Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the Master Services Agreement (“Agreement”) between us (Twirling Umbrellas Ltd., “Agency”, “we”, “us”, “our”) and you (“Client”, “you”, “your”). It governs the processing of Personal Information by us on your behalf. This DPA is effective as of the Agreement Effective Date and will terminate automatically upon the termination of the Agreement. We may update this DPA from time to time by posting an updated version to this URL.

1. Definitions

  • “Controller,” “Processor,” “Data Subject,” and “Personal Information” shall have the meanings ascribed to them in applicable Data Protection Law.
  • “Data Protection Law” means all applicable privacy and data protection laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA), the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA), as applicable to the Services.
  • “You” are the Controller of the Personal Information.
  • “We” are the Processor of the Personal Information.

2. Processing of Personal Information

2.1. Role of the Parties. We will process Personal Information only on your behalf and in accordance with your documented lawful instructions. The Agreement and any Project Orders shall be your complete and final instructions to us for the processing of Personal Information.

2.2. Purpose. We will process Personal Information solely for the purpose of providing, maintaining, and improving the Services as described in the Agreement. We will not (i) sell or share the Personal Information; or (ii) retain, use, or disclose the Personal Information for any purpose other than the specific purpose of performing the Services.

3. Our Obligations

3.1. Confidentiality. We will ensure that all persons we authorize to process the Personal Information (including our employees, agents, and subcontractors) are bound by a strict duty of confidentiality.

3.2. Security. We will implement and maintain appropriate technical and organizational measures (TOMs) designed to protect the Personal Information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures shall include, but are not limited to:

  • Using SSL (HTTPS) on websites we host or manage.
  • Enforcing strong passwords and, where available, 2-Factor Authentication for systems accessing Personal Information.
  • Keeping server and website software and plugins updated as part of our Maintenance services.
  • Utilizing hosting providers that encrypt data at rest.

3.3. Sub-processors. You provide general authorization for us to engage the third-party sub-processors listed in Section 4 of this DPA. We will ensure that all sub-processors are bound by data protection terms that are no less protective than those in this DPA.

4. Our Sub-processors

At Twirling Umbrellas, we use third-party services (“Sub-processors”) to provide our digital solutions. We have vetted each service for its security and privacy practices and have signed a Data Processing Addendum (DPA) or equivalent agreement with each one. This list outlines who our sub-processors are, what we use them for, and where you can find their privacy information.

Hosting, Infrastructure & Security

These services provide the core infrastructure, networking, and security for hosting client websites, databases, and applications.

  • Service: Pantheon
    • Purpose: Our primary, high-performance hosting platform for client websites.
    • Privacy Policy: Pantheon Privacy Policy
  • Service: Google Cloud Platform (GCP)
    • Purpose: A hosting and infrastructure provider for specific client applications and data.
    • Privacy Policy: Google Cloud Privacy
  • Service: Canadian Web Hosting
    • Purpose: A hosting platform used for select client websites and services.
    • Privacy Policy: CWH Privacy Policy
  • Service: Cloudflare
    • Purpose: Provides a Content Delivery Network (CDN), security (WAF), and DNS services for client websites.
    • Privacy Policy: Cloudflare Privacy Policy
  • Service: GitHub

Platform & Application Services

These services provide key functionality for client websites, such as e-commerce, content management, translation, and communications.

  • Service: Automattic (WooCommerce, Jetpack)
    • Purpose: Provides e-commerce functionality, security, and performance features for WordPress websites.
    • Privacy Policy: Automattic Privacy Policy
  • Service: Twilio SendGrid
    • Purpose: Provides transactional email services (e.g., password resets, form notifications) for client websites.
    • Privacy Policy: Twilio Privacy Policy
  • Service: Weglot / WPML
  • Service: Zapier
    • Purpose: Provides data integration and automation workflows (e.g., connecting forms to spreadsheets).
    • Privacy Policy: Zapier Privacy Policy
  • Service: OpenAI
    • Purpose: Provides artificial intelligence models used for content generation, summarization, or other features related to client projects.
    • Privacy Policy: OpenAI Privacy Policy

Analytics & Measurement

These services are used, at your direction, to collect and analyze data about website visitors.

  • Service: Google Analytics
  • Service: Lytics
    • Purpose: A Customer Data Platform (CDP) used to collect and analyze user data on your behalf.
    • Privacy Policy: Lytics Privacy Policy

Business & Project Management

These services are used for our internal operations, design, project management, and client communication. They may store client contact information, project files, and design assets.

  • Service: Google Workspace (Gmail, Google Drive)
    • Purpose: Our internal email, calendar, and file storage solution for project documents and client communications.
    • Privacy Policy: Google Privacy & Terms
  • Service: Productive.io
    • Purpose: Our primary project management and agency operations software. It contains project details, timelines, and client contact information.
    • Privacy Policy: Productive.io Privacy Policy
  • Service: Figma
    • Purpose: A collaborative design and prototyping tool used to create and review project designs.
    • Privacy Policy: Figma Privacy Policy
  • Service: Markup.io
    • Purpose: A visual collaboration and feedback tool for websites and design mockups.
    • Privacy Policy: Markup.io Privacy Policy

Testing & Quality Assurance

  • Service: BrowserStack
    • Purpose: Provides a cross-browser and device testing platform for client websites and applications.
    • Privacy Policy: BrowserStack Privacy Policy

5. Data Governance

5.1. Data Subject Rights. To the extent that a Data Subject makes a request to us to exercise their rights under Data Protection Law (such as access, correction, or deletion), we will promptly forward such request to you. You are responsible for responding to all such requests.

5.2. Data Breach Notification. In the event of an accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of Personal Information (a “Security Incident”), we will notify you without undue delay upon becoming aware of the incident.

5.3. Data Deletion. Upon termination of the Agreement, we will, at your instruction, securely delete or return all Personal Information to you, unless retention is required by applicable law.

5.4. Audits & Compliance. We agree to provide you with information reasonably necessary (such as our list of security measures) to demonstrate compliance with the obligations of this DPA.