Data Processing Agreement (DPA)
Last updated: 2026-05-11
This DPA applies when a business customer (“Controller”) uses WeGotFiles, operated by Web Design AS (“Processor”), to transmit files that contain personal data of third parties. It is incorporated by reference into the Terms of Service.
1. Subject matter and duration
The Processor processes personal data on behalf of the Controller solely to provide the WeGotFiles service. The DPA lasts as long as the Controller's account is active.
2. Nature and purpose of processing
Receiving, storing, and delivering files uploaded by the Controller to recipients specified by the Controller, and deleting them after the configured expiry.
3. Types of personal data and categories of data subjects
Determined by the Controller. Typically: names, email addresses, and any personal data the Controller chooses to include in transferred files.
4. Processor obligations
- Process personal data only on documented instructions from the Controller.
- Ensure persons authorised to process the data are bound by confidentiality.
- Implement appropriate technical and organisational security measures (Art. 32 GDPR): encryption in transit (TLS) and at rest, access controls, audit logs, tenant isolation.
- Assist the Controller in responding to data-subject requests.
- Notify the Controller without undue delay (within 48 hours) of any personal-data breach affecting their data.
- At the end of the agreement, return or delete all personal data, at the Controller's choice.
5. Sub-processors
The Controller authorises the Processor to engage the sub-processors listed below. The Processor will give the Controller at least 14 days' notice before adding or replacing any sub-processor, during which the Controller may object and terminate without penalty.
| Sub-processor | Purpose | Region |
|---|---|---|
| Stripe Payments Europe Ltd. | Subscription billing & payment processing | EU/Ireland |
| Email delivery provider | Transactional email delivery (transfer notifications, password resets, billing receipts) | EU |
| Google LLC | Optional OAuth sign-in (only if user chooses) | EU/US (SCC) |
| GitHub Inc. | Optional OAuth sign-in (only if user chooses) | EU/US (SCC) |
| Microsoft Corp. | Optional OAuth sign-in (only if user chooses) | EU/US (SCC) |
6. International transfers
Where sub-processors process data outside the EU/EEA, the Processor uses EU Standard Contractual Clauses (2021) or equivalent safeguards.
7. Audits
The Controller may, with 30 days' written notice and at most once per year, request a written confirmation of the Processor's compliance, including summaries of relevant certifications and a description of the security controls in place.
8. Contact
DPA enquiries: support@wegotfiles.com. For a counter-signed copy, write to support@wegotfiles.com with your company details and we will return a signed PDF.