WEBSOMNIA Juliusz Michajłow
ul. Jana Kazimierza 60/69, 01-248 Warszawa, Poland
NIP: PL5213375525 · REGON: 141680209
Platform: wingman.pm
Effective Date: 2025-12-10
Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between the Data Controller (Customer) and WEBSOMNIA Juliusz Michajłow as Data Processor for the wingman.pm platform services, ensuring compliance with Regulation (EU) 2016/679 (GDPR). This DPA becomes effective upon Customer's acceptance of the Terms of Service or creation of an account on the wingman.pm platform.
§1 Definitions
- Data Controller - the Customer who determines the purposes and means of processing Personal Data.
- Data Processor - WEBSOMNIA Juliusz Michajłow, providing AI-assisted product management services through wingman.pm.
- Personal Data - any information relating to an identified or identifiable natural person as defined in Article 4(1) GDPR.
- GDPR - Regulation (EU) 2016/679 on the protection of personal data.
- Sub-processor - any third party engaged by the Data Processor to process Personal Data on behalf of the Data Controller.
- Data Subject - an identified or identifiable natural person whose Personal Data is processed under this Agreement.
§2 Subject Matter and Scope of Processing
Purpose of Processing: Providing AI-assisted product management services through wingman.pm, including feedback analysis, prioritization, and document generation.
Categories of Personal Data:
- Contact information: names, email addresses, phone numbers
- Business information: company details, job titles, department information
- Feedback data: product feedback, survey responses, communication records
- Usage data: platform interactions, integration configurations, activity logs
- Technical data: IP addresses, browser information, device identifiers
Categories of Data Subjects:
- Controller's employees and authorized users
- Controller's customers and end-users
- Third parties whose feedback is processed through the platform
Processing Operations: Collection, recording, organization, storage, retrieval, use, disclosure, restriction, erasure, and destruction of Personal Data.
Processing Locations: Personal Data may be processed in the EU and the United States. For transfers outside the EU/EEA, safeguards described in §9 apply.
§3 Data Processor Obligations
- Process Personal Data only on documented instructions from the Data Controller, unless required by law.
- Ensure authorized persons are bound by confidentiality and receive appropriate training.
- Implement appropriate technical and organizational measures pursuant to Article 32 GDPR.
- Engage the Sub-processors listed in §5 under the Data Controller's general authorization, and remain liable for their performance.
- Assist the Data Controller in fulfilling obligations to respond to Data Subject requests and comply with GDPR.
- Upon termination, delete or return all Personal Data unless retention is required by law.
§4 Data Security
- Encryption: TLS 1.2+ in transit; AES-256 or equivalent at rest.
- Access Controls: Role-based access controls and least privilege.
- Network Security: Firewalls, intrusion detection, and segmentation.
- Security Assessments: Regular assessments, vulnerability scans, and penetration testing.
- Incident Response: Documented procedures with 24-hour notification for breaches affecting Personal Data.
- Backup and Recovery: Regular backups with tested disaster recovery procedures.
§5 Sub-processors
The Data Controller provides general authorization for the engagement of Sub-processors. For a complete and current list of Sub-processors, including their locations and purposes, please visit: wingman.pm/legal/subprocessors.
The Data Processor shall provide 14 days' written notice of intended changes to Sub-processors. The Data Controller may object within the notice period.
Sub-processors are bound by data protection obligations equivalent to those in this Agreement. Use of Personal Data by AI service providers for model training is governed by provider terms; details at wingman.pm/legal/ai-models.
§6 Data Subject Rights
The Data Processor shall assist the Data Controller in responding to Data Subject requests concerning:
- Right of access (Article 15 GDPR)
- Right to rectification (Article 16 GDPR)
- Right to erasure (Article 17 GDPR)
- Right to restriction of processing (Article 18 GDPR)
- Right to data portability (Article 20 GDPR)
- Right to object (Article 21 GDPR)
Assistance is provided within 7 business days of receiving a request from the Data Controller.
§7 Security Incidents
The Data Processor shall notify the Data Controller within 24 hours (or without undue delay) of becoming aware of any Personal Data breach affecting the Controller's data.
Notification shall include the nature of the breach, affected Data Subjects and records, likely consequences, and measures taken or proposed.
The Data Processor shall cooperate with investigations and provide reasonable assistance in breach response activities.
§8 Audit and Inspection
The Data Controller may conduct audits of the Data Processor's compliance with this Agreement upon 30 days' written notice, typically not more than once per calendar year unless a breach has occurred.
The Data Processor shall provide access to relevant documentation and personnel necessary to demonstrate compliance. Audit participants are bound by confidentiality.
§9 International Data Transfers
Personal Data may be transferred to and processed in the EU/EEA and the United States as necessary for service provision.
For transfers to countries without an adequacy decision, the Data Processor implements Standard Contractual Clauses or other valid transfer mechanisms and additional safeguards.
The Data Processor shall notify the Data Controller of any legally binding request for disclosure of Personal Data by law enforcement authorities.
§10 Liability
Each party's liability for damages caused by processing Personal Data is determined according to Article 82 GDPR.
Where both parties are involved in the same processing operation causing damage, they shall be jointly and severally liable.
Each party shall indemnify the other against claims, damages, and costs arising from that party's breach of this Agreement or applicable data protection laws.
§11 Term and Termination
This Agreement remains in effect for the duration of the service relationship under the Terms of Service.
Upon termination of services, the Data Processor shall delete or return all Personal Data within 30 days unless retention is required by law or a longer period is agreed for data return.
Written certification of data deletion or return is available upon request. Provisions relating to confidentiality, liability, and governing law survive termination.
§12 Final Provisions
This Agreement is governed by Polish law and disputes are subject to the exclusive jurisdiction of Warsaw courts.
Amendments must be made in writing. If any provision is held invalid or unenforceable, the remainder remains in full force.
This Agreement, together with the Terms of Service, constitutes the entire agreement regarding data processing.
Contact Information: WEBSOMNIA Juliusz Michajłow, Data Protection Contact: Juliusz Michajłow, Email: hello@wingman.pm, Address: ul. Jana Kazimierza 60/69, 01-248 Warszawa, Poland.
Effective Date: 2025-12-10 · Last Updated: 2025-12-10