Data Processing Agreement

For business customers whose use of SailWP involves processing personal data on behalf of third parties (e.g. their site visitors or end users). Forms part of the SailWP Terms of Service under GDPR Art. 28.

The short version

If you use SailWP in the course of business and your site processes personal data of third parties (visitors, leads, customers), you are the data controller and SailWP is your processor under GDPR Art. 28. This page is the binding processor agreement.

It describes what we process, how, the security we apply, our sub-processors, our breach-notification commitment, and your audit rights. By using the SailWP Service in a business context you accept this DPA.

1. Parties 2. Scope 3. Instructions 4. Data & data subjects 5. Sub-processors 6. Security 7. Breach notification 8. Assistance to controller 9. Audit rights 10. International transfers 11. Duration & termination 12. Liability 13. Governing law

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

Controller — you, the SailWP customer using the Service in the course of trade, business, or profession;
Processor — SailWP, a product of 31 Ventures (a sole proprietorship registered in the Netherlands; KvK 81019556; BTW NL003518091B91; owner: Joost Boer; address available on request from KvK; contact: [email protected]).

This DPA forms an integral part of the Terms of Service. In case of conflict between this DPA and the Terms of Service regarding processing of personal data, this DPA prevails.

Once SailWP transfers operations to a holding/BV (in formation), this DPA will be assigned to that entity in accordance with Section 16.4 of the Terms of Service. The processor obligations under GDPR Art. 28 will continue without interruption.

2. Scope & subject matter

This DPA applies to processing of personal data by SailWP on behalf of the Controller in connection with the Service (theme, plugin, cloud dashboard, AI Co-pilot, sailwp.com, app.sailwp.com).

It does not apply to processing where SailWP acts as a controller in its own right (e.g. account-holder data covered by the Privacy Policy).

3. Processing instructions

SailWP will process personal data only on the documented instructions of the Controller, except where required to do so by EU or Member-State law. The instructions are:

Documented in this DPA;
Documented in the Terms of Service;
Issued via the configuration and use of the Service interfaces (e.g. plugin settings, dashboard actions, API requests).

If SailWP believes an instruction violates GDPR or other applicable data-protection law, we will notify the Controller without undue delay.

4. Categories of data & data subjects

4.1 Subject matter and nature of processing

Storage, transmission, AI-assisted analysis and editing of WordPress page content; transactional emailing; backup; sub-processor hand-off (e.g. to AI providers).

4.2 Duration

For the duration of the Service contract plus retention periods set out in the Privacy Policy.

4.3 Categories of data subjects

Controller's employees and team members invited to the workspace;
Visitors of Controller's WordPress site whose personal data appears in pages the Controller asks the AI to edit (rare; only when Controller's content includes such data);
End users (customers, leads, members) of Controller's site, where Controller's content includes their data.

4.4 Categories of personal data

Identification data: name, email address, license key;
Page content: any personal data the Controller chooses to include in pages submitted to the AI (e.g. testimonials, member lists, contact details);
Communication data: chat messages with the AI;
Technical data: IP address (for security), site URL, theme/plugin/WordPress version.

4.5 Special-category data

Controller agrees not to upload, paste, or otherwise transmit special-category data (Art. 9 GDPR — health, political opinions, biometric, religious beliefs, sexual orientation, etc.) through the Service. SailWP is not configured to process such categories with the elevated safeguards required by Art. 9.

5. Sub-processors

The Controller authorises SailWP to engage the following sub-processors in connection with the Service:

Sub-processor	Purpose	Location
Anthropic, PBC	AI model inference	USA
Stripe Payments Europe Ltd.	Payment, invoicing, VAT	Ireland (EEA) + USA
Resend, Inc.	Transactional email	USA
mijn.host (Hostnet B.V.)	VPS hosting (database + servers)	Netherlands (EEA)
Cloudflare, Inc.	DNS, edge proxy, DDoS protection	USA HQ / global edge
Google LLC (Nano Banana Pro)	AI image generation	USA

SailWP has data-processing agreements in place with each sub-processor that incorporate GDPR Art. 28 obligations and, where applicable, the EU Standard Contractual Clauses for international transfers.

New sub-processors: SailWP will publish a notice on this page at least 30 days before adding or replacing a sub-processor that processes personal data. The Controller may object to the change within 30 days of the notice. If a reasonable objection cannot be resolved, the Controller may terminate the affected portion of the Service with prorated refund of any unused prepaid period.

