Data Processing Addendum

Last Updated: December 1, 2024

Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of and is subject to the Whispie Terms of Service or other written or electronic agreement between Black Eagle Group LLC ("Whispie", "we", "us", or "our") and you ("Customer", "you", or "your") for the purchase of services (the "Agreement").

This DPA reflects the parties' agreement with regard to the Processing of Personal Data in accordance with the requirements of Data Protection Laws and Regulations.

1. Definitions

For the purposes of this DPA, the following terms shall have the meanings set out below:

Term Definition
Data Protection Laws All applicable data protection and privacy laws including GDPR, UK-GDPR, CCPA/CPRA, KVKK, and other global data protection regulations
Personal Data Any information relating to an identified or identifiable natural person
Processing Any operation performed on Personal Data
Data Controller The entity that determines the purposes and means of Processing
Data Processor The entity that Processes Personal Data on behalf of the Controller
Data Subject The individual to whom Personal Data relates
Subprocessor Third parties engaged by Processor to Process Personal Data

2. Roles and Responsibilities

2.1 Whispie as Data Processor

Whispie acts as a Data Processor when Processing Personal Data on behalf of Customer. Whispie shall:

2.2 Customer as Data Controller

Customer acts as Data Controller and is responsible for:

3. Processing Details

3.1 Subject Matter and Duration

The subject matter of Processing involves baby and family data management services. The duration of Processing corresponds to the term of the Agreement.

3.2 Nature and Purpose

Processing operations include collection, storage, analysis, and sharing of baby development data, health information, and family management data for the purpose of providing Whispie services.

3.3 Categories of Data Subjects

3.4 Types of Personal Data

3.5 Special Categories of Data

The Services involve Processing of special categories of data including:

4. Technical and Organizational Measures

4.1 Security Measures

Whispie implements the following security measures:

Measure Category Implementation
Encryption Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
Access Controls Role-based access, multi-factor authentication, principle of least privilege
Network Security Firewalls, intrusion detection, DDoS protection, regular security assessments
Physical Security Secure data centers, 24/7 monitoring, access logs
Organizational Employee training, confidentiality agreements, security policies

4.2 Data Protection Impact Assessments

Whispie shall provide reasonable assistance to Customer in conducting data protection impact assessments where required by Data Protection Laws.

5. Subprocessing

5.1 Authorized Subprocessors

Customer provides general authorization for Whispie to engage the following Subprocessors:

Subprocessor Service Location DPA in Place
Supabase Database & Authentication United States Yes
Stripe Payment Processing United States Yes
Twilio SMS Verification United States Yes
Resend Email Delivery United States Available upon request
Sentry Error Monitoring United States Yes
Cloudflare DNS & Security Global Yes

5.2 Subprocessor Obligations

Whispie shall:

5.3 Objection Right

Customer may object to Whispie's appointment of new Subprocessors on reasonable grounds relating to data protection. Whispie will work with Customer to address concerns.

6. International Data Transfers

6.1 Transfer Mechanisms

Where Personal Data is transferred outside the EEA, UK, Switzerland, or other jurisdictions with adequacy requirements, Whispie ensures appropriate safeguards are in place:

6.2 Supplementary Measures

Whispie implements supplementary measures including:

7. Data Subject Rights

7.1 Assistance Obligations

Whispie shall, taking into account the nature of Processing, assist Customer by appropriate technical and organizational measures in fulfilling Customer's obligations to respond to Data Subject requests under Data Protection Laws.

7.2 Request Handling

Whispie shall:

8. Security Incident Management

8.1 Incident Notification

Whispie shall notify Customer without undue delay after becoming aware of a Personal Data breach. Notifications shall include:

8.2 Cooperation

Whispie shall cooperate with Customer and take such reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation, and remediation of each such Personal Data breach.

9. Audit Rights

9.1 Audit Procedures

Customer may audit Whispie's compliance with this DPA up to once per year. Audits shall:

9.2 Alternative Evidence

In lieu of an audit, Whispie may provide:

10. Data Return and Deletion

10.1 Return or Deletion

Upon termination of the Agreement, Whispie shall, at Customer's choice, delete or return all Personal Data to Customer, and delete existing copies unless applicable law requires storage of the Personal Data.

10.2 Retention Periods

Personal Data shall be retained only for as long as necessary to provide the Services and in accordance with the retention periods specified in Annex 1.

ANNEX 1: DETAILS OF PROCESSING

A. Categories of Data Subjects

B. Types of Personal Data

Data Category Examples Sensitivity Level
Identity Data Names, birth dates, gender Standard
Contact Data Email, phone numbers, addresses Standard
Health Data Vaccinations, medical conditions, allergies Special Category
Developmental Data Growth metrics, milestones, activities Special Category
Family Data Relationships, permissions, access logs Standard

C. Processing Operations

D. Retention Periods

Data Type Retention Period Legal Basis
Account Data Until account deletion + 6 years Legal obligation
Baby Health Data 18 years from birth Legal obligation, consent
Payment Data 10 years Legal obligation
Analytics Data 2 years (anonymized) Legitimate interest

ANNEX 2: TECHNICAL AND ORGANIZATIONAL MEASURES

A. Physical Access Control

B. System Access Control

C. Data Access Control

D. Organizational Measures

11. Regional Specific Provisions

11.1 European Economic Area

For Personal Data subject to GDPR, the EU Standard Contractual Clauses shall apply and are incorporated by reference.

11.2 United Kingdom

For Personal Data subject to UK-GDPR, the UK International Data Transfer Addendum shall apply.

11.3 Turkey

For Personal Data subject to KVKK, Whispie shall comply with Data Controller obligations under Law No. 6698 and relevant regulations.

11.4 United States - California

For Personal Data subject to CCPA/CPRA, Whispie shall comply with Service Provider obligations and shall not Sell or Share Personal Data.

11.5 Other Regions

Whispie shall comply with data protection laws in all jurisdictions where it operates, including but not limited to:

12. General Provisions

12.1 Order of Precedence

In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail to the extent of the conflict.

12.2 Liability

Each party's liability arising out of or related to this DPA shall be subject to the limitations of liability in the Agreement.

12.3 Governing Law

This DPA shall be governed by the law of the State of Delaware, without regard to its conflict of laws principles.

ACCEPTANCE AND EXECUTION

This Data Processing Addendum is incorporated into and forms part of the Agreement between the parties.

For Whispie (Data Processor):

Black Eagle Group LLC
30 N Gould St Ste N
Sheridan, WY 82801, USA
Email: [email protected]

For Customer (Data Controller):

By using Whispie services, Customer acknowledges and agrees to the terms of this Data Processing Addendum.

Effective Date: December 1, 2024