Data Processing Agreement (DPA)

Genwolf

Last updated: January 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service and applies where Genwolf processes Personal Data on behalf of a User in connection with the use of the Service.

1. Parties

  1. Controller: The User of the Genwolf Service.
  2. Processor: Oskar Więckowicz, conducting business as Oskar Więckowicz Software Development, a sole proprietor registered in Poland, address: aleja Marcina Kromera 61/3, 51-163 Wrocław, Poland, VAT / Tax ID: PL8992924472, email: contact@genwolf.ai ("Processor").

2. Scope and Subject Matter

  1. This DPA applies to the processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Genwolf SaaS platform.
  2. The subject matter, duration, nature, and purpose of the processing are defined by the use of the Service under the Terms of Service.

3. Processing Details

3.1 Nature of Processing

Processing operations may include:

  • collection
  • storage
  • analysis
  • transmission to AI models
  • display and reporting

3.2 Categories of Data Subjects

  • employees and contractors of the Controller
  • customers or business contacts referenced in User data
  • other individuals whose data is included in prompts or inputs

3.3 Types of Personal Data

  • identification data (e.g. names, email addresses if provided)
  • usage data
  • content submitted by Users (prompts, labels, URLs)

The Service is not intended for processing special categories of personal data.

4. Processor Obligations

The Processor shall:

  1. process Personal Data only on documented instructions from the Controller
  2. ensure that persons authorized to process Personal Data are bound by confidentiality
  3. implement appropriate technical and organizational security measures
  4. assist the Controller in fulfilling data subject rights under GDPR
  5. notify the Controller without undue delay of any Personal Data breach
  6. delete or return Personal Data upon termination of the Service, unless retention is required by law

5. Controller Obligations

The Controller shall:

  1. ensure a valid legal basis for processing Personal Data
  2. ensure that Personal Data submitted to the Service is lawful and accurate
  3. not submit sensitive personal data unless strictly necessary and lawful
  4. comply with all applicable data protection laws

6. Sub-processors

  1. The Controller authorizes the use of sub-processors necessary to provide the Service, including infrastructure, AI model providers, and payment processors.
  2. The Processor shall impose data protection obligations equivalent to this DPA on sub-processors and remain responsible for their performance.
  3. An up-to-date list of sub-processors may be provided upon request or made publicly available.

7. International Data Transfers

  1. Personal Data may be transferred outside the EEA where required to provide the Service.
  2. Such transfers shall be safeguarded using Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms under GDPR.

8. Security Measures

The Processor implements appropriate measures, including:

  • access controls
  • encryption in transit and at rest where appropriate
  • logging and monitoring
  • regular security reviews

9. Data Subject Requests

The Processor shall promptly notify the Controller of any request from a data subject and shall not respond directly unless authorized.

10. Audits

  1. Upon reasonable request, the Processor shall make available information necessary to demonstrate compliance with this DPA.
  2. Audits shall be limited in scope and frequency and subject to confidentiality.

11. Liability

Liability under this DPA shall be subject to the limits set out in the Terms of Service.

12. Term and Termination

  1. This DPA remains in effect for the duration of the processing of Personal Data.
  2. Upon termination of the Service, Personal Data shall be deleted or returned in accordance with the Terms of Service.

13. Governing Law

This DPA is governed by the laws of Poland, and disputes shall be subject to the jurisdiction specified in the Terms of Service.