Data Processing Agreement Update - January 2022

Role as processor/controller

We have made some changes to our role as data processors in some places in the DPA. This is our reasoning:

  • Information about registered users such as date and timestamp for creation, updating, and activating the user account are created by us as we need this information to keep logs and run our application and thus we consider ourselves the controller for this data. Moreover, these categories of data also fall under the definition of usage data according to our Privacy Policy.
  • For users that choose to use Google as a third-party authentication mechanism for logging in to Whereby, the following additional information such as Google account userID, Display Profile image and URL is processed. We obtain this information from google but are we determining the means and purpose of this data- we can say that because we are enabling signing-in through these credentials. Therefore, we consider ourselves a controller for this data. However, we have removed this information from our DPA because our DPA only applied to situations where we are data Processors. 

Transfer tool

As data controllers, we require you to acknowledge that the processor (Whereby) is based in Norway, whereas the data pertaining to this agreement is stored in the Republic of Ireland or another location the processor may choose in the EU/EEA. Where edge components outside the EU/EEA are used for transient storage, the transfer is expected to be covered by one of the contract performance exceptions under Article 49(1)(b) or (c) GDPR as such transfer is subject to the choice of the controller and/or its users to engage in communication with someone who is based outside the EU/EEA. Should a transfer for any reason not be covered by said GDPR exceptions, Standard Contractual Clauses shall be used. 

If you have any questions or comments to this update, please contact