Legal
Governs how Wordaro processes personal data on your behalf in connection with AI output validation. Applies to GDPR, UK GDPR, and CCPA obligations.
Last updated: June 5, 2025
EU/UK customers requiring a signed copy of Standard Contractual Clauses (SCCs) should contact legal@wordaro.com. This page serves as the published DPA incorporated into our Terms of Service.
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Wordaro ("Processor") and the customer ("Controller") and governs the processing of personal data submitted to the Wordaro platform in connection with AI output validation services.
This DPA applies where the Controller submits content to Wordaro that contains or may contain personal data subject to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the California Consumer Privacy Act ("CCPA"), or other applicable data protection laws.
"Personal Data" means any information relating to an identified or identifiable natural person submitted by the Controller to the Wordaro API or playground for validation purposes.
"Processing" means any operation performed on Personal Data, including transmission, validation, and deletion.
"Controller" means the customer who determines the purposes and means of processing Personal Data.
"Processor" means Wordaro, which processes Personal Data on behalf of the Controller.
"Sub-processor" means any third party engaged by Wordaro to process Personal Data.
The Controller represents and warrants that:
• It has a lawful basis for processing and submitting Personal Data to Wordaro under applicable law
• It has provided all required notices and obtained all required consents from data subjects where necessary
• The instructions it gives to Wordaro comply with applicable data protection laws
• It is responsible for ensuring that Personal Data submitted to Wordaro is limited to what is necessary for validation purposes
Wordaro will:
• Process Personal Data only on documented instructions from the Controller (which include use of the service as described in the Terms of Service)
• Ensure that persons authorised to process Personal Data are bound by confidentiality obligations
• Implement appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing, accidental loss, destruction, or damage
• Not engage sub-processors without informing the Controller and providing the opportunity to object
• Assist the Controller in responding to data subject rights requests to the extent reasonably possible given the nature of the processing
• Delete or return Personal Data upon termination of the agreement, at the Controller's choice
Wordaro is designed to minimise data retention. Validation results on the Free plan are returned in the API response only and are not persisted. On paid plans, Wordaro may retain validation metadata (rule violations, scores, timestamps) to support dashboard features — but does not store the content submitted for validation beyond what is necessary to complete the request.
Controllers are encouraged to avoid submitting unnecessary Personal Data and to pseudonymise or anonymise data before submission where possible.
Wordaro uses the following sub-processors in the delivery of its services:
• Supabase, Inc. — database and authentication infrastructure (USA)
• Vercel, Inc. — application hosting and edge delivery (USA)
• Stripe, Inc. — payment processing (USA)
Wordaro will provide at least 14 days' notice of any intended change to sub-processors. Controllers who object to a new sub-processor and cannot resolve the objection may terminate the agreement.
Wordaro's infrastructure is primarily hosted in the United States. Where Personal Data originating in the European Economic Area, United Kingdom, or Switzerland is transferred to the USA, Wordaro relies on Standard Contractual Clauses (SCCs) as the lawful transfer mechanism, where required.
Controllers who require executed SCCs should contact legal@wordaro.com to obtain a signed copy.
Wordaro implements the following technical and organisational measures:
• Encryption in transit (TLS 1.2+) for all API communications
• Encryption at rest for all stored data via Supabase's managed infrastructure
• API key authentication with SHA-256 hashed key storage
• Role-based access controls within workspaces
• No Personal Data used for model training or shared with third parties beyond sub-processors listed above
Wordaro will notify the Controller without undue delay after becoming aware of a Personal Data breach that is likely to result in a risk to the rights and freedoms of natural persons.
Where a data subject submits a request to exercise their rights (access, rectification, erasure, portability, objection) and Wordaro receives such a request, Wordaro will promptly forward it to the Controller. The Controller is responsible for responding to data subject requests.
Wordaro will assist the Controller with erasure requests to the extent technically feasible given the ephemeral nature of most processing.
Upon reasonable written notice (minimum 30 days), Wordaro will provide the Controller with information necessary to demonstrate compliance with this DPA. Wordaro may satisfy audit rights by providing up-to-date third-party audit reports or certifications where available, in lieu of on-site audits.
This DPA is governed by the same law as the Terms of Service (State of Delaware, USA), except to the extent required otherwise by applicable data protection law.
For data protection enquiries, executed SCCs, or to exercise rights under this DPA:
legal@wordaro.com