Skip to content
GDPR Article 28 - Wexio as Processor

Data Processing Agreement

How Wexio, LLC processes personal data on behalf of its Customers as a Processor under Article 28 of the GDPR.

Effective 15 July 2026

This Data Processing Agreement ("DPA") forms part of and is incorporated into the Terms of Service between Wexio, LLC ("Wexio", "Processor") and the customer that accepts the Terms of Service ("Customer", "Controller") (each a "party" and together the "parties"). This DPA governs the Processing by Wexio of Personal Data on behalf of the Customer in connection with the Wexio platform (the "Service"). Where the Customer's end users' Personal Data is Processed through the Service, the Customer acts as Controller and Wexio acts as Processor. This DPA applies to the extent the GDPR or an equivalent data-protection law applies to that Processing.

In the event of any conflict between this DPA and the Terms of Service in relation to the Processing of Personal Data, this DPA prevails. In the event of any conflict between this DPA and the Standard Contractual Clauses referenced in Section 8, the Standard Contractual Clauses prevail.

1. Definitions

Capitalized terms used but not defined in this DPA have the meanings given in the Terms of Service. For the purposes of this DPA:

  • "GDPR" means Regulation (EU) 2016/679, and, where applicable, the UK GDPR and the Data Protection Act 2018.
  • "Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Personal Data Breach", and "Supervisory Authority" have the meanings given in the GDPR.
  • "Customer Personal Data" means Personal Data contained in the Conversation Data and other data that Wexio Processes on behalf of the Customer through the Service.
  • "Subprocessor" means any third party engaged by Wexio to Process Customer Personal Data.
  • "Standard Contractual Clauses" or "SCCs" means the clauses annexed to Commission Implementing Decision (EU) 2021/914 for the transfer of Personal Data to third countries, and, for UK transfers, the UK International Data Transfer Addendum.
  • "Applicable Data Protection Law" means all laws applicable to the Processing of Customer Personal Data under this DPA, including the GDPR.

2. Roles of the Parties and Scope

The parties acknowledge that, for Customer Personal Data, the Customer is the Controller (or a Processor acting on behalf of a third-party Controller) and Wexio is the Processor. Where the Customer is itself a Processor, Wexio acts as a sub-processor and the Customer warrants that it is authorized by the relevant Controller to engage Wexio on the terms of this DPA. For the Customer's own account, billing, and administrative data, Wexio acts as an independent Controller as described in the Privacy Policy, and that Processing is not governed by this DPA.

This DPA applies to Processing carried out for the duration of the Service and to the categories of data and Data Subjects set out in Annex I.

3. Processing on Documented Instructions

Wexio will Process Customer Personal Data only on the documented instructions of the Customer, including with regard to international transfers, unless required to do otherwise by law to which Wexio is subject; in such a case, Wexio will inform the Customer of that legal requirement before Processing, unless the law prohibits such information on important grounds of public interest.

The Customer's instructions are set out in this DPA, the Terms of Service, and the configuration choices the Customer makes through the Service (including choice of channels, integrations, AI provider path, storage mode, and retention settings). The Customer is responsible for the lawfulness of its instructions and of the Customer Personal Data it Processes through the Service. Wexio will inform the Customer if, in its opinion, an instruction infringes Applicable Data Protection Law, without obligation to conduct a legal review.

4. Confidentiality of Processing

Wexio will ensure that persons authorized to Process Customer Personal Data are bound by an appropriate obligation of confidentiality, whether contractual or statutory, and that access is limited to personnel who need access to provide the Service.

5. Security of Processing

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk to Data Subjects, Wexio will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex II. These measures include, as appropriate, encryption of Personal Data in transit and at rest, measures to ensure ongoing confidentiality, integrity, availability, and resilience of Processing systems, the ability to restore availability and access following an incident, and a process for regularly testing and evaluating the effectiveness of those measures.

