Last updated: June 4, 2026 — Version: 1.0
This Data Processing Agreement is a schedule to the Master Services Agreement (MSA) and applies when The Web Cooperative processes personal data on behalf of the Client in the course of providing services.
1. Definitions
| Term | Meaning |
|---|---|
| Personal data | Any information relating to an identified or identifiable natural person |
| Processing | Any operation performed on personal data (collection, storage, use, deletion) |
| Data controller | The entity that determines the purposes and means of processing personal data |
| Data processor | The entity that processes personal data on behalf of the controller |
| Sub-processor | A third party engaged by the processor to assist in processing |
The Client is the data controller. The Web Cooperative is the data processor.
2. Scope
This DPA applies when the Provider processes personal data on behalf of the Client in connection with services including but not limited to:
- Managing the Client's Google Business Profile (customer reviews, business information)
- Setting up or managing the Client's CRM or lead tracking systems
- Building or maintaining the Client's website (if it collects customer data)
- Managing email marketing or customer communication lists
- Configuring analytics or tracking tools for the Client
- Any other service where we handle your customers' or clients' personal data
This DPA does not apply to data the Client provides about their own business (company name, address, contact information) — that is covered by the MSA's confidentiality terms.
3. Data Processing Details
| Field | Detail |
|---|---|
| Categories of data subjects | Client's customers, leads, website visitors, or clients |
| Types of personal data | Name, email address, phone number, business name, communication history, and any other data the Client chooses to share with us for service delivery |
| Processing purposes | Providing the services described in the applicable Service Agreement (SEO, ad management, CRM setup, website maintenance, marketing automation) |
| Processing duration | The term of the applicable Service Agreement, plus up to 90 days for orderly transition or deletion |
4. Obligations of the Client (Controller)
The Client agrees to:
- Ensure lawful basis — The Client is responsible for having a legal basis (consent, legitimate interest, contract necessity) for collecting the personal data they share with us.
- Provide clear notice — The Client must have a privacy policy that informs their customers/subjects about data collection and processing.
- Respond to data subject requests — The Client is responsible for responding to access, deletion, or correction requests from their customers.
- Not share unnecessary data — The Client should only share personal data that is necessary for the services.
5. Obligations of the Provider (Processor)
The Provider agrees to:
- Process only as instructed — We will only process personal data as documented in this DPA or as instructed by the Client in writing.
- Maintain confidentiality — We will ensure any personnel processing personal data are bound by confidentiality obligations.
- Implement security measures — We maintain appropriate technical and organizational security measures (see Section 7).
- Assist with data subject rights — We will assist the Client in responding to data subject access, correction, deletion, and portability requests.
- Notify of breaches — We will notify the Client within 48 hours of becoming aware of a personal data breach affecting the Client's data.
- Delete or return data — Upon termination, we will delete or return personal data as instructed by the Client.
6. Sub-Processors
The Provider may engage sub-processors to assist in delivering services. Current sub-processors:
| Sub-Processor | Service | Jurisdiction |
|---|---|---|
| Coolify | Website hosting (self-hosted) | USA |
| moose.mxrouting.net | Email communications | USA |
| Google (Analytics) | Website analytics | USA |
| EspoCRM | Customer relationship management (self-hosted) | USA |
| DeepSeek | AI/LLM-powered tools | China |
The Client authorizes the use of these sub-processors. The Provider will:
- Notify the Client 30 days before adding or replacing a sub-processor
- Enter into written agreements with sub-processors that impose data protection obligations at least equivalent to those in this DPA
- Remain fully liable for sub-processor compliance
7. Security Measures
The Provider maintains the following technical and organizational security measures:
Technical Measures
- Encryption — All data in transit is encrypted via TLS/HTTPS. Data at rest is encrypted using industry-standard encryption.
- Access control — Access to client data is limited to authorized personnel on a need-to-know basis.
- Authentication — Strong passwords, two-factor authentication, and single sign-on where available.
- Backups — Regular automated backups with encrypted storage.
- Monitoring — Basic intrusion detection and system monitoring.
Organizational Measures
- Personnel training — Team members are trained on data handling and privacy practices.
- Access reviews — Access permissions are reviewed quarterly.
- Incident response — Documented breach notification and incident response procedures.
8. Data Transfers
If personal data is transferred to a jurisdiction outside the European Economic Area (EEA) or the United Kingdom, the Provider will ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses (SCCs) adopted by the European Commission, or
- An adequacy decision by the applicable regulatory authority
9. Liability
The liability of each party under this DPA is subject to the limitations set forth in the MSA (Section 7 — Limitation of Liability). Each party's liability for claims arising under this DPA shall be limited as set forth in the MSA.
10. Term & Termination
This DPA takes effect when the Client signs the MSA or any Service Agreement and continues until:
- The MSA is terminated, and all personal data has been returned or deleted, or
- The parties mutually agree to replace or terminate this DPA