. (United Kingdom): Product analytics, event tracking, and user behavior monitoring
Additional Sub-processors may be added by the Processor in accordance with Section 4 of this DPA.