Data Processing Agreement (DPA)
Last Updated: January 6, 2026
This Data Processing Agreement (“DPA”) forms part of the Wisanna Terms of Use (https://wisanna.com/legal/terms) or other applicable written agreement governing Customer’s use of the Service (the “Agreement”) between (i) the entity accepting the Agreement (“Customer”) and (ii) Navigabiz, a licensed business no. 307015578, registered in Israel, doing business as “Wisanna” (“Wisanna”).
This DPA applies only to the extent Wisanna processes Personal Data on behalf of Customer as a Processor (or sub-processor, as applicable) in providing the Service.
1. Incorporation, Scope, and Order of Precedence
1.1. Incorporated by reference
This DPA is incorporated into and forms part of the Agreement. The Agreement should reference this DPA substantially as follows: “To the extent Wisanna processes Personal Data (as a Processor), Wisanna’s DPA applies.”
1.2. Scope
This DPA reflects the parties’ obligations under Article 28 GDPR and other applicable Data Protection Laws regarding Wisanna’s processing of Personal Data for Customer.
1.3. Order of precedence
If there is a conflict between this DPA and the Agreement, this DPA governs only with respect to the parties’ data protection obligations for Personal Data processed under this DPA.
If Standard Contractual Clauses apply under Section 9, the SCCs prevail over this DPA to the extent of any conflict regarding international transfers.
2. Definitions
2.1. “Data Protection Laws” means GDPR and any other applicable EU/EEA member state data protection laws implementing or supplementing GDPR, each as amended from time to time.
2.2. “EEA” means the European Economic Area.
2.3. “Personal Data” has the meaning given in GDPR, and in this DPA means Personal Data contained in Customer Content or otherwise processed by Wisanna on Customer’s behalf in connection with the Service.
2.4. “Customer Content” has the meaning set out in the Agreement.
2.5. “Controller”, “Processor”, “Processing”, “Personal Data Breach”, and “Supervisory Authority” have the meanings given in GDPR.
2.6. “Sub-processor” means any Processor engaged by Wisanna to process Personal Data on behalf of Customer in connection with the Service.
3. Article 28 Processing Terms
3.1. Roles
Customer is the Controller of Personal Data and Wisanna is the Processor, to the extent Wisanna processes Personal Data on Customer’s behalf in providing the Service.
3.2. Documented instructions
Wisanna will process Personal Data only on documented instructions from Customer.
The parties agree that Customer’s instructions are: (i) the Agreement; (ii) Customer’s configuration and use of the Service; and (iii) any additional instructions agreed by the parties in writing.
Wisanna is not required to comply with instructions outside the scope of the Agreement or this DPA unless mutually agreed in writing.
3.3. Unlawful instructions
Wisanna will notify Customer if Wisanna becomes aware that Customer’s instructions (in Wisanna’s reasonable opinion) violate Data Protection Laws. In such case, Wisanna may suspend the relevant processing until the parties agree on lawful instructions.
3.4. Confidentiality of personnel
Wisanna will ensure that persons authorized to process Personal Data are subject to appropriate confidentiality obligations (contractual or statutory).
3.5. Data minimization and purpose limitation
Wisanna will access and use Personal Data only as necessary to provide, secure, and maintain the Service, provide support, and otherwise perform under the Agreement and this DPA.
3.6. No training of core AI models on Customer Personal Data
Wisanna will not use Customer Personal Data (including Customer Content, Inputs, or Outputs) to train, retrain, or improve general-purpose or “foundation” AI models for the benefit of other customers or third parties.
Wisanna may process Customer Personal Data to provide the Service to Customer (including generating Outputs for Customer) and may use aggregated and/or de-identified usage analytics to operate, maintain, and improve the Service, provided such analytics do not identify Customer or Data Subjects.
3.7. Compliance information
Taking into account the nature of processing and the information available to Wisanna, Wisanna will make available to Customer the information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR, subject to Section 8 (Audits and Inspections).
4. Sub-processors (General Authorization)
4.1. General written authorization
Customer grants Wisanna a general written authorization to engage Sub-processors for the provision of the Service.
