Data Processing Agreement
Last updated: May 8, 2026
This Data Processing Agreement ("DPA") supplements the Wintura Terms of Service and Privacy Policy. It governs Wintura's processing of personal data on behalf of the Customer in connection with the use of the Wintura service. Capitalised terms not defined here have the meaning given in the GDPR (Regulation 2016/679) or the CCPA (Cal. Civ. Code §1798.100 et seq.).
1. Parties
Processor: Soa Technologies LLC, operator of the Wintura service ("Wintura").
Controller: the Customer entity that has agreed to the Wintura Terms of Service ("Customer").
For data the Customer submits about its own end-clients and prospects, the Customer is the Controller and Wintura is the Processor.
2. Scope and Purpose of Processing
Wintura processes personal data solely to provide and operate the service: generating proposals and statements of work, delivering them to Customer's recipients, tracking engagement, and processing payments. Wintura does not use Customer's personal data for any independent purpose, including model training.
3. Duration
This DPA remains in effect for the duration of the Customer's subscription and any additional period during which Wintura processes personal data on the Customer's behalf.
4. Categories of Data Subjects
- The Customer's end-clients and prospects (named on proposals)
- The Customer's authorised users (account holders within Customer's agency)
5. Categories of Personal Data
- Account data: name, email, agency name, role
- Proposal content: client names, contact emails, business descriptions, scope of work
- Engagement metadata: proposal opens, time-on-page, signatures
- Billing metadata: payment-processor customer ID, subscription status, invoice history
Wintura does not collect special categories of personal data (Article 9 GDPR) and asks Customers not to submit such data through the service.
6. Sub-processors
Wintura engages third-party sub-processors to operate the service. Each sub-processor is bound by contractual data-protection obligations no less protective than this DPA. The categories of sub-processing activities are listed below.
| Category of processing | Region |
|---|---|
| Cloud hosting and edge delivery | US / EU |
| Database (managed PostgreSQL) | US / EU |
| Payment processing and subscription billing | US |
| Transactional email delivery | US |
| Object storage for files and PDFs | Global (US/EU edge) |
| AI inference for proposal generation | US |
| PDF rendering microservice | US |
| Product analytics and event telemetry | US / EU |
| OAuth identity provider (third-party sign-in) | US |
The current list of named sub-processors is provided to Customer on request. To request it, email privacy@wintura.ai; a response will be returned within five business days. Wintura will notify Customer of any new sub-processor before that sub-processor begins processing Customer personal data, and Customer may object on reasonable data-protection grounds.
7. International Data Transfers
Where personal data is transferred outside the EEA, UK, or Switzerland, Wintura relies on the European Commission's Standard Contractual Clauses (SCCs, Module 2: Controller-to-Processor) and the UK International Data Transfer Addendum, as applicable. Sub-processors located outside the EEA are bound by equivalent contractual safeguards.
8. Security Measures
- HTTPS/TLS in transit for every customer-facing endpoint
- Encryption at rest at the database and object-storage layers
- Role-based access controls; least-privilege admin access
- Audit logging on administrative actions (admin_audit_log)
- Secrets stored in environment variables, never committed to source control
- Dependency vulnerability scanning via Dependabot
- Production error monitoring with PII-scrubbing pre-send hooks
9. Data Subject Rights
Wintura assists the Customer in responding to data-subject access, correction, erasure, and portability requests. End-users may export their proposals at any time as PDFs. Account holders may delete their own account and all associated data from the account settings page; deletion cascades to the agency, proposals, invoices, and sessions.
10. Breach Notification
Wintura will notify the Customer without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting the Customer's data. Notice will include the nature of the breach, categories and approximate volume of affected data, likely consequences, and remediation measures.
11. Audit Rights
On reasonable prior written notice (not more than once per year, except in case of a security incident), the Customer may request information necessary to demonstrate compliance with this DPA. Wintura currently relies on self-attestation; SOC 2 Type II attestation is on the roadmap and will replace this clause when available.
12. Return or Deletion of Data
On termination of the Customer's subscription, Wintura will, at the Customer's choice, delete or return all personal data within 30 days, except where retention is required by applicable law (for example, billing records retained for tax purposes).
13. Liability and Indemnification
Liability under this DPA is governed by the limitation-of-liability clauses in the Terms of Service. Nothing in this DPA limits either party's liability that cannot be limited under applicable law.
14. Contact
For DPA-related questions or to exercise data-subject rights, contact us at privacy@wintura.ai.