Ooky

Data Processing Agreement

The contractual terms under which CloudWeld LLC processes personal data on behalf of customers as a processor under GDPR, UK GDPR, and comparable laws.

Last updated: 2026-04-24
Need a signed DPA? This page is the public version of our DPA. For a countersigned PDF, email hello@ooky.ai with your legal entity name and jurisdiction. We return executed copies within 3 business days.

1. Parties and application

This Data Processing Agreement ("DPA") forms part of the Terms of Service between CloudWeld LLC ("Processor") and the customer entity that accepted the Terms ("Controller"). It applies whenever Processor processes Personal Data on behalf of Controller.

In the event of conflict between this DPA and the Terms on a matter of data protection, this DPA prevails.

2. Definitions

Capitalized terms not defined here have the meaning given in the GDPR (Regulation (EU) 2016/679) or the UK GDPR. "Personal Data", "Processing", "Controller", "Processor", "Sub-processor", "Data Subject", and "Supervisory Authority" are used as defined there.

"Services" means the Ooky platform and related offerings as described in the Terms.

3. Scope and roles

Controller determines the purposes and means of Processing and instructs Processor to Process Personal Data solely to deliver the Services. Controller's documented instructions are set out in the Terms, the product configuration, and this DPA (including Annex I).

Processor acts only on Controller's documented instructions and will promptly inform Controller if an instruction, in Processor's view, violates applicable data-protection law.

4. Processor obligations

Processor will:

  • Process Personal Data only to deliver the Services, comply with law, or follow Controller's written instructions.
  • Ensure personnel with access to Personal Data are bound by confidentiality obligations.
  • Implement the technical and organizational measures set out in Annex II.
  • Assist Controller, at Controller's cost for work beyond what is built into the Services, in meeting its obligations under Articles 32–36 GDPR.
  • Make available information reasonably necessary to demonstrate compliance with this DPA.

5. Sub-processors

Controller grants a general authorization for Processor to engage sub-processors listed in /subprocessors and Annex III. Processor will:

  • Impose on each sub-processor data-protection obligations no less protective than those in this DPA.
  • Give Controller at least 30 days' prior notice of any proposed change to the sub-processor list.
  • Give Controller a right to object on reasonable data-protection grounds. If the parties cannot agree a resolution, Controller may terminate the affected Services for convenience.
  • Remain liable to Controller for the performance of each sub-processor's obligations under this DPA.

6. International transfers

Where Processing of EEA, UK, or Swiss Personal Data involves a transfer to a country not covered by an adequacy decision, the parties rely on:

  • The EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two (controller → processor) or Module Three (processor → sub-processor), as applicable, which are hereby incorporated by reference.
  • The UK International Data Transfer Addendum (version B1.0) for UK personal data.
  • The EU-US Data Privacy Framework where Processor or a sub-processor is self-certified under it.

7. Security

Processor maintains the technical and organizational measures described in Annex II. These measures are subject to improvement over time; Processor will not materially decrease their overall level of protection.

8. Data subject rights

Processor provides tools within the Services to let Controller fulfill Data Subject requests for access, rectification, erasure, restriction, portability, and objection. Where a Data Subject contacts Processor directly, Processor will promptly refer them to Controller unless otherwise legally required.

9. Incident response

Processor will notify Controller without undue delay, and in any case within 72 hours of becoming aware, of any Personal Data Breach involving Controller's Personal Data. Notification will include the information reasonably available at the time and will be updated as the investigation progresses.

10. Audit rights

Processor will make available to Controller:

  • Current security certifications and reports (e.g. SOC 2 Type II when available) under NDA.
  • Responses to reasonable written security questionnaires, no more than once per year.
  • Support for on-site audits, at Controller's expense, on at least 30 days' notice and subject to confidentiality and operational-security controls. For Controllers that are themselves processors, a shared audit may be coordinated.

11. Termination — return or deletion

On termination of the Services, Processor will, at Controller's option, delete or return all Personal Data within 90 days, unless retention is required by applicable law. Backups are purged on their natural cycle.

12. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations of liability set out in the Terms. Nothing in this DPA limits either party's liability to Data Subjects under applicable data-protection law.


Annex I — Details of processing

A. List of parties

Data exporter (Controller): the customer entity as set out in its Ooky account.
Data importer (Processor): CloudWeld LLC, acting through its service Ooky.

B. Description of the transfer

  • Categories of data subjects: Controller's employees, customers, users, and visitors to Controller's public web properties.
  • Categories of personal data: account identifiers (name, email), organization membership, crawl data from public pages, and bot-session metadata (user agent, hashed IP prefix, timestamp, path served).
  • Special categories: none processed, unless voluntarily submitted by Controller inside its own content.
  • Frequency: continuous, for the duration of the Services.
  • Nature and purpose of Processing: hosting, serving structured brand intelligence to AI crawlers, generating analytics, and providing the Services.
  • Retention: as described in the Privacy Policy.

C. Competent supervisory authority

For EEA Controllers, the supervisory authority of the Member State in which Controller is established. For UK Controllers, the Information Commissioner's Office (ICO).

Annex II — Technical and organizational security measures

Access control

  • SSO + MFA required for all production access.
  • Least-privilege role-based access, reviewed quarterly.
  • All administrative actions logged and retained for at least 12 months.

Encryption

  • TLS 1.2+ for all data in transit.
  • Data at rest encrypted with provider-managed keys (GCP CMEK, Cloudflare R2 SSE).
  • Payment data never stored by Processor — tokenized via Stripe.

Application security

  • Dependency scanning and SCA on every build.
  • SAST / code review required before merge to main.
  • WAF and bot protection (Cloudflare) in front of all public endpoints.
  • Form abuse protection via Cloudflare Turnstile.

Operational security

  • Centralized logging and alerting on anomalous patterns.
  • Documented incident-response playbooks with 72-hour customer notification target.
  • Regular backup and restore testing of critical data stores.

People

  • Background checks for employees handling production data.
  • Mandatory annual security and privacy training.
  • Confidentiality obligations in every employee and contractor agreement.

Annex III — Authorized sub-processors

The authorized sub-processors at the date of this DPA are listed at ooky.ai/subprocessors. That page is the authoritative, continuously updated list.

© 2026 CloudWeld LLC. Ooky is a product of CloudWeld.