Waveguide

Last updated July 5, 2026

Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Adwave (“Processor”) and the Customer (“Controller”) and applies where Waveguide processes personal data on the Customer’s behalf subject to the GDPR, UK GDPR, CCPA, or similar laws (“Data Protection Laws”).

1. Roles and scope

For personal data contained in Customer Data — such as your leads’ and customers’ names, contact details, communications, and commercial history — the Customer is the controller and Adwave is the processor. For account-holder data (your email, billing identity), Adwave is an independent controller as described in the Privacy Policy.

2. Details of processing

  • Subject matter: operation of an AI agent performing marketing and growth work for the Customer.
  • Duration: the term of the agreement plus the 30-day post-termination export window.
  • Nature and purpose: collection, storage, organization, analysis, and communication of growth-loop data (leads, campaigns, messages, payments) as directed by the Customer’s configuration and approvals.
  • Categories of data subjects: the Customer’s leads, customers, and business contacts.
  • Categories of personal data: contact details, communication content and metadata, commercial and transaction history, advertising interaction data. No special categories are intended to be processed; the Customer agrees not to direct such processing.

3. Processor obligations

Adwave will: (a) process personal data only on the Customer’s documented instructions — given through the Service’s configuration, connections, policies, and approvals — unless required by law; (b) ensure persons authorized to process personal data are bound by confidentiality; (c) implement the technical and organizational measures described in Annex 1; (d) assist the Customer, taking into account the nature of processing, with data-subject requests and with obligations under Articles 32–36 GDPR; (e) notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Data; (f) at the Customer’s choice, delete or return personal data at end of service (both available self-serve); and (g) make available information reasonably necessary to demonstrate compliance, and allow for audits not more than annually on 30 days’ notice, subject to confidentiality.

4. Subprocessors

The Customer provides general authorization for the subprocessors listed in the Privacy Policy. Adwave will provide at least 14 days’ notice (by email to account owners) before adding a subprocessor that processes Customer personal data; the Customer may object on reasonable data-protection grounds, and if the objection cannot be resolved, may terminate the affected service with a pro-rata refund of prepaid fees. Adwave remains responsible for its subprocessors’ performance.

5. International transfers

Where processing involves transfers of EEA/UK personal data to countries without an adequacy decision, the parties incorporate the EU Standard Contractual Clauses (Module 2, controller-to-processor) and the UK Addendum by reference, with the Customer as data exporter and Adwave as data importer, and the technical measures of Annex 1 applying.

6. CCPA

Where the CCPA applies, Adwave acts as a “service provider”: it will not sell or share Customer personal information, nor retain, use, or disclose it other than to provide the Service, and it certifies that it understands these restrictions.

7. Liability

Liability under this DPA is subject to the limitations of liability in the Terms of Service, to the extent permitted by Data Protection Laws.


Annex 1 — Technical and organizational measures

  • Isolation: per-tenant sandboxed compute (Firecracker micro-VMs) with default-deny networking; per-tenant data ledgers.
  • Encryption: TLS 1.2+ in transit; AES-256-GCM envelope encryption at rest for credentials with per-tenant data keys wrapped by a master key.
  • Credential custody: connected-account credentials are never exposed to AI models; authenticated calls are brokered by an egress proxy that injects credentials outside the model boundary.
  • Access control: tenant-scoped session tokens; single-use email sign-in; hash-stored API keys; internal service authentication; instant session revocation.
  • Action control: risk-tiered action classification with human approval enforced at the proxy for irreversible and financial actions; single-use, action-scoped approval tokens; configurable spend caps; kill switch.
  • Input hardening: signature verification on all inbound webhooks; DKIM verification on inbound email; quarantine and taint-tracking of untrusted content.
  • Monitoring: append-only audit logging of tool calls, proxied requests, approvals, and administrative events; anomaly detection with automatic suspension.
  • Data lifecycle: self-serve full export; self-serve permanent deletion including vault and workspace destruction; defined retention periods (Privacy Policy §5).

To execute a countersigned copy of this DPA, contact hello@waveguide.adwave.com.