Warp Data Processing Addendum (DPA)
This Data Processing Addendum (“DPA”) amends and forms part of the written agreement between Licensee and Denver Technologies, Inc. d/b/a Warp.dev (“Warp”) (collectively, “the parties”) for the provision of services to Licensee (the “Agreement”). This DPA prevails over any conflicting term of the Agreement but does not otherwise modify the Agreement.
1. Definitions
1.1. In this DPA:
a) “Data Protection Law” means all laws that apply to the Processing of Personal Data under the Agreement, including European Data Protection Law and the laws and regulations of the United States and its states, including the California Consumer Privacy Act (“CCPA”), as amended from time to time, to the extent such laws and regulations apply to the relevant party.
b) “European Data Protection Law” means the General Data Protection Regulation (EU) 2016/679 ("GDPR") and all other privacy and data protection laws of the European Economic Area (“EEA”), and their respective Member States, Switzerland and the United Kingdom (“UK”) and all laws implementing or supplementing the foregoing.
c) “Personal Data” means any Licensee Data that reasonably relates, directly or indirectly, to an identified or identifiable natural person that Warp Processes on Licensee’s behalf to provide services under the Agreement.
d) “Processing” (including its cognate “Process”) means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
e) “Security Incident” means a breach of security leading to the unauthorized or unlawful access by a third party, or confirmed accidental or unlawful destruction, loss or alteration, of Personal Data.
f) “Standard Contractual Clauses” means (i) Module 2 of the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj (the “EU SCCs”), and (ii) where the UK GDPR applies, the EU SCCs as supplemented by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Commissioner under S119A(1) Data Protection Act 2018 (the “UK SCCs”).
1.2. Capitalized terms used but not defined herein have the meaning given to them in the Agreement.
2. Scope and Roles
2.1. The subject matter, nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects are set out in Annex I.
2.2. Warp agrees that it will Process Personal Data only in accordance with the Agreement and this DPA. To the extent applicable, Warp will Process Personal Data as a “processor” or “service provider” as such terms are defined under applicable Data Protection Law.
3. Data Protection
3.1. When Warp Processes Personal Data, it will:
a) Process the Personal Data in accordance with Licensee's documented instructions as described in the Agreement or this DPA. Warp will notify Licensee if it considers that an instruction from Licensee is in breach of Data Protection Law, unless it is prohibited from doing so by law on important grounds of public interest;
b) assist Licensee, taking into account the nature of the Processing and the information available to Warp, in complying with Licensee's obligations to respond to requests concerning Personal Data from individuals under applicable Data Protection Law;
c) implement and maintain appropriate physical, technical and organizational measures to ensure a level of security appropriate to the risk, which include the technical and organizational measures required by applicable Data Protection Law;
d) only entrust the Processing of Personal Data to personnel who have undertaken to comply with confidentiality requirements; and
e) upon termination of the Agreement, as instructed by Licensee, to the extent that Warp retains Personal Data, permit Licensee to delete or obtain copies of such Personal Data consistent with the functionality of the services and applicable law.
3.2. Warp certifies that it will not (a) “sell” or “share” (as defined in the CCPA) the Personal Data; (b) retain, use, combine or disclose the Personal Data for any purpose other than as permitted under this DPA and in accordance with the Agreement; or (c) retain, use, or disclose the Personal Data other than in the context of the direct relationship with Licensee in accordance with the Agreement.
4. Licensee Responsibilities
4.1. Licensee is responsible for the lawfulness of Personal Data processing under or in connection with the services. Licensee will (i) provide all required notices and obtain all required consents, permissions and rights necessary under applicable Data Protection Law for Warp to lawfully Process Personal Data for the purposes contemplated by the Agreement; (ii) make appropriate use of the services to ensure a level of security appropriate to the particular content of the Personal Data; (iii) comply with all Data Protection Law applicable to the collection of Personal Data and the transfer of such Personal Data to Warp; and (iv) ensure its processing instructions comply with applicable laws (including applicable Data Protection Law).
5. Subprocessing
5.1. Licensee agrees that Warp may use the third-party suppliers listed in Annex III to Process Personal Data on its behalf for the provision of the services under the Agreement (each a “Subprocessor”).
5.2. Warp will maintain a list of Subprocessors and, prior to authorizing any new Subprocessor to access Personal Data, Warp will update the list of Subprocessors. Warp will notify Licensee by email prior to the appointment of a new Subprocessor. If Licensee objects to the appointment of such Subprocessor within ten (10) days, it may terminate the portion of the services that cannot be provided without such Subprocessor on written notice to Warp that includes Licensee’s legitimate and documented grounds for non-approval.
5.3. Warp will ensure that any Subprocessors to which it transfers Personal Data enter into written agreements with Warp requiring that the Subprocessor abide by terms substantially similar to those contained in this DPA.
5.4. Warp will remain liable for any breaches of this DPA caused by its Subprocessors.
6. Restricted Data Transfers
6.1. In the event that Licensee is subject to European Data Protection Law and the transfer of Personal Data to Warp would be restricted in the absence of the Standard Contractual Clauses, the Parties agree that the Standard Contractual Clauses shall be incorporated into this DPA with Licensee as the “data exporter” and Warp as the “data importer.”
