Data Processing Agreement
Last updated: 2026-04-27
This Data Processing Agreement (DPA) supplements the Master Subscription Agreement, Order Form, or other written or electronic agreement between WAVE Online, LLC (Processor) and Customer (Controller) where WAVE processes Personal Data on Customer's behalf.
Documents incorporated
- EU Standard Contractual Clauses (Commission Decision 2021/914) — Module 2 (Controller to Processor)
- UK International Data Transfer Addendum (B.1.0)
- Annex 1: Description of processing
- Annex 2: Technical and organizational measures
- Annex 3: List of subprocessors (see wave.online/subprocessors)
Key terms
- Roles: Customer is the Controller; WAVE is the Processor. Where Customer is itself a Processor, WAVE is the Sub-Processor.
- Subject matter: Provision of WAVE's streaming, API, and ancillary platform services as described in the underlying agreement.
- Duration: Term of the underlying agreement plus the retention periods described in our Privacy Policy.
- Categories of data subjects: Customer's end users, employees, contractors, and contacts as configured by Customer.
- Categories of personal data: Identity (name, email, phone), authentication (hashed credentials, session tokens), profile, content metadata, viewer behavior (engagement events), payment metadata (no PAN), and as further described in the underlying agreement.
- Sensitive data: Processed only where Customer has lawful basis. Health data triggers a separate Business Associate Agreement.
Processor obligations (GDPR Article 28(3))
- Process Personal Data only on Controller's documented instructions
- Ensure persons authorized to process are bound by confidentiality
- Implement appropriate technical and organizational measures (Annex 2)
- Engage Sub-Processors only with Controller's general written authorization (see Subprocessors page) and on terms no less protective than this DPA
- Assist Controller with data subject requests, security incidents, DPIAs, and prior consultations
- Delete or return Personal Data at end of services, subject to retention obligations
- Make available all information necessary to demonstrate compliance, including audit cooperation
International transfers
For transfers from the EEA, UK, or Switzerland to recipients in jurisdictions without an adequacy decision, the parties incorporate the EU Standard Contractual Clauses (Module 2) and, for UK transfers, the UK IDTA. WAVE conducts and updates a Transfer Impact Assessment per Schrems II and the EDPB Recommendations.
CCPA / CPRA — Service Provider terms
For California Personal Information, WAVE acts as a “Service Provider” under the CCPA/CPRA. WAVE will not (i) sell or share Personal Information; (ii) retain, use, or disclose Personal Information outside the direct business relationship or for any purpose other than the specific business purpose of providing the services; or (iii) combine Personal Information received from Customer with information from other sources except as permitted by 11 CCR § 7050(b).
Security incidents
WAVE notifies Customer without undue delay (and in any event within 48 hours of confirmed determination) of any Personal Data breach affecting Customer Personal Data. See our Trust Center for response procedures.
Annex 2 — Technical and organizational measures (summary)
- Encryption: TLS 1.3 in transit; AES-256-GCM at rest
- Authentication: WebAuthn + TOTP MFA available; mandatory for admin roles
- Authorization: RBAC at API layer + Row Level Security at database layer
- Audit logging: append-only, retained per policy in our Privacy Policy
- Backup and DR: daily automated backups + 30-day point-in-time recovery
- Vendor management: SOC 2 Type II or equivalent for all Tier 1 vendors
- Workforce: background checks for personnel with PII access; mandatory annual security training
Counterpart and execution
Customers under an existing Master Subscription Agreement or Order Form may execute this DPA by countersigning the version available from legal@wave.online, or by accepting the DPA via clickwrap during onboarding. No separate signature is required for Customers whose Order Form references this DPA by URL.