Data Processing Addendum.
This is a placeholder DPA while a lawyer reviews the real one. Until then, here are the practical commitments OpenWPAgent makes to every paying customer that handles personal data of EU/UK/CA residents.
Roles
For data your store collects from end customers (orders, names, emails, addresses, browsing behavior), you are the controller and OpenWPAgent is the processor. We process that data only on your documented instructions, which you express through the dashboard settings, the agent strategy configs, and the actions you approve.
Processing scope
The personal data we process on your behalf includes:
- Customer order metadata (order ID, date, total, fulfillment status) — pulled from WooCommerce when an agent needs it
- Email addresses and names — for the email marketer agent and customer service chat
- Chat transcripts — when a customer interacts with the AI chat widget
- Search Console + GA4 traffic data — when the analytics loop pulls metrics
We do not process payment card numbers, full payment instrument details, or any data classified as special-category under GDPR Article 9.
Sub-processors
See openwpagent.com/sub-processors. We email you 30 days before adding a new sub-processor.
Security measures
OpenWPAgent implements:
- Encryption in transit (TLS 1.2+) and at rest (AES-256-GCM for stored credentials, AES encryption at the database level)
- Role-based access controls inside organizations (owner / admin / member / viewer)
- Postgres row-level security policies on every per-tenant table, so a tenant's queries can only reach that tenant's rows
- Audit logging of every privileged action (member.invited, license.activated, etc.)
- Stripe + Resend + Supabase as security-vetted sub-processors
- 14-day retention on AI provider request bodies (we don't store them long-term)
Data subject rights
You retain primary responsibility for responding to your customers' data subject access, rectification, erasure, and portability requests. OpenWPAgent assists you with reasonable measures, including a one-click export and delete of your entire org's data via /account/settings → Export and /account/settings → Delete organization.
International transfers
OpenWPAgent is hosted in us-east-1 (US East). For EU customers we rely on the EU Standard Contractual Clauses; for UK customers, on the SCCs together with the UK ICO's International Data Transfer Addendum to them. Sub-processors with EU presences (Stripe, Resend) operate under the same framework. We do not transfer data to countries that lack either an adequacy decision or SCC coverage.
Breach notification
If we become aware of a personal data breach affecting your data, we notify you within 72 hours at the email address of the org's billing contact. The notification describes the nature and scope of the breach, its likely consequences, and the measures we have taken or propose to take.
Audits
On reasonable notice, we provide audit information necessary to demonstrate compliance with this DPA. For paying customers we accept reasonable third-party audits at the auditor's expense, no more than once per year, scoped to OpenWPAgent's controls (not our sub-processors').
Termination
On termination, we delete or return all customer personal data within 30 days unless retention is required by law. Backups are retained for at most 90 days, so deleted data ages out of backups within that window.
Contact
DPA questions: dpa@openwpagent.com.