6.2. The Standard Contractual Clauses are further completed as follows: the optional docking clause in Clause 7 is implemented; Clause 9(a) option 2 is implemented and the time period therein is specified as thirty (30) days; the optional redress clause in Clause 11(a) is struck; the governing law in Clause 17 is the law of the Republic of Ireland; the courts in Clause 18(b) are the Courts of the Republic of Ireland; and Annex 1, 2 and 3 to the Standard Contractual Clauses are Paragraph 3, 4, and 5 of this DPA respectively. To the extent required by Data Protection Law in the UK, Part 1, tables 1, 2 and 3 of the UK SCCs will be deemed to be completed like their equivalent provisions in the EU SCCs. For the purpose of Part 1, Table 4, the party that may end the UK SCCs in accordance with Section 19 of the UK Addendum is the importer.
7. Assistance and Notifications
7.1. Upon Licensee’s request, Warp will provide Licensee with reasonable cooperation and assistance to the extent required to fulfil Licensee’s obligation under European Data Protection Law to:
a) reply to investigations and inquiries from data protection regulators; and
b) carry out a data protection impact assessment related to the services, where Client does not otherwise have access to the relevant information necessary to perform such assessment.
7.2. Unless prohibited by Data Protection Law, Warp must inform Licensee without undue delay if Warp:
a) receives a request, complaint or other inquiry regarding the Processing of Personal Data;
b) receives a binding or non-binding request to disclose Personal Data from law enforcement, courts or any government body;
c) is subject to a legal obligation that requires Warp to Process Personal Data in contravention of Licensee’s instructions; or
d) is otherwise unable to comply with Data Protection Law or this DPA.
7.3. Upon becoming aware of a Security Incident, Warp will inform Licensee without undue delay and will provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Licensee to allow Licensee to fulfill its data breach reporting obligations under applicable Data Protection Law.
8. Audit
8.1. Warp will make available to Licensee at Licensee’s request information which is necessary to demonstrate compliance with this DPA and allow for any audits, including inspections, conducted by Licensee or another auditor, as requested by Licensee.
8.2. To the extent Warp makes available to Licensee confidential summary reports ("Audit Report") prepared by third-party security professionals, Licensee agrees to accept such Audit Report, subject to confidentiality requirements, in satisfaction of its audit right; however, if Licensee can demonstrate that it requires additional information, beyond the Audit Report, then Licensee may request, at Licensee's cost, Warp to provide for an audit subject to reasonable confidentiality procedures, which will: (i) not include access to any information that could compromise confidential information relating to other Warp Licensees or suppliers, Warp's technical and organizational measures, or any trade secrets; and (ii) be performed upon not less than thirty (30) days’ notice, during regular business hours and in such a manner as not to unreasonably interfere with Warp’s normal business activities.
9. General
9.1. If there is any conflict between this DPA and the Agreement, this DPA will prevail to the extent of that conflict in connection with the Processing of Personal Data.
9.2. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
9.3. Notwithstanding anything to the contrary in the Agreement or this DPA, the liability of each party under this DPA is subject to the limitations of liability set out in the Agreement.
9.4. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement.
ANNEX I
A. LIST OF PARTIES
Licensee is the controller and the data exporter and Warp is the processor and the data importer.
B. DESCRIPTION OF TRANSFER
- Subject Matter: Providing the services under the Agreement
- Duration of the Processing: For the duration of the Agreement
- Nature and Purpose of the Processing: Providing the services under the Agreement
- Frequency of the Processing: Continuous
- Categories of Data: Names, contact information, information regarding usage of the services
- Special Categories of Data Processed: N/A
- Data Subjects: Licensee employees and other authorized users
C. COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority is the Irish Data Protection Commission.
ANNEX II
Warp or its subprocessors (as applicable) maintain the following technical and organizational measures:
1. Physical access control
Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (e.g., access authorizations; key management procedures; door locking; etc.).
2. Data access control
Technical and organizational measures to prevent data processing systems from being used by unauthorized persons (e.g., user identification and authentication procedures; ID/password security procedures; logging of access; network security; etc.).
3. Disclosure control
Technical and organizational measures designed to prevent personal data from being read, copied, modified or deleted without authorization during transmission, transport or storage (e.g., encryption/tunneling; logging; transport security, etc.).
4. Availability control
Technical and organizational measures designed to protect personal data against accidental destruction or loss (e.g., backup; mirroring; uninterruptible power supply (UPS); remote storage; antivirus/firewall systems; disaster recovery; etc.).
5. Separation control
Technical and organizational measures designed to maintain separation between different data processing environments (e.g., separation of databases; segregation of functions (production/testing); procedures for storage, amendment, deletion, transmission of data for different purposes; etc.).
ANNEX III
List of Subprocessors
Licensee authorizes Warp to engage the following Subprocessors: warp.dev/subprocessors