← Home

Data Processing Addendum

Effective · 27 June 2026

This Data Processing Addendum (“DPA”) supplements the agreement between you (“Customer”, controller) and Welookup Insights LLP (“Welookup”, processor) where Welookup processes personal data on the Customer’s behalf in the course of providing services. It is designed to satisfy Article 28 of the EU/UK GDPR and equivalent provisions of the India DPDP Act, 2023.

1. Roles

Customer is the controller; Welookup acts as processor. Each party complies with applicable data-protection law.

2. Processing details

  • Subject matter: the services agreed in the underlying contract / SOW.
  • Duration: term of the underlying contract plus any retention period required by law.
  • Nature & purpose: analytics consulting, CRM operations, managed-talent delivery and related professional services.
  • Data categories: business contact details and any data the Customer chooses to share within scope.
  • Data subjects: Customer’s employees, contractors and end users as applicable.

3. Customer instructions

Welookup processes personal data only on the Customer’s documented instructions, including for international transfers, unless required by law.

4. Confidentiality

Personnel authorised to process personal data are bound by written confidentiality obligations.

5. Security

Welookup maintains the technical and organisational measures described in our Security Statement, including TLS in transit, encryption at rest, RBAC, least-privilege admin access, signed-URL media access, and access logging.

6. Subprocessors

Customer provides general authorisation for Welookup to engage the subprocessors listed at /subprocessors. Welookup imposes equivalent data-protection obligations on each subprocessor and remains liable for their performance. Customers may object to new subprocessors by emailing legal@welookupinsights.com within 14 days of notification.

7. Data-subject rights

Welookup assists Customer in responding to data-subject requests by appropriate technical and organisational measures, considering the nature of the processing.

8. Personal-data breach

Welookup notifies Customer of any confirmed personal-data breach affecting Customer data without undue delay, and in any case within 72 hours of becoming aware where required by law.

9. International transfers

Where personal data is transferred outside the EEA/UK/India, the parties rely on the EU Standard Contractual Clauses (Module 2 — Controller to Processor, 2021/914), the UK International Data Transfer Addendum (where applicable), and the standard contractual mechanisms under India’s DPDP framework. These are incorporated by reference where applicable.

10. Audits

On reasonable written request and no more than once per year (unless required by a supervisory authority), Welookup will make available information necessary to demonstrate compliance with this DPA, including responses to a reasonable security questionnaire.

11. Deletion or return

On termination, Welookup will, at Customer’s choice, delete or return Customer personal data within 60 days, except where retention is required by law.

12. Liability

Each party’s liability under this DPA is subject to the limitations and exclusions in the underlying contract.

13. Order of precedence

If there is a conflict, this DPA prevails over the underlying contract on data-protection matters.

14. Signing

For a countersigned copy of this DPA, email legal@welookupinsights.com with your legal entity name, registered address and signatory.

Effective 27 June 2026.

This page is maintained by Welookup Insights LLP. It explains current practices and is not an independent certification. Questions: legal@welookupinsights.com.

Ready to start?