The Customer is responsible for the security of any Customer Personal Data stored in its own infrastructure where it uses Bring-Your-Own-Storage, and for the security and permitted use of any third-party credentials it supplies, including AI provider keys under Bring-Your-Own-Key.

6. Subprocessors

The Customer provides general written authorization for Wexio to engage Subprocessors to Process Customer Personal Data. The current Subprocessors are listed at wexio.io/subprocessors, which forms Annex III to this DPA. Wexio will:

  • impose on each Subprocessor, by written contract, data-protection obligations that are no less protective than those in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organizational measures;
  • remain liable to the Customer for the performance of each Subprocessor's obligations; and
  • give the Customer at least 30 days' prior notice of the addition or replacement of a Subprocessor that Processes Customer Personal Data, during which the Customer may object on reasonable data-protection grounds.

If the Customer objects and the parties cannot resolve the objection, the Customer may terminate the affected part of the Service by written notice, as its sole and exclusive remedy.

7. Assistance with Data Subject Rights

Taking into account the nature of the Processing, Wexio will assist the Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling the Customer's obligation to respond to requests to exercise Data Subject rights under Chapter III of the GDPR. Where Wexio receives a request directly from a Data Subject in respect of Customer Personal Data, it will, unless legally prohibited, promptly inform the Customer and will not respond to the request itself except on the Customer's documented instructions. The Service provides functionality that enables the Customer to access, correct, delete, and export Customer Personal Data to assist in responding to such requests.

8. International Transfers

Wexio's primary infrastructure is located in the European Union (Ireland). Where Processing of Customer Personal Data involves a transfer to a country outside the EEA, United Kingdom, or Switzerland that is not subject to an adequacy decision, the transfer is made pursuant to an appropriate safeguard under Article 46 GDPR, in particular the Standard Contractual Clauses, which are incorporated into this DPA by reference and completed as set out in Annex IV, together with supplementary measures where appropriate. Where a Subprocessor is certified under the EU-US Data Privacy Framework, transfers to that Subprocessor may instead rely on that adequacy decision.

For transfers subject to the EU SCCs: Module Two (Controller to Processor) applies where the Customer is a Controller, and Module Three (Processor to Processor) applies where the Customer is itself a Processor. The optional docking clause applies; the governing law is the law of Ireland; the competent supervisory authority is determined in accordance with the SCCs; and the completed Annexes to this DPA populate the corresponding appendices to the SCCs.

9. Personal Data Breach Notification

Wexio will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will, to the extent available, describe the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach. Wexio will provide reasonable assistance to the Customer in meeting the Customer's own breach-notification obligations under Articles 33 and 34 GDPR. Wexio's notification is not an acknowledgment of fault or liability.

10. Data Protection Impact Assessments and Prior Consultation

Taking into account the nature of Processing and the information available to Wexio, Wexio will provide reasonable assistance to the Customer with data protection impact assessments and prior consultations with Supervisory Authorities under Articles 35 and 36 GDPR, where required in relation to the Customer's use of the Service.

11. Audits and Compliance

Wexio will make available to the Customer information reasonably necessary to demonstrate compliance with Article 28 GDPR and this DPA, and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer. To satisfy audit requests, Wexio may make available its then-current security documentation, certifications held by its infrastructure providers, and summaries of any penetration testing. Where an on-site audit is reasonably required, it will be conducted on reasonable prior notice, no more than once per year except where required by a Supervisory Authority or following a Personal Data Breach, during business hours, subject to confidentiality, and in a manner that does not disrupt Wexio's operations or the security of other customers' data.

12. Deletion and Export of Personal Data

Upon termination or expiry of the Service, and at the Customer's choice, Wexio will delete Customer Personal Data or make it available to the Customer for retrieval through the Service's export functionality, and will delete existing copies, unless retention is required by law. During the Service, Customer Personal Data in the form of Conversation Data and associated media is subject to configurable retention enforced by plan tier through an automated daily cleanup, and the Customer may trigger deletion to meet erasure requirements. Where the Customer uses Bring-Your-Own-Storage, Customer Personal Data stored in the Customer's own infrastructure is under the Customer's control, and deletion of that data is the Customer's responsibility. Backup copies held by Wexio are deleted in accordance with its documented backup cycle.

