This Data Processing Agreement (“DPA”) forms part of the agreement between WholeSum Business Ltd (“Processor”, “we”, “us”) and the customer using the Services (“Controller”, “you”) (together, the “Parties”).
The Services are designed for inputs that do not contain any Personal Data, and you are explicitly instructed not to upload Personal Data. This DPA applies only to the limited and unintended circumstances where Personal Data is included in your inputs contrary to that instruction and we process it on your behalf as a processor.
Capitalised terms not defined here have the meaning given in the main Terms.
Applicable Data Protection Law: all laws applicable to the processing of Personal Data under this DPA, including the UK GDPR, EU GDPR (where applicable), and any local laws implementing or supplementing those regimes.
Personal Data, Personal Data Breach, Data Subject, Processor, Controller, Processing: have the meanings given in Applicable Data Protection Law.
Subprocessor: any third party appointed by us to process Personal Data on your behalf.
2.1 Controller–processor relationship: For any Personal Data inadvertently included in Input Data submitted to the Services, you are the Controller and we are the Processor. You are expressly required not to submit Personal Data. If you nonetheless include Personal Data in your inputs, you instruct us to process it only to the minimum extent necessary to provide the Services and manage the associated systems.
2.2 Purpose and instructions: We will process Personal Data solely to: provide the Services; ensure their security, integrity and lawful operation; and comply with your documented instructions under the Contract, this DPA, and your use of the Services.
2.3 No further use: We will not process Personal Data for our own purposes. We will notify you if an instruction is unlawful or cannot be followed.
3.1 Types of Personal Data processed: The Services are designed for non-personal, fully de-identified data. You should not include Personal Data. If you upload Personal Data in error, we may incidentally process whatever Personal Data appears within your Workpieces or inputs solely to deliver the Services.
3.2 Data subjects: In such cases, data subjects may include any individuals referenced in your inputs.
3.3 Processing operations: Where Personal Data is included contrary to guidance, processing may include ingestion, hosting, transmission, analysis, model inference, output generation, storage, and deletion as required to provide the Services.
We maintain appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing, loss, destruction or damage.
Individuals authorised to process Personal Data are bound by confidentiality obligations.
6.1 Authorised subprocessors: You grant us a general authorisation to appoint subprocessors. Our material subprocessors for model inference include:
- OpenAI, LLC – https://openai.com/policies/data-processing-addendum
- Google LLC – https://cloud.google.com/terms/data-processing-addendum
6.2 Subprocessor obligations: We ensure subprocessors are subject to contractual obligations no less protective than those in this DPA.
6.3 Changes: We will notify you of material subprocessor changes. You may object if a change materially increases risk. If unresolved, your sole remedy is to cease using the Services.
7.1 We and our subprocessors may process Personal Data in any location in which we or they operate. Where this involves a transfer outside the UK or EEA to a country without an adequacy decision, we will ensure the transfer is covered by an appropriate safeguard.
7.2 For transfers by subprocessors such as OpenAI and Google, we rely on the transfer mechanisms in their DPAs, including SCCs, the UK IDTA, and supplementary measures.
7.3 Where we act as exporter, we will enter into the relevant transfer mechanism unless another lawful basis applies.
7.4 No guarantee of location: We do not guarantee that data will be processed in any specific location unless explicitly agreed in writing.
We will assist you with Data Subject rights, breach notifications, DPIAs and regulatory consultations. We may charge reasonable costs for excessive requests.
We will notify you without undue delay after becoming aware of a breach affecting Personal Data processed for you.
You may request compliance information. Audits may occur once per year unless required following a breach. We may restrict audit scope to protect confidentiality or security. Reasonable costs may apply.
Upon termination, we will delete or return all data unless legally required to retain it. We do not isolate Personal Data from inputs; deletion applies to entire input objects and related logs. Deletion may follow standard backup retention cycles.
Liability under this DPA is governed solely by the liability provisions of the main Contract (the Website Terms and Conditions).
This DPA remains in effect for the duration of the Contract and continues until all Personal Data is deleted or returned.
If this DPA conflicts with the Contract, this DPA prevails regarding data protection obligations.
© 2026 WholeSum. All rights reserved.