4.2. Current Sub-processors and list
A current list of Sub-processors is available at https://wisanna.com/legal/sub-processors. By using the Service, Customer authorizes Wisanna’s listed Sub-processors.
4.3. Updates; notice; deemed acceptance
Wisanna may update its Sub-processors from time to time. Wisanna will provide notice of additions or replacements by updating the list and/or by email notification.
If Customer does not object within fourteen (14) days of notice, the change will be deemed accepted.
4.4. Objections and Customer’s sole remedy
Customer may object within the 14-day period on reasonable data protection grounds specific to the new Sub-processor.
If Wisanna cannot reasonably accommodate the objection (without disproportionate burden), Customer’s sole and exclusive remedy is to terminate the affected Service (or the Agreement, if the affected Service is integral) by written notice within thirty (30) days after Wisanna’s response. Wisanna is not required to provide a customized infrastructure or an alternative Sub-processor for Customer.
4.5. Sub-processor terms
Wisanna will impose data protection obligations on Sub-processors that are materially no less protective than those set out in this DPA, including confidentiality, security, and (where applicable) international transfer safeguards.
4.6. Responsibility
Wisanna remains responsible for the performance of its Sub-processors’ obligations to the same extent Wisanna is liable to Customer under the Agreement and this DPA.
5. Security Measures and Confidentiality
5.1. Security measures (TOMs)
Wisanna will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
Wisanna’s current TOMs are described in Annex 2. Wisanna may update its TOMs to reflect evolving security practices, provided that updates do not materially reduce the overall level of protection for the Service.
5.2. Security Policy (reference)
Additional information about Wisanna’s security program may be described in its Security Policy at https://wisanna.com/legal/security, which may be updated from time to time.
5.3. Customer security responsibilities
Customer is responsible for (i) using the Service in a manner consistent with the Agreement, (ii) maintaining the confidentiality of its access credentials, (iii) configuring its account settings appropriately, and (iv) ensuring it has a lawful basis to process and provide Personal Data to Wisanna.
6. Personal Data Breach Notification
6.1. Notification
Wisanna will notify Customer without undue delay after becoming aware of a confirmed Personal Data Breach affecting Customer’s Personal Data.
6.2. Information provided
To the extent reasonably available, Wisanna’s notice will describe: the nature of the breach, categories and approximate number of Data Subjects and records concerned (if known), likely consequences, and measures taken or proposed to address the breach.
6.3. Cooperation
Wisanna will provide reasonable cooperation and information to support Customer’s compliance with breach notification obligations under Data Protection Laws, subject to Section 7.3 (Costs).
7. Assistance to Customer (DSARs, DPIAs, Supervisory Authorities)
7.1. Data subject requests (DSARs)
Taking into account the nature of processing, Wisanna will reasonably assist Customer in responding to Data Subject requests, to the extent required under Data Protection Laws.
Customer acknowledges and agrees that Wisanna’s primary means of assistance is providing self-service functionality within the Service (such as export and deletion features) where available.
7.2. DPIAs and prior consultation
To the extent required by Data Protection Laws and taking into account the nature of processing and information available to Wisanna, Wisanna will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with Supervisory Authorities, limited to processing under this DPA.
7.3. Costs for non-standard assistance
Where Wisanna’s assistance under this Section 7 requires material effort beyond the Service’s self-service features or Wisanna’s standard support, Wisanna may charge reasonable fees for such assistance, unless the assistance is required due to Wisanna’s breach of this DPA.
7.4. Direct requests to Wisanna
If Wisanna receives a request from a Data Subject relating to Personal Data processed under this DPA, Wisanna will (to the extent legally permitted) direct the Data Subject to Customer and will not respond substantively except on Customer’s documented instruction or as required by law.
8. Audits and Inspections (“Startup Shield”)
8.1. Documentation-first compliance review
Customer’s audit and information rights under Article 28 GDPR will be satisfied primarily by Wisanna providing one or more of the following, as reasonably available and applicable to the Service: (i) Wisanna’s Security Policy and written description of its TOMs; (ii) responses to reasonable security questionnaires; and/or (iii) other documentation reasonably necessary to demonstrate compliance.
