Last Updated: December 1, 2024
This Data Processing Addendum ("DPA") forms part of and is subject to the Whispie Terms of Service or other written or electronic agreement between Black Eagle Group LLC ("Whispie", "we", "us", or "our") and you ("Customer", "you", or "your") for the purchase of services (the "Agreement").
This DPA reflects the parties' agreement with regard to the Processing of Personal Data in accordance with the requirements of Data Protection Laws and Regulations.
For the purposes of this DPA, the following terms shall have the meanings set out below:
| Term | Definition |
|---|---|
| Data Protection Laws | All applicable data protection and privacy laws including GDPR, UK-GDPR, CCPA/CPRA, KVKK, and other global data protection regulations |
| Personal Data | Any information relating to an identified or identifiable natural person |
| Processing | Any operation performed on Personal Data |
| Data Controller | The entity that determines the purposes and means of Processing |
| Data Processor | The entity that Processes Personal Data on behalf of the Controller |
| Data Subject | The individual to whom Personal Data relates |
| Subprocessor | Third parties engaged by Processor to Process Personal Data |
Whispie acts as a Data Processor when Processing Personal Data on behalf of Customer. Whispie shall:
Customer acts as Data Controller and is responsible for:
The subject matter of Processing involves baby and family data management services. The duration of Processing corresponds to the term of the Agreement.
Processing operations include collection, storage, analysis, and sharing of baby development data, health information, and family management data for the purpose of providing Whispie services.
The Services involve Processing of special categories of data including:
Whispie implements the following security measures:
| Measure Category | Implementation |
|---|---|
| Encryption | Data encrypted in transit (TLS 1.2+) and at rest (AES-256) |
| Access Controls | Role-based access, multi-factor authentication, principle of least privilege |
| Network Security | Firewalls, intrusion detection, DDoS protection, regular security assessments |
| Physical Security | Secure data centers, 24/7 monitoring, access logs |
| Organizational | Employee training, confidentiality agreements, security policies |
Whispie shall provide reasonable assistance to Customer in conducting data protection impact assessments where required by Data Protection Laws.
Customer provides general authorization for Whispie to engage the following Subprocessors:
| Subprocessor | Service | Location | DPA in Place |
|---|---|---|---|
| Supabase | Database & Authentication | United States | Yes |
| Stripe | Payment Processing | United States | Yes |
| Twilio | SMS Verification | United States | Yes |
| Resend | Email Delivery | United States | Available upon request |
| Sentry | Error Monitoring | United States | Yes |
| Cloudflare | DNS & Security | Global | Yes |
Whispie shall:
Customer may object to Whispie's appointment of new Subprocessors on reasonable grounds relating to data protection. Whispie will work with Customer to address concerns.
Where Personal Data is transferred outside the EEA, UK, Switzerland, or other jurisdictions with adequacy requirements, Whispie ensures appropriate safeguards are in place:
Whispie implements supplementary measures including:
Whispie shall, taking into account the nature of Processing, assist Customer by appropriate technical and organizational measures in fulfilling Customer's obligations to respond to Data Subject requests under Data Protection Laws.
Whispie shall:
Whispie shall notify Customer without undue delay after becoming aware of a Personal Data breach. Notifications shall include:
Whispie shall cooperate with Customer and take such reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation, and remediation of each such Personal Data breach.
Customer may audit Whispie's compliance with this DPA up to once per year. Audits shall:
In lieu of an audit, Whispie may provide:
Upon termination of the Agreement, Whispie shall, at Customer's choice, delete or return all Personal Data to Customer, and delete existing copies unless applicable law requires storage of the Personal Data.
Personal Data shall be retained only for as long as necessary to provide the Services and in accordance with the retention periods specified in Annex 1.
| Data Category | Examples | Sensitivity Level |
|---|---|---|
| Identity Data | Names, birth dates, gender | Standard |
| Contact Data | Email, phone numbers, addresses | Standard |
| Health Data | Vaccinations, medical conditions, allergies | Special Category |
| Developmental Data | Growth metrics, milestones, activities | Special Category |
| Family Data | Relationships, permissions, access logs | Standard |
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Account Data | Until account deletion + 6 years | Legal obligation |
| Baby Health Data | 18 years from birth | Legal obligation, consent |
| Payment Data | 10 years | Legal obligation |
| Analytics Data | 2 years (anonymized) | Legitimate interest |
For Personal Data subject to GDPR, the EU Standard Contractual Clauses shall apply and are incorporated by reference.
For Personal Data subject to UK-GDPR, the UK International Data Transfer Addendum shall apply.
For Personal Data subject to KVKK, Whispie shall comply with Data Controller obligations under Law No. 6698 and relevant regulations.
For Personal Data subject to CCPA/CPRA, Whispie shall comply with Service Provider obligations and shall not Sell or Share Personal Data.
Whispie shall comply with data protection laws in all jurisdictions where it operates, including but not limited to:
In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail to the extent of the conflict.
Each party's liability arising out of or related to this DPA shall be subject to the limitations of liability in the Agreement.
This DPA shall be governed by the law of the State of Delaware, without regard to its conflict of laws principles.
This Data Processing Addendum is incorporated into and forms part of the Agreement between the parties.
For Whispie (Data Processor):
Black Eagle Group LLC
30 N Gould St Ste N
Sheridan, WY 82801, USA
Email: [email protected]
For Customer (Data Controller):
By using Whispie services, Customer acknowledges and agrees to the terms of this Data Processing Addendum.
Effective Date: December 1, 2024