Data Processing Agreement

Last updated: March 28, 2026

1. Definitions

  • "Controller" means the entity that determines the purposes and means of the processing of Personal Data — i.e., you, the customer.
  • "Processor" means the entity that processes Personal Data on behalf of the Controller — i.e., WPControl.
  • "Data Subject" means any identified or identifiable natural person whose Personal Data is processed.
  • "Personal Data" means any information relating to a Data Subject, including names, email addresses, IP addresses, and any other data defined as personal data under applicable data protection laws.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

2. Scope and Purpose of Processing

This Data Processing Agreement ("DPA") forms part of the Terms of Service between WPControl ("Processor") and the customer ("Controller") and governs the processing of Personal Data by the Processor on behalf of the Controller.

The Processor processes Personal Data solely for the purpose of providing the WPControl service, which includes:

  • Managing user authentication and account data
  • Connecting to and managing WordPress sites via the MCP protocol
  • Storing WordPress site credentials for API access
  • Tracking API usage for billing and plan enforcement
  • Sending service-related notifications

3. Data Processor Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by law
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk
  • Not engage another processor without prior written authorization of the Controller
  • Assist the Controller in responding to requests from Data Subjects exercising their rights
  • Assist the Controller in ensuring compliance with data breach notification obligations
  • Delete or return all Personal Data upon termination of the service, at the Controller's choice
  • Make available all information necessary to demonstrate compliance and allow for audits

4. Sub-processors

The Controller hereby provides general written authorization for the Processor to engage the following Sub-processors:

Supabase, Inc.

Purpose: Database hosting (PostgreSQL), data storage, and Row Level Security

Location: United States (AWS infrastructure)

Clerk, Inc.

Purpose: User authentication, session management, OAuth identity provider

Location: United States

Amazon Web Services (Amazon SES)

Purpose: Transactional email delivery for service notifications

Location: ap-northeast-2 (Seoul, South Korea)

Vercel, Inc.

Purpose: Dashboard frontend hosting and edge delivery

Location: Global edge network

The Processor shall notify the Controller of any intended changes to Sub-processors, giving the Controller the opportunity to object to such changes.

5. Data Security Measures

The Processor implements the following technical and organizational measures to protect Personal Data:

  • Encryption at rest: WordPress Application Passwords and sensitive credentials are encrypted using AES-256-GCM before storage
  • Encryption in transit: All data transmissions are protected with TLS 1.2 or higher
  • Access control: Row Level Security (RLS) enforced at the database level; multi-tenant isolation
  • Authentication: OAuth 2.0 via Clerk with JWT-based session tokens
  • API security: Rate limiting, API key authentication, and request validation
  • Infrastructure: Hosted on AWS Lightsail (ap-northeast-2) with automated backups
  • Monitoring: Continuous system health monitoring and automated alerting

6. Data Subject Rights

The Processor shall assist the Controller in fulfilling requests from Data Subjects to exercise their rights under applicable data protection laws, including the right to:

  • Access their Personal Data
  • Rectify inaccurate Personal Data
  • Erase their Personal Data ("right to be forgotten")
  • Restrict processing of their Personal Data
  • Receive their Personal Data in a structured, commonly used format (data portability)
  • Object to processing

Data Subject requests may be submitted to support@wpcontrol.dev. The Processor shall respond to verified requests within 30 days.

7. Data Breach Notification

In the event of a Personal Data breach, the Processor shall:

  • Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach
  • Provide the Controller with sufficient information to meet its obligations to report the breach to supervisory authorities and Data Subjects
  • Cooperate with the Controller and take reasonable steps to assist in the investigation and mitigation of the breach
  • Document the breach, including the facts, effects, and remedial actions taken

8. Data Retention and Deletion

The Processor retains Personal Data as follows:

  • Account data: Retained while the account is active; deleted within 30 days of account termination
  • WordPress site credentials: Deleted immediately when a site is disconnected or upon account termination
  • API usage logs: Retained for 90 days, then automatically deleted
  • Monthly usage aggregates: Retained for 12 months for billing history
  • Webhook event logs: Retained for 60 days after processing

Upon termination of the service, the Processor shall delete all Personal Data within 30 days, unless retention is required by applicable law. The Controller may request a copy of their data before deletion.

9. International Data Transfers

Personal Data may be transferred to and processed in the following jurisdictions:

  • South Korea — API server infrastructure (AWS Lightsail ap-northeast-2)
  • United States — Supabase (database), Clerk (authentication), Vercel (frontend)
  • Global — Vercel edge network for dashboard delivery

Where Personal Data is transferred outside the European Economic Area (EEA), the Processor ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as adopted by the European Commission, or reliance on the data importer's certification under an approved framework.

10. Term and Termination

This DPA shall remain in effect for the duration of the Processor's processing of Personal Data on behalf of the Controller. It shall automatically terminate upon the termination of the underlying Terms of Service.

Upon termination:

  • The Processor shall cease all processing of the Controller's Personal Data
  • The Processor shall delete or return all Personal Data, at the Controller's choice, within 30 days
  • The Processor shall provide written confirmation of deletion upon request

11. Governing Law

This DPA shall be governed by the laws of the Republic of Korea. For Data Subjects in the European Economic Area, the provisions of the GDPR shall apply in addition to local law. Any disputes arising from this DPA shall be resolved in the courts of Seoul, Republic of Korea.

12. Contact

For questions about this Data Processing Agreement, contact us at support@wpcontrol.dev.