Customer acknowledges Wisanna may be unable, at an early stage, to provide formal certifications (e.g., ISO 27001 or SOC 2).
8.2. On-site audits as last resort
Customer may conduct an on-site audit or inspection of Wisanna’s facilities and systems used to process Personal Data only if:
■ (a) the documentation provided under Section 8.1 is insufficient to reasonably demonstrate compliance with this DPA and Article 28 GDPR; and
■ (b) Customer provides a written explanation of the specific compliance concern(s) that cannot be addressed through documentation; or
■ (c) a competent Supervisory Authority requires or requests such an audit.
8.3. Conditions for any on-site audit
Any on-site audit must:
■ (a) be at Customer’s sole cost and expense;
■ (b) be conducted by Customer or an independent auditor bound by confidentiality;
■ (c) be subject to at least sixty (60) days’ prior written notice;
■ (d) occur no more than once in any twelve (12) month period (unless required by a Supervisory Authority);
■ (e) be limited in scope to matters reasonably necessary to assess compliance with this DPA, and conducted during normal business hours in a manner that does not unreasonably interfere with Wisanna’s operations; and
■ (f) comply with Wisanna’s reasonable security, confidentiality, and facility access policies.
8.4. Findings; confidentiality
Audit findings and any materials shared are Wisanna’s Confidential Information to the extent permitted by law. Customer will promptly provide Wisanna with a copy of any audit report and will allow Wisanna to review it for confidentiality before any external disclosure (unless legally prohibited).
9. International Data Transfers
9.1. Locations
Customer acknowledges that Wisanna may process Personal Data in Israel, the EEA, the United States, and other jurisdictions where Wisanna and its Sub-processors operate, as described in Wisanna’s sub-processor list.
9.2. Israel adequacy
The parties acknowledge that the European Commission has recognized Israel as providing an adequate level of protection for Personal Data (adequacy decision), and transfers from the EEA to Wisanna in Israel may rely on that adequacy decision where applicable.
9.3. Transfers to non-adequate countries (including the United States)
Where Personal Data is transferred to a country not recognized as adequate under EU law (including via certain Sub-processors in the United States), Wisanna will ensure that such transfers are subject to an appropriate transfer mechanism, such as:
■ (a) the EU-U.S. Data Privacy Framework (where the recipient is certified); and/or
■ (b) the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), as incorporated in Annex 3.
9.4. Customer authorization for AI providers
Customer acknowledges and authorizes that Wisanna may use AI Sub-processors (e.g., OpenAI and/or Anthropic, as listed on the sub-processor page) to provide AI features of the Service, including where this involves transfers to the United States, subject to the safeguards in this Section 9.
10. Return and Deletion of Personal Data
10.1. Export during the term
Customer may export or retrieve Customer Content from the Service using available functionality during the term of the Agreement.
10.2. Deletion after termination; grace period
Upon termination or expiration of the Agreement, Wisanna will delete Customer’s Personal Data within a reasonable period in accordance with Wisanna’s standard deletion processes.
Unless legally required to retain it, Wisanna may retain Personal Data for up to sixty (60) days after termination to allow Customer to export data and to complete account closure processes (“grace period”), after which Wisanna may delete the Personal Data.
10.3. Backups
Customer acknowledges that Personal Data may be retained in backups for a limited period consistent with Wisanna’s backup rotation and disaster recovery practices, and will be deleted or overwritten as part of those cycles.
10.4. Deletion upon request
Where the Service supports deletion by Customer, Customer may request deletion through the Service or by contacting support@wisanna.com. Wisanna will process deletion requests in accordance with applicable law and Wisanna’s standard processes.
11. Liability
11.1. Liability cap and exclusions
To the maximum extent permitted by applicable law, all liability arising out of or relating to this DPA (including data protection-related claims) is subject to the exclusions, limitations, and liability cap set forth in the Agreement, and is not subject to any separate or higher cap under this DPA.
11.2. No expansion of remedies
This DPA does not create any additional remedies or rights to compensation beyond those set out in the Agreement, except where required by Data Protection Laws.
12. General
12.1. Term
This DPA remains in effect for as long as Wisanna processes Personal Data on behalf of Customer under the Agreement.
