Data Processing Agreement
Effective date: February 27, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between Wolfgang Solutions, LLC ("Processor," "we," "us," or "our") and you ("Controller," "Customer," or "you") and governs the processing of personal data by the Processor on behalf of the Controller in connection with the allmymeetings service ("Service").
This DPA applies to the extent that the Processor processes personal data on behalf of the Controller that is subject to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), the Swiss Federal Act on Data Protection ("FADP"), or other applicable data protection laws that require a data processing agreement.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that the Processor processes on behalf of the Controller in connection with the Service.
- "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
- "Sub-Processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- "Standard Contractual Clauses" ("SCCs") means the standard contractual clauses for the transfer of personal data approved by the European Commission.
2. Scope and Purpose of Processing
2.1 Subject Matter
The Processor processes Personal Data to provide the Service as described in the Agreement, including calendar synchronization, scheduling page functionality, AI scheduling assistance, and related features.
2.2 Categories of Data Subjects
- Controller's employees and representatives who use the Service
- Individuals whose calendar events are synchronized through the Service (attendees, organizers)
- Individuals who book meetings through the Controller's scheduling pages (invitees)
- Individuals who participate in email conversations processed by the AI scheduling assistant
2.3 Types of Personal Data
- Names and email addresses
- Calendar event data (titles, descriptions, locations, times, attendees)
- Scheduling booking data (invitee name, email, notes, selected times)
- Email content and conversation data (AI assistant)
- Account credentials and OAuth tokens (encrypted)
2.4 Duration
Processing continues for the duration of the Agreement. Upon termination, the Processor will delete or return Personal Data in accordance with Section 10.
3. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, including with respect to transfers of Personal Data outside the EEA, UK, or Switzerland, unless required to do so by applicable law.
- Ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 7.
- Not engage a Sub-Processor without meeting the conditions set out in Section 5.
- Assist the Controller in fulfilling its obligations to respond to Data Subject requests, as described in Section 6.
- Assist the Controller in ensuring compliance with its obligations related to security, breach notification, data protection impact assessments, and prior consultation.
- At the Controller's choice, delete or return all Personal Data upon termination of the Agreement, and delete existing copies unless storage is required by applicable law.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA.
4. Controller Obligations
The Controller shall:
- Ensure that it has a lawful basis for the processing of Personal Data and has provided appropriate notices to Data Subjects.
- Provide documented processing instructions to the Processor.
- Ensure compliance with applicable data protection laws regarding the Personal Data it provides to the Processor.
5. Sub-Processors
5.1 Authorized Sub-Processors
The Controller provides general written authorization for the Processor to engage the following Sub-Processors:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Google LLC | Calendar synchronization (Google Calendar API), website analytics (Google Analytics), advertising measurement (Google Ads) | United States |
| Microsoft Corporation | Calendar synchronization (Microsoft Graph API) | United States |
| Apple Inc. | Calendar synchronization (iCloud CalDAV) | United States |
| Stripe, Inc. | Payment processing and subscription management | United States |
| OpenAI, L.L.C. | AI scheduling assistant (natural language processing) | United States |
| PostHog, Inc. | Product analytics (server-side event tracking) | United States |
5.2 New Sub-Processors
The Processor will notify the Controller at least 30 days before engaging a new Sub-Processor by updating this page and notifying affected Customers by email. The Controller may object to the new Sub-Processor by notifying the Processor within 14 days of receiving notice. If the Processor cannot reasonably accommodate the objection, either party may terminate the affected portion of the Service.
5.3 Sub-Processor Obligations
The Processor shall impose data protection obligations on each Sub-Processor that are no less protective than those set out in this DPA. The Processor remains fully liable to the Controller for the performance of each Sub-Processor's obligations.
6. Data Subject Rights
The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures in fulfilling the Controller's obligation to respond to requests from Data Subjects exercising their rights under applicable data protection laws, including rights of access, rectification, erasure, restriction, portability, and objection.
If the Processor receives a request from a Data Subject directly, it will promptly notify the Controller and will not respond to the request without the Controller's instructions, unless legally required to do so.
7. Security Measures
The Processor implements and maintains the following technical and organizational security measures:
- Encryption at rest — OAuth tokens, calendar account credentials, and two-factor authentication secrets are encrypted using AES-256.
- Encryption in transit — all data transmitted between the Service, users, and third-party APIs is encrypted using TLS 1.2 or higher.
- Password security — user passwords are hashed using bcrypt and are never stored in plaintext.
- Access control — database access is restricted to authorized application processes. Administrative access requires multi-factor authentication.
- Session management — database-backed sessions with automatic expiration and HTTP-only, secure cookies.
- CSRF protection — all state-changing requests are protected against cross-site request forgery.
- Monitoring — server-side logging and analytics to detect anomalous activity.
- Backups — regular automated database backups with encryption.
8. Personal Data Breach Notification
In the event of a Personal Data Breach, the Processor shall:
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach.
- Provide the Controller with sufficient information to enable it to meet any obligations to report or inform Data Subjects of the breach under applicable data protection laws.
- Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
The notification shall include, to the extent known:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate its effects
- The name and contact details of a contact point for further information
9. Audits
The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
Audits shall be conducted with reasonable prior written notice (at least 30 days), during normal business hours, and in a manner that minimizes disruption to the Processor's operations. The Controller shall bear the costs of any audit it initiates. Audits shall not occur more than once per 12-month period unless required by a supervisory authority or following a Personal Data Breach.
10. Term and Termination
This DPA takes effect on the date you accept the Terms of Service and remains in effect for the duration of the Agreement.
Upon termination of the Agreement:
- The Processor shall, at the Controller's choice, delete or return all Personal Data within 30 days, except to the extent that applicable law requires continued storage.
- The Processor shall provide written confirmation of deletion upon the Controller's request.
- Sections of this DPA that by their nature should survive termination (including confidentiality, liability, and audit provisions) shall continue in effect.
11. International Data Transfers
To the extent that the processing of Personal Data involves a transfer from the EEA, UK, or Switzerland to a country that has not received an adequacy decision, the parties agree to enter into the Standard Contractual Clauses (Module Two: Controller to Processor) as approved by the European Commission, which are hereby incorporated by reference.
For transfers subject to the UK GDPR, the UK International Data Transfer Addendum to the EU SCCs shall apply. For transfers subject to the Swiss FADP, the SCCs shall apply with the modifications required by Swiss law.
12. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Agreement. This DPA does not limit either party's liability for claims by Data Subjects or supervisory authorities to the extent that such limitation is not permitted by applicable data protection law.
13. Conflict
In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.
14. Contact Us
For questions about this Data Processing Agreement, please contact us at:
Wolfgang Solutions, LLC
Attn: Data Protection
Email: [email protected]