Data Processing Agreement
Last updated on March 13, 2026
Introduction
This Data Processing Agreement ("Agreement" or "DPA") is entered into between the subscriber of woku's services ("Client", "You") and woku SpA ("woku", "Data Processor"), and governs the processing of personal data that woku performs on behalf of the Client in the context of the contracted services.
This Agreement complies with Law No. 19,628 of Chile, Regulation (EU) 2016/679 (GDPR), and other applicable data protection regulations. In the event of a conflict between this Agreement and the main services contract (including woku's Terms and Conditions), the provisions of this DPA shall prevail on matters of data protection.
1. Definitions
"Personal Data": any information that identifies or allows the identification of a natural person.
"Processing": any operation performed on Personal Data (collection, storage, use, transmission, deletion, among others).
"Data Controller": the Client, who determines the purposes and means of the processing of Personal Data.
"Data Processor": woku, who processes Personal Data on behalf of the Client.
"Sub-processor": a third party engaged by woku to carry out processing activities on behalf of the Client.
"Security Breach": incident causing unauthorized access, loss, alteration, or destruction of Personal Data.
"Package" and "Validity": shall have the meaning assigned in woku's Terms and Conditions.
2. Subject Matter and Scope of Processing
woku will process the Personal Data that the Client makes available exclusively to provide the contracted services. The processing will include:
- Categories of data: names, email addresses, phone numbers, ratings, comments, form responses, and any other personal data that the Client uploads or generates through the woku platform.
- Categories of data subjects: the Client's end customers, employees, or collaborators of the Client designated as Users of the platform.
- Processing purposes: provision of the services of collection, analysis, and visualization of customer feedback, as well as sending notifications and communications enabled by the Client, according to the contracted Package.
- Duration: during the Validity of the contracted Package(s) and while the Client maintains active Credits, or according to the Client's documented instructions.
woku will not process Personal Data for any purpose other than the Client's documented instructions, except when required by law.
3. Obligations of woku as Data Processor
woku commits to:
a) Process Personal Data solely according to the Client's documented instructions.
b) Inform the Client if it considers that any instruction violates applicable regulations.
c) Ensure that persons authorized to process Personal Data are subject to confidentiality obligations.
d) Implement the security measures described in Section 6.
e) Assist the Client in fulfilling their obligations to data subjects (access, rectification, deletion, portability, restriction, and objection).
f) Assist the Client in carrying out Data Protection Impact Assessments (DPIA) when applicable.
g) Notify the Client of any Security Breach within the timeframes established in Section 7.
h) At the Client's choice, delete or return all Personal Data at the end of the contract, in accordance with Section 11.
4. Client Instructions
The Client is the Data Controller and determines the purposes and means of the processing of Personal Data. This Agreement, together with the services contract and the configurations applied on the platform, constitute the Client's documented instructions. Any additional instructions must be provided in writing; email is accepted as a valid medium.
5. Sub-processors
5.1 General authorization
The Client authorizes woku to engage Sub-processors to provide the services, subject to the conditions of this Agreement.
5.2 List of current Sub-processors
woku maintains an up-to-date list of Sub-processors available upon request at [email protected]. Current Sub-processors include, among others:
| Sub-processor | Service | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure | U.S. / multiple regions |
| Google Cloud Platform | Complementary services | U.S. / multiple regions |
| Paddle (Paddle.com Market Limited) | Payment processing (Merchant of Record) | United Kingdom |
| Transactional email provider (SendGrid or equivalent) | Transactional email delivery | U.S. |
5.3 Changes to Sub-processors
woku will notify the Client at least 30 days in advance of any addition or replacement of Sub-processors. The Client will have the right to reasonably object to such change within 15 days of the notification. If the objection cannot be resolved by mutual agreement, the Client may terminate the contract without penalty, in accordance with Section 6 of the Terms and Conditions.
5.4 Obligations with Sub-processors
woku will impose on each Sub-processor, through written contracts, obligations equivalent to those of this Agreement regarding data protection. woku will be liable to the Client for compliance with such obligations.
6. Security Measures
woku implements and maintains technical and organizational measures appropriate to the level of risk, including:
- Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).
- Two-factor authentication (2FA) for administrative access.
- Role-based access control and principle of least privilege.
- Regular backups and disaster recovery procedures.
- Penetration testing and periodic security reviews.
- Patch and vulnerability management.
- Logging and monitoring of access to systems containing Personal Data.
- Documented incident response plan.
7. Security Breach Notification
In the event of detecting a Security Breach affecting Personal Data processed on behalf of the Client, woku will:
a) Notify the Client within 72 hours of becoming aware of the breach, using the Client's registered email address.
b) Include in the notification: description of the incident, categories and approximate number of affected data subjects, potential consequences, and measures taken or proposed to mitigate the impact.
c) When complete information is not available within 72 hours, send an initial notification with the available data, to be supplemented as soon as reasonably possible.
d) Collaborate with the Client in the investigation, documentation of the incident, and notification to competent authorities when applicable.
8. Data Subject Rights
woku will assist the Client, to the extent technically possible, so that the Client can respond to requests from data subjects exercising their rights (access, rectification, deletion, portability, restriction, objection). This assistance will include:
- Tools on the platform to export or delete end-user data.
- Response to ad hoc requests within a maximum period of 10 business days.
When a request is received directly by woku, it will be redirected to the Client for handling, unless expressly instructed otherwise.
9. Audit Rights
The Client will have the right to verify woku's compliance with this Agreement. To this end:
a) woku will provide, upon the Client's request, relevant documentation on its security and data protection practices (policies, certifications, and available audit reports).
b) The Client may request an independent audit with a mutually agreed reputable auditor, with at least 30 days' prior notice and a maximum frequency of once per calendar year, except for justified cause (for example, following a Security Breach).
c) The audit costs will be borne by the Client, unless the results reveal material non-compliance with this Agreement by woku.
d) The auditor must sign a confidentiality agreement before accessing any woku information.
10. International Data Transfers
When processing involves transfers of Personal Data outside of Chile or the European Economic Area (EEA), woku will ensure that such transfers have adequate safeguards in place, such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Transfers to countries recognized as having an adequate level of protection.
- Other safeguards permitted by applicable regulations.
woku will inform the Client about international transfers made by its Sub-processors and the safeguards applied.
11. Data Retention and Deletion at End of Contract
Upon termination of the contractual relationship, woku will:
a) At the Client's instruction, securely delete or return all Personal Data within 30 days of the request.
b) Issue a deletion certification upon the Client's request.
c) Retain data for a longer period only when required by law, informing the Client of such circumstance and limiting processing to what is strictly necessary to comply with such obligation.
12. Liability
Each party will be liable to the other for direct damages caused by breach of this Agreement. woku's liability as Data Processor is limited to direct damages caused by actions outside the Client's documented instructions or by breach of the security obligations established herein, without prejudice to the liability limits set forth in the Terms and Conditions.
13. Modifications to the Agreement
woku may update this Agreement to reflect legal, operational, or processing-practice changes. Substantial modifications will be notified to the Client at least 30 days before they take effect. Continued use of the services after such period will imply acceptance of the modifications.
14. Applicable Law and Jurisdiction
This Agreement is governed by the laws of the Republic of Chile. For Clients established in the European Union, the provisions of the GDPR will also apply. Disputes arising from this Agreement will be submitted to the competent courts of Santiago de Chile, without prejudice to the rights of data subjects to file claims with the data protection authorities of their country of residence.
15. Contact
woku SpA
Calle 120 39 Dp 14 B, Hualpén, Chile 4600150
General email: [email protected]
Data protection contact: [email protected]
Website: woku.app