6. Technical and organisational measures

SailWP implements appropriate measures pursuant to GDPR Art. 32, including:

Encryption — TLS 1.2+ for all data in transit; encryption at rest for backups (AES-256).
Authentication — magic-link sign-in (no passwords stored); HMAC-signed session tokens (HS256, 256-bit secret); SSH key-only access to the VPS.
Access control — least-privilege OS users; per-workspace data isolation in the database; license-key + workspace-scoped REST API auth.
Cookies — HTTP-only, Secure, SameSite=Lax for session cookies.
Resilience — encrypted nightly database snapshots retained 14 days; PM2 process supervision; Cloudflare DDoS protection.
Logging & monitoring — structured access logs retained ≤30 days; Stripe webhook signature verification; rate-limiting on AI endpoints.
Confidentiality — all personnel with access to personal data are bound by written confidentiality obligations (currently: sole proprietor, no employees).
Incident response — internal procedure for detection, containment, and notification of personal-data breaches (see Section 7).

Measures are reviewed periodically and updated to reflect best practices and the state of the art at proportionate cost.

7. Personal-data breach notification

If SailWP becomes aware of a personal-data breach affecting Controller data, SailWP will:

Notify the Controller without undue delay and in any event within 72 hours of becoming aware, by email to the Controller's account email;
Provide, to the extent then known: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach (Art. 33(3) GDPR);
Update the Controller as more information becomes available;
Cooperate reasonably with the Controller in fulfilling the Controller's notification obligations to the supervisory authority and to data subjects.

The notification by SailWP does not constitute an admission of fault or liability.

8. Assistance to the Controller

Taking into account the nature of processing and the information available, SailWP will assist the Controller in fulfilling obligations under GDPR Art. 32–36 and in responding to data-subject requests (Art. 12–22).

Data-subject requests: SailWP will forward requests received directly from data subjects to the Controller without responding substantively, unless legally obligated otherwise. Where the Controller asks SailWP to assist with access, rectification, erasure, restriction, portability, or objection, SailWP will provide reasonable assistance through the Service interfaces or, where not available, on request.
DPIA: on request, SailWP will provide reasonable information necessary for the Controller to perform a Data-Protection Impact Assessment regarding the use of the Service.
Costs: SailWP may charge reasonable costs for assistance that goes substantially beyond the Service's standard interfaces.

9. Audit rights

To enable the Controller to verify compliance with this DPA, SailWP will:

Make available all information necessary to demonstrate compliance with Art. 28 GDPR;
Allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

The Controller will give SailWP at least 30 days' prior written notice of an audit, except in the case of a confirmed breach. Audits will take place during normal business hours, will not unreasonably interfere with SailWP's operations, will be conducted under reasonable confidentiality obligations, and will not exceed once per calendar year unless required by law or following a confirmed breach.

The Controller bears its own audit costs and SailWP's reasonable costs for participation. SailWP may offer to satisfy audit obligations by providing third-party audit reports, security questionnaires, or written attestations where these reasonably address the Controller's audit objectives.

10. International transfers

Where personal data is transferred to a country outside the EEA that does not benefit from an adequacy decision under Art. 45 GDPR, SailWP and the relevant sub-processor have entered into the EU Standard Contractual Clauses per Commission Implementing Decision 2021/914, including the supplementary measures (where applicable) required by the Schrems II ruling and EDPB Recommendations 01/2020.

For transfers to the United States, SailWP relies on the SCCs as the primary transfer mechanism. Where the recipient has self-certified under the EU-U.S. Data Privacy Framework (Art. 45 adequacy decision of 10 July 2023), SailWP relies on that framework as an additional safeguard.

The Controller mandates SailWP to enter into the SCCs on the Controller's behalf with sub-processors as needed to enable lawful transfers.

11. Duration, return & deletion

This DPA enters into force when the Controller starts using the Service in a business context and remains in force for the duration of the Service contract.

On termination of the Service contract, SailWP will, at the Controller's choice:

Return all personal data processed on the Controller's behalf in a structured, commonly used, machine-readable format; or
Delete all personal data processed on the Controller's behalf within 30 days of termination,

except where retention is required by Union or Member-State law (e.g. tax records under Dutch law). Sub-processor data is deleted in accordance with the sub-processor's own retention schedule, set out in their respective DPAs.

Backups containing personal data are deleted on the rolling 14-day backup cycle following termination.

12. Liability

The liability cap and exclusions of damages set out in Sections 10 and 11 of the Terms of Service apply to claims arising under this DPA, except to the extent that such limitations are not permitted under Art. 82 GDPR.

Each party is responsible for paying any administrative fine imposed on it by a supervisory authority, unless and to the extent the fine results from the other party's breach of this DPA, in which case the other party indemnifies the affected party for the fine, subject to the cap referenced above.

13. Governing law & jurisdiction

This DPA is governed by the laws of the Netherlands. Disputes are subject to the exclusive jurisdiction of the competent court in Rotterdam, the Netherlands, except where mandatory consumer or data-protection rules give a party a different right.

Last updated: 30 April 2026 · Version 1.0 · Operated by 31 Ventures (KvK 81019556) · Privacy · Terms