Data Processing Agreement Update - Spring 2021

Role as processor/controller

We’ve made some clarifications to the description of Whereby as a controller and processor several places in the DPA. This is our reasoning:

  • Since Whereby determines the purpose of the delivery of the standard service, Whereby will be the controller for the processing for this purpose. Our customers have no real influence on how our standard service operates. Our role as data processor is limited and mainly related to our customer’s account management activities.
  • To protect the privacy of all meeting participants, we can only give individuals rights over their own personal data and allow them to have a role as controller for personal data related to members of their organization. Meeting participants from one organisation should be protected against privacy intrusions by participants belonging to other organisations. For instance, a customer should not be able to obtain IP logs which could be used to undermine the anonymity of meeting participants from outside the customer’s organization.

The purpose, nature of processing, storage information and some of the processing activities are changed or removed to adjust to the role of Whereby as a processor. We have also clarified that participants/recipients in meetings will be the sole controllers of their disclosure of content and use of content received in a call.

Another change is that we have compressed our listed sub-processors. Amazon is the only sub-processor we use at this point, for storage of user account information.

Transfer tool

We have changed our transfer tool to Standard Contractual Clauses for potential data transfers outside the EU/EEA to make sure we stay compliant. At this point, we are not using any sub-processors outside the EU/EEA.

If you have any questions or comments to this update, please contact