13. Liability, Term, and General

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. This DPA takes effect on the effective date of the Terms of Service and continues for as long as Wexio Processes Customer Personal Data. If any provision of this DPA is invalid or unenforceable, the remainder continues in effect. This DPA is governed by the law stated in the Terms of Service, except where Applicable Data Protection Law or the Standard Contractual Clauses require otherwise.

Wexio, LLC

Data protection contact: privacy@wexio.io

14. Annex I - Description of Processing

A. Parties

Data exporter: the Customer, acting as Controller (or as Processor on behalf of a third-party Controller), being the entity that accepts the Terms of Service. Data importer: Wexio, LLC, acting as Processor, providing the Service described in the Terms of Service.

B. Subject matter, nature, and purpose

Subject matter: the provision of the Wexio conversational AI platform. Nature and purpose: hosting, storage, transmission, and automated Processing of communications between the Customer and its end users, including AI-generated responses, summarization, classification, and Agent Actions configured by the Customer, together with related support and security.

C. Duration

For the duration of the Service and until deletion or export of Customer Personal Data in accordance with Section 12.

D. Categories of Data Subjects

CategoryExamples
Customer's end usersIndividuals who contact the Customer through connected messaging channels
Customer personnelAgents and administrators the Customer authorizes to use the Service

E. Categories of Personal Data

CategoryExamples
Contact and identifiersNames, usernames, phone numbers, email addresses, channel identifiers
Communications contentMessages, media, files (images, voice, PDFs) exchanged through the Service
Knowledge base contentReference material uploaded by the Customer, which may contain Personal Data
Usage and technical dataTimestamps, message metadata, and diagnostic data

Special-category data is not intentionally requested by Wexio. The Customer is responsible for not submitting special-category data through the Service except where it has a lawful basis and has configured appropriate safeguards.

F. Frequency

Continuous, for the duration of the Service.

15. Annex II - Technical and Organizational Measures

Wexio implements and maintains the following measures, as further described at wexio.io/security:

  • Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256), with per-organization, per-context key derivation and managed key rotation.
  • Logical tenant isolation, with tenant-scoped queries and an optional dedicated database and cache for Pro and Enterprise plans.
  • Access controls based on role-based access control, authentication through third-party identity providers with no stored passwords, and support for two-factor authentication, passkeys, and enterprise SSO.
  • Network security including segmentation, security headers, a web application firewall, and DDoS protection.
  • Malware scanning and validation of uploaded files, with organization-scoped storage and signed-URL access.
  • Continuous monitoring, dependency scanning, encrypted backups with documented recovery, and a documented incident-response plan following NIST SP 800-61.
  • Configurable data retention with automated deletion of expired messages and media.

16. Annex III - Subprocessors

The list of authorized Subprocessors, including their purpose, the categories of data processed, and their location, is maintained at wexio.io/subprocessors and is incorporated into this DPA by reference. Wexio provides notice of changes and an opportunity to object as set out in Section 6.

17. Annex IV - Standard Contractual Clauses Details

Where the Standard Contractual Clauses apply under Section 8, they are completed as follows: the module is selected according to the parties' roles (Module Two where the Customer is a Controller; Module Three where the Customer is a Processor); the optional docking clause applies; the option requiring prior authorization of Subprocessors is met by the general authorization and notice mechanism in Section 6; the governing law and the forum are those of Ireland; Annex I to this DPA populates Annex I to the SCCs; Annex II to this DPA populates Annex II to the SCCs; and the list of Subprocessors in Annex III populates the relevant appendix. For UK transfers, the UK International Data Transfer Addendum applies to the SCCs, with the information in the Annexes to this DPA completing the Addendum tables.