Data Processing Addendum
Effective · 27 June 2026
This Data Processing Addendum (“DPA”) supplements the agreement between you (“Customer”, controller) and Welookup Insights LLP (“Welookup”, processor) where Welookup processes personal data on the Customer’s behalf in the course of providing services. It is designed to satisfy Article 28 of the EU/UK GDPR and equivalent provisions of the India DPDP Act, 2023.
1. Roles
Customer is the controller; Welookup acts as processor. Each party complies with applicable data-protection law.
2. Processing details
- Subject matter: the services agreed in the underlying contract / SOW.
- Duration: term of the underlying contract plus any retention period required by law.
- Nature & purpose: analytics consulting, CRM operations, managed-talent delivery and related professional services.
- Data categories: business contact details and any data the Customer chooses to share within scope.
- Data subjects: Customer’s employees, contractors and end users as applicable.
3. Customer instructions
Welookup processes personal data only on the Customer’s documented instructions, including for international transfers, unless required by law.
4. Confidentiality
Personnel authorised to process personal data are bound by written confidentiality obligations.
5. Security
Welookup maintains the technical and organisational measures described in our Security Statement, including TLS in transit, encryption at rest, RBAC, least-privilege admin access, signed-URL media access, and access logging.
6. Subprocessors
Customer provides general authorisation for Welookup to engage the subprocessors listed at /subprocessors. Welookup imposes equivalent data-protection obligations on each subprocessor and remains liable for their performance. Customers may object to new subprocessors by emailing legal@welookupinsights.com within 14 days of notification.
7. Data-subject rights
Welookup assists Customer in responding to data-subject requests by appropriate technical and organisational measures, considering the nature of the processing.
8. Personal-data breach
Welookup notifies Customer of any confirmed personal-data breach affecting Customer data without undue delay, and in any case within 72 hours of becoming aware where required by law.
9. International transfers
Where personal data is transferred outside the EEA/UK/India, the parties rely on the EU Standard Contractual Clauses (Module 2 — Controller to Processor, 2021/914), the UK International Data Transfer Addendum (where applicable), and the standard contractual mechanisms under India’s DPDP framework. These are incorporated by reference where applicable.
10. Audits
On reasonable written request and no more than once per year (unless required by a supervisory authority), Welookup will make available information necessary to demonstrate compliance with this DPA, including responses to a reasonable security questionnaire.
11. Deletion or return
On termination, Welookup will, at Customer’s choice, delete or return Customer personal data within 60 days, except where retention is required by law.
12. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions in the underlying contract.
13. Order of precedence
If there is a conflict, this DPA prevails over the underlying contract on data-protection matters.
14. Signing
For a countersigned copy of this DPA, email legal@welookupinsights.com with your legal entity name, registered address and signatory.
Effective 27 June 2026.
This page is maintained by Welookup Insights LLP. It explains current practices and is not an independent certification. Questions: legal@welookupinsights.com.