12.2. Conflict with mandatory law
Nothing in this DPA limits or reduces any data protection rights that cannot be limited under applicable Data Protection Laws.
12.3. Contact
Customer may contact Wisanna regarding data protection matters at support@wisanna.com (or such other address Wisanna designates in writing).
Annex 1: Details of Processing (Art. 28(3))
1. Subject matter
Provision of the Service (including Wisanna web platform and Microsoft Word add-in) under the Agreement.
2. Duration
For the term of the Agreement plus any applicable grace period under Section 10.
3. Nature of processing
Hosting, storage, retrieval, transmission, organization, and other processing necessary to provide and secure the Service; customer support; abuse prevention; and generating AI-assisted outputs based on Customer inputs.
4. Purpose(s) of processing
To provide, maintain, secure, and support the Service as described in the Agreement.
5. Types/categories of Personal Data
Depending on Customer’s use, may include:
○ Account Information (e.g., name, business email, username, authentication details)
○ End-user and client matter data contained in Customer Content (e.g., names, contact details, identifiers within documents)
○ Metadata and usage logs related to use of the Service (to the extent they constitute Personal Data)
6. Categories of Data Subjects
Customer’s representatives, employees, contractors, clients, counterparties, and other individuals whose Personal Data is included in Customer Content.
7. Special categories of data
The Service is not intended for Special Categories of Personal Data. Customer agrees not to upload Special Categories of Personal Data (or other highly sensitive data) unless strictly necessary and Customer has ensured a lawful basis and appropriate safeguards; Customer remains responsible for such safeguards.
Annex 2: Technical and Organizational Measures (TOMs)
Wisanna maintains a security program designed to protect the confidentiality, integrity, and availability of the Service and Personal Data. The specific measures may evolve. Current measures may include, as appropriate:
1. Access controls
Role-based access controls for internal systems; least-privilege access; administrative access restricted to authorized personnel.
2. Authentication and account security
Customer authentication mechanisms supported by the Service; administrative authentication controls; processes designed to reduce unauthorized access risk.
3. Encryption (functional description)
Industry-standard encryption in transit and at rest, as supported by Wisanna and its infrastructure providers.
4. Logging and monitoring (functional description)
Security logging and monitoring designed to detect suspicious activity and support incident response.
5. Vulnerability and change management (functional description)
Processes for deploying updates and fixes, and for managing changes to production systems.
6. Backups and resilience (functional description)
Backups and disaster recovery practices designed to support availability and restoration.
7. Personnel and organizational measures
Confidentiality obligations for personnel; access granted based on business need; security awareness practices appropriate to company stage.
8. Sub-processor management
Risk-based selection and engagement of Sub-processors; contractual obligations addressing confidentiality, security, and (where applicable) transfer safeguards.
Annex 3: SCCs (Incorporation by Reference and Parameters)
1. Incorporation by reference
Where SCCs are required for a transfer under Section 9.3, the parties incorporate by reference the Standard Contractual Clauses adopted by the European Commission in Commission Implementing Decision (EU) 2021/914 (“SCCs”).
2. SCC module
The parties intend Module Two (Controller to Processor) to apply where Customer (EEA Controller) transfers Personal Data to Wisanna (Processor) in a non-adequate jurisdiction, and Module Three (Processor to Processor) to apply where Wisanna transfers Personal Data to a Sub-processor in a non-adequate jurisdiction, as applicable.
3. SCC selections (high-level)
○ Docking clause: enabled.
○ Third-party beneficiary: as per SCCs.
○ Governing law and forum: as determined by the SCCs and applicable requirements for enforceability in the EEA member state of the Customer.
4. Annexes to SCCs
The information in Annex 1 (Details of Processing) and Annex 2 (TOMs) of this DPA is intended to populate the corresponding SCC annexes, as applicable.
References
- Terms of Use: https://wisanna.com/legal/terms
- Data Processing Agreement (DPA): https://wisanna.com/legal/dpa
- Security Policy & TOMs: https://wisanna.com/legal/security
- Sub-processors: https://wisanna.com/legal/sub-processors
