Data Processing Agreement
AI Wave's processor commitments under GDPR.
This Data Processing Agreement applies when a customer uses AI Wave to process personal data for its own business purposes and AI Wave acts as a processor on that customer's behalf. It forms part of the contract between the customer and AI Wave for the relevant services.
It covers the subject matter and duration of processing, categories of data and data subjects, customer instructions, AI Wave's security and confidentiality obligations, sub-processors, transfers, deletion, audit cooperation, and breach notification.
For signature workflows or enterprise contracting, contact contact@ai-wave.co.
1. Parties and scope
This DPA is entered into between the Customer identified in the applicable AI Wave subscription, order form, or accepted Terms of Service, acting as controller or, where applicable, processor, and AI WAVE DEV SL, acting as processor or sub-processor, as applicable.
This DPA applies only to the processing of personal data that is subject to the GDPR, the LOPDGDD, or another applicable data protection law and that AI Wave processes on behalf of the Customer in connection with the service.
2. Definitions
The terms "personal data", "data subject", "processing", "controller", "processor", "sub-processor", "supervisory authority", and "personal data breach" have the meanings given to them in the GDPR. "Customer Data" means the personal data processed by AI Wave on behalf of the Customer through the service.
3. Subject matter and duration
The subject matter of the processing is the provision of AI Wave's marketing orchestration service, including strategy generation, content generation, asset workflows, integrations, analytics retrieval, publishing preparation and approved execution, support, and related technical operations.
Processing continues for the duration of the Customer's use of the service and any agreed retention or transition period, after which Customer Data is returned or deleted in accordance with this DPA and applicable law.
4. Nature and purpose of processing
AI Wave may process Customer Data to:
- Host and organize campaigns, prompts, content drafts, and analytics.
- Generate strategy, copy, asset briefs, and reports using AI systems.
- Connect and synchronize third-party marketing, CRM, analytics, and automation tools.
- Prepare or execute customer-approved publishing, email, or advertising actions.
- Store, retrieve, search, secure, back up, and delete workspace data.
- Provide support, troubleshooting, and abuse prevention.
5. Types of personal data
Depending on the Customer's use of the service, Customer Data may include:
- Business contact details such as name, business email, phone number, role, and company.
- Campaign audience data, lists, segmentation rules, and CRM attributes.
- Marketing content that contains personal data, including email copy, landing-page text, ads, comments, and reports.
- Connected-platform identifiers and metadata, such as account IDs, page IDs, campaign IDs, analytics dimensions, and event attributes.
- Usage and activity logs, approval records, and audit metadata linked to identified or identifiable users.
6. Categories of data subjects
- Customer personnel and authorized users.
- Customer prospects, leads, subscribers, and business contacts.
- Contacts or audiences stored in connected CRMs, email tools, and analytics systems.
- Website visitors or end users whose data the Customer chooses to process through connected analytics or campaign tools.
7. Customer instructions
AI Wave will process Customer Data only on documented instructions from the Customer, including instructions reflected in the Customer's configuration, API requests, workspace actions, and use of the service under the contract. AI Wave may refuse instructions that violate applicable law.
8. AI Wave obligations as processor
- Process Customer Data only on documented instructions from the Customer unless required by law.
- Ensure persons authorized to process Customer Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational measures under Article 32 GDPR.
- Assist the Customer with data subject requests where reasonably possible.
- Assist with security incident response, DPIAs, and supervisory authority cooperation where required and reasonably possible.
- Delete or return Customer Data at the end of services, subject to legal retention duties.
- Make available information reasonably necessary to demonstrate compliance with this DPA.
9. Customer obligations as controller
- Determine that its instructions and processing activities are lawful.
- Provide required notices and obtain any consents or other lawful bases needed for Customer Data.
- Use the service in accordance with applicable marketing, advertising, privacy, and platform rules.
- Ensure Customer Data is accurate, relevant, and limited to what is necessary for the intended purpose.
- Review and approve content and external actions before publication or launch.
- Not submit special category data or children's data unless explicitly agreed in writing and supported by a lawful basis.
10. Confidentiality
AI Wave ensures that personnel with access to Customer Data are subject to confidentiality obligations and access limitations appropriate to their role.
11. Security measures
AI Wave's current documented measures include, among others:
- Clerk-based authentication, MFA support, and role-aware session controls.
- Tenant isolation using Supabase row-level security and organization-scoped authorization claims.
- AES-256 encryption for stored integration credentials.
- TLS 1.3 in the current deployment target for data in transit.
