Data Processing Agreement
Version: 1.2 (January 2026)
Governing Authority: EU GDPR, UK GDPR, CCPA/CPRA, and EU AI Act (Tier 1 Transparency)
This DPA is entered into between WynnMetrics (the “Processor”) and the Client (the “Controller”).
1. Scope and Role of Parties
1.1 Processor Role: WynnMetrics processes Personal Data only on behalf of the Controller and in accordance with the Controller’s documented instructions for the provision of AI-driven win/loss analysis.
1.2 Bifurcation of Data: This DPA applies solely to Respondent Data (data collected via surveys). It does not apply to Administrative Data (Client login/billing), for which WynnMetrics acts as a Data Controller under the primary Privacy Policy.
1.3 Zero-Sync Standard: The parties acknowledge that the “Zero-Sync” model is the default integration. The Controller is instructed to provide pseudo-anonymized identifiers (e.g., {{contact_id}}) rather than raw PII (emails/names) in URL parameters.
2. Technical and Organizational Measures (TOMs)
WynnMetrics shall maintain a security program that includes, at minimum:
2.1 Data Sanitization & Pseudo-anonymization:
- Log-Level Scrubbing: The Processor employs automated middleware to identify and scrub raw PII (emails/phone numbers) from server-side request logs and “Referer” headers before they are written to disk.
- In-Flight PII Redaction: Free-text survey responses (e.g., “Magic Wand” questions) are processed via a redaction layer to identify and mask inadvertently provided PII (names, emails, phone numbers) before being analyzed by the AI Engine.
- Cryptographic Hashing: Where email addresses are used as identifiers, they are transformed into non-reversible cryptographic hashes or encrypted at rest, ensuring that the database does not contain “Clear-Text PII.”
2.2 Network Resilience and Availability:
- Edge Protection: Cloudflare is deployed as a Web Application Firewall (WAF) to provide DDoS mitigation, bot management, and IP-reputation filtering.
- Rate Limiting: Upstash Redis is utilized for high-performance, distributed rate limiting to prevent brute-force exploitation of survey endpoints and to ensure service availability for all tenants.
- Tenant Isolation: Data is strictly isolated at the database level using Supabase Row-Level Security (RLS), ensuring that no Controller can access another Controller’s data.
3. Sub-processors and AI Transparency
3.1 Authorized Sub-processors: Controller provides general authorization for WynnMetrics to engage the sub-processors listed in Annex III.
3.2 AI-Specific Safeguards (Gemini): WynnMetrics utilizes Google Gemini for sentiment analysis and categorization. Processor warrants that:
- Data is processed via Enterprise-tier API endpoints.
- No Data for Training: Personal Data submitted for analysis is not used to train, retrain, or improve Google’s public foundation models.
- Transparency: All AI-generated insights are marked as “Probabilistic Output” to comply with the EU AI Act’s transparency requirements.
4. Data Subject Rights
Processor shall, to the extent legally permitted, promptly notify Controller if Processor receives a request from a Data Subject to exercise their rights (Access, Erasure, Portability). Given the Zero-Sync model, Processor may require Controller’s assistance to link a contact_id to a specific individual.
ANNEX I: DETAILS OF PROCESSING
| Category | Description |
| Subject Matter | Provision of AI-automated win/loss feedback analysis. |
| Duration | The term of the Master Subscription Agreement plus the period until all data is deleted. |
| Nature of Processing | Collection, storage, and AI-driven categorization of buyer feedback. |
| Data Categories | Pseudo-anonymized IDs, Survey responses, Sentiment scores, and Metadata (Timestamp, Browser type). |
| Sensitive Data | Prohibited. Controller shall not transmit health, financial, or biometric data. |
ANNEX II: TECHNICAL AND ORGANIZATIONAL MEASURES (TOMs)
| Measure | Implementation Detail | Legal Risk Addressed |
| Access Control | Just-in-Time (JIT) access for engineering; MFA required. | Unauthorized Access |
| Logging | 30-day auto-expiry of server-side http logs. | PII Leakage/Storage Limitation |
| Network Security | No third-party tracking pixels (Google Analytics removed). | Shadow Tracking / Cookie Compliance |
| AI Isolation | API-only interaction with Gemini (No human-in-the-loop at sub-processor). | Confidentiality / Data Leakage |
ANNEX III: LIST OF SUB-PROCESSORS
|
Sub-processor |
Purpose |
Location |
|
Supabase (PostgreSQL) |
Primary Database Hosting & Auth |
USA |
|
Google LLC (Gemini AI) |
AI Sentiment Analysis (Zero-Training Tier) |
USA |
|
Cloudflare, Inc. |
WAF, DDoS Protection, and CDN |
Global |
|
Upstash, Inc. |
Serverless Redis (Rate Limiting) |
USA (AWS Region) |
|
Rybbit.io |
Analytics Processing |
USA |
|
Stripe, Inc. |
Payment Processing (Controller Data only) |
USA |