
Wolfmates LLC
Data Processing Agreement, last updated September 19, 2025.
Data Processing Agreement (DPA)
Last Updated: [Month Day, Year]
This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“Agreement”) between Wolfmates (“Processor”) and the customer subscribing to Wolfmates services (“Controller”). This DPA governs how Wolfmates processes personal data on behalf of the Controller when delivering the Services.
1. Definitions
“Data Protection Laws” – all applicable privacy and data protection laws, including the EU GDPR, UK GDPR, and U.S. state privacy laws (e.g., CCPA, CPRA, VCDPA, CPA, CTDPA, UCPA).
“Personal Data” – any information relating to an identified or identifiable natural person processed under the Agreement.
“Processing” – any operation performed on Personal Data as defined by Data Protection Laws.
“Sub-Processor” – any third party engaged by Wolfmates to process Personal Data.
“Data Subject” – the natural person to whom Personal Data relates.
“Data Security Incident” – a breach of security leading to unauthorized disclosure, access, loss, or alteration of Personal Data.
2. Roles of the Parties
Controller – determines the purposes and means of processing Personal Data.
Processor (Wolfmates) – processes Personal Data on behalf of the Controller only as documented in the Agreement and this DPA.
3. Processor Obligations
Wolfmates shall:
Process Personal Data solely in accordance with documented instructions of the Controller.
Ensure persons authorized to process Personal Data are bound by confidentiality obligations.
Implement and maintain appropriate technical and organizational security measures (see Schedule B).
Notify Controller without undue delay and no later than 72 hours after becoming aware of a Data Security Incident.
Assist Controller in meeting obligations regarding Data Subject rights, DPIAs, and regulatory inquiries.
Delete or return Personal Data at termination of Services, unless retention is required by law.
4. Sub-Processors
Wolfmates may engage Sub-Processors to support Services. Current Sub-Processors are listed in Schedule C.
Wolfmates will notify Controller of any intended changes. Controller may reasonably object within 10 days.
Wolfmates remains liable for all Sub-Processors.
5. Cross-Border Transfers
Wolfmates is headquartered in the United States and uses Amazon Web Services (AWS, U.S. and EEA regions).
Transfers outside of the EEA, UK, or other jurisdictions will rely on an appropriate safeguard, such as Standard Contractual Clauses (SCCs), UK Addendum, or adequacy decisions.
See Schedule D for transfer details.
6. Security Measures
Wolfmates maintains industry-standard measures including but not limited to:
Data encryption (TLS 1.2/1.3 in transit, AES-256 at rest).
Access controls with MFA and role-based permissions.
Regular vulnerability scanning, logging, and monitoring.
Backup and disaster recovery protocols.
Employee security training and confidentiality agreements.
(See Schedule B for detailed measures.)
7. Data Subject Rights
Wolfmates shall promptly forward to Controller any request received directly from a Data Subject (e.g., access, rectification, deletion, portability). Wolfmates shall not respond except on Controller’s documented instructions.
8. Audit & Compliance
Wolfmates shall maintain records of processing.
Controller (or independent auditors) may request audit information up to once annually.
To reduce disruption, audits may first rely on third-party certifications or reports (e.g., SOC 2, penetration testing).
9. Term & Termination
This DPA remains in effect for the duration of the Agreement. Upon termination, Wolfmates shall delete or return all Personal Data (unless legally required to retain it) within 90 days.
10. Governing Law
This DPA is governed by the laws of the State of Pennsylvania, USA, unless overridden by mandatory Data Protection Laws.
Schedule A – Data Categories & Processing Details
Subjects: End users, family members/authorized users, organization admins, support contacts
Categories: Identifiers (name, email, phone), account data, usage metadata, preference settings; optional wellness logs/check-in notes uploaded by customer; support tickets; billing contact (no PAN stored by Wolfmates).
Special/Sensitive: Not intended; customer controls input. If provided, processed only on instructions, not for inference.
Purpose: Provide/maintain Services, support, security, fraud prevention, analytics, billing, notifications.
Duration: Term of Agreement + up to 90 days for return/deletion (unless law requires longer).
Location: Primary hosting in AWS [region(s), e.g., us-east-1]. Backups in same or paired region.
Schedule B – Technical & Organizational Measures (TOMs)
Governance: Security policies, least-privilege RBAC, MFA/SSO, employee NDAs & annual training.
App/SDLC: Code review, SAST/DAST, dependency/CVE scanning, secrets management, IaC reviews.
Infra: AWS VPC isolation, SGs, WAF, hardened AMIs, patching, time-synced logs, CloudTrail/CloudWatch.
Crypto: TLS 1.2/1.3 in transit; AES-256 at rest (DB, object storage, backups); KMS key mgmt.
Data mgmt: Tenant logical separation; signed URLs; file AV scanning; least-scope API tokens.
Monitoring: Centralized logs, anomaly alerts, SIEM rules; access reviews at least quarterly.
Resilience: Multi-AZ for critical services; backups (e.g., hourly incrementals + daily fulls); tested restores; target RPO ≤ 12h / RTO ≤ 24h.
IR: Playbooks (detect/contain/eradicate/recover/post-mortem), on-call rotation, customer comms.
Vendor risk: Due diligence, DPAs/SCCs where required; annual review of critical vendors.
Schedule C – Approved Sub-Processors
Schedule D – International Transfers
EEA/UK/CH: Where Wolfmates (or a sub-processor) is outside an adequate country, transfers are governed by:
EU SCCs (2021/C(2021)3701) – Module 2 (C→P) and Module 3 (P→P) as applicable.
UK Addendum to the EU SCCs (ICO, March 2022).
Swiss addendum alignment to FDPIC guidance.
TOMs + TIA: Wolfmates conducts transfer impact assessments and applies supplementary measures as needed.
Schedule E – U.S. State Privacy Addendum
Wolfmates acts as a Processor/Service Provider. Wolfmates shall:
Process only on documented instructions; no sale/share of personal information; no targeted advertising; no profiling beyond Controller’s instructions.
Assist with consumer requests (access, delete, correct, portability) and downstream flow-downs.
Require sub-processors to meet equivalent obligations.
Provide data return/deletion at termination (subject to legal retention).
Schedule F – Security Incident & Audit Protocol
Notification: Without undue delay and no later than 72 hours after confirming a breach impacting Customer Data. Notice includes nature, scope, affected data/subjects (if known), likely consequences, and measures taken/proposed.
Cooperation: Wolfmates will assist investigations, regulator notices, and data subject communications.
Audits (tiered):
Provide security whitepaper, SOC 2 (if available), pen-test summary, and responses to a reasonable SIG/CAIQ.
If insufficient, a remote audit (once/12 months) during business hours.
On-site audit only if required by law/regulator or following material findings; reasonable limits and confidentiality apply.