- Secret management through Infisical and restricted environment-variable handling.
- Cloudflare WAF, HSTS, rate limiting, and abuse protections.
- Audit logs, observability, vulnerability scanning, and backup controls.
- Human approval gates for high-risk external side effects such as ad spend and bulk sending.
12. Sub-processors
The Customer authorizes AI Wave to use sub-processors needed to operate the service. AI Wave will impose data protection obligations on sub-processors that are materially protective of Customer Data. Some connected platforms may also receive Customer Data directly on the Customer's instruction through the Customer's own account relationship with that platform. Current categories of sub-processors and customer-authorized recipients used by AI Wave, or enabled for particular customer workspaces and features, may include:
| Provider / recipient | Purpose | Typical data involved | Region note |
|---|---|---|---|
| Clerk | Authentication and session management | Account identity and login metadata | May involve international processing |
| Supabase | Database, storage, realtime infrastructure | Workspace, campaign, content, and analytics data | EU-first configuration |
| Vercel | Application hosting and serverless execution | Request and processing metadata | EU-preferred configuration with global delivery layers |
| Cloudflare | CDN, WAF, DNS, edge delivery | IP addresses and request metadata | Global edge network |
| Upstash | Cache, rate limiting, transient state | Cache keys and usage metadata | EU multi-zone target |
| Inngest | Durable execution and scheduling | Workflow state and job metadata | May involve international processing |
| Infisical | Secret management | Service secrets and access controls | EU configuration targeted |
| Stripe | Billing, checkout, invoicing, fraud controls | Billing and payment metadata | May involve international processing |
| Resend | Email delivery | Email content, recipient details, delivery events | May involve international processing |
| OpenAI, Anthropic, Google model services, Voyage AI, Cohere, Fal.ai | Inference, embeddings, reranking, or media generation where configured in the platform stack | Prompts, contextual content, limited output metadata | May involve international processing |
| Composio and connected APIs | OAuth-managed integrations and tool execution | Connection metadata, token references, API call context | May involve international processing |
| LinkedIn, Meta, Google Ads, TikTok, X, YouTube, HubSpot, Salesforce, Mixpanel, SEMrush, Ahrefs, and similar customer-authorized platforms | Execution or retrieval on customer instruction | Customer-authorized campaign, analytics, and account data | Third-party platform regions vary |
| Langfuse, Sentry, Better Stack, PostHog | Observability, error tracking, and analytics where enabled | Trace metadata, logs, and technical diagnostics | May involve international processing |
13. International transfers
Where Customer Data is transferred outside the EEA or another jurisdiction requiring a transfer safeguard, AI Wave will rely on an approved transfer mechanism such as Standard Contractual Clauses, adequacy regulations, or another lawful safeguard, together with supplementary measures appropriate to the risk.
14. Personal data breaches
AI Wave will notify the Customer without undue delay after becoming aware of a confirmed personal data breach affecting Customer Data processed under this DPA. The notice will include available information reasonably necessary for the Customer to meet its own notification duties, taking into account the information AI Wave can reasonably provide at the time.
15. Assistance with data subject requests and compliance
Taking into account the nature of the processing, AI Wave will provide reasonable assistance to help the Customer respond to data subject requests and meet obligations relating to security, impact assessments, and supervisory authority consultation, to the extent required by Articles 28 and 32 to 36 GDPR.
16. Audit and information rights
AI Wave will make available information reasonably necessary to demonstrate compliance with this DPA. Where the Customer has a reasonable and documented basis to believe AI Wave is in material breach of this DPA, the parties may agree on a proportionate audit process, subject to confidentiality, security, scope, and frequency limitations and without unreasonable disruption to AI Wave or other customers.
17. Return and deletion of data
Upon termination of the services, AI Wave will, at the Customer's choice and subject to legal obligations, delete or return Customer Data. AI Wave may retain limited data where required by law, for security logging, or to establish, exercise, or defend legal claims. Backup media may be overwritten in the ordinary rotation cycle, provided retained data remains protected.
18. Liability
Liability under this DPA is subject to the allocation of responsibility and limits set out in the applicable Terms of Service or commercial agreement, except to the extent a mandatory provision of data protection law requires otherwise.
19. Term and termination
This DPA takes effect when Customer Data is first processed by AI Wave on the Customer's behalf and remains in force for as long as AI Wave processes Customer Data under the relevant service contract.
20. Contact
Legal and DPA matters: contact@ai-wave.co
Privacy matters: contact@ai-wave.co