Data Processing Agreement (DPA)

This Data Processing Agreement (the "DPA") is entered into between the customer (the "Controller") and Perfect Wiki ("Processor") and forms part of the agreement governing the customer's use of the Perfect Wiki service (the "Agreement"). Where any conflict arises, this DPA prevails over the Agreement with respect to the processing of personal data.

1. Definitions

Terms used in this DPA have the meanings given to them in the EU General Data Protection Regulation 2016/679 ("GDPR"). "Personal Data" means any information relating to an identified or identifiable natural person processed by Processor on behalf of Controller in connection with the Agreement.

2. Subject matter, duration, nature, and purpose

  • Subject matter: Provision of the Perfect Wiki SaaS service.
  • Duration: The term of the Agreement, plus the data-retention period defined in Perfect Wiki's Data Classification, Retention & Deletion Policy.
  • Nature and purpose: Hosting, processing, search-indexing, AI-assisted querying, backing up, and supporting the Controller's wiki content and account data.
  • Categories of data subjects: Controller's employees, contractors, and other end-users authorized by Controller to use the service.
  • Categories of Personal Data: Name, email address, profile picture (if provided), organization membership, user-generated content, integration identifiers, technical data (IP address, device, browser metadata).

3. Roles and responsibilities

Controller determines the purposes and means of processing the Personal Data uploaded to or generated within the service. Processor processes Personal Data only on documented instructions from Controller, including with regard to transfers of Personal Data, unless required to do so by applicable law.

4. Confidentiality

Processor ensures that personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5. Security of processing

Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in the Trust Center, including:

  • Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256).
  • Access controls based on least privilege, with authentication via the customer's identity provider (Microsoft Entra, Google) or passwordless one-time codes.
  • Logical separation of tenants and of production, staging, and development environments.
  • Daily encrypted backups with documented restoration procedure.
  • Logging, monitoring, and incident response per published policies.
  • Annual review of all security policies; vulnerability management; secure SDLC.

6. Sub-processors

Controller grants Processor a general authorization to engage sub-processors. The current list is maintained on the Sub-processors page of the Trust Center. Processor will:

  • Impose data-protection obligations on each sub-processor by written contract that are at least as protective as those in this DPA.
  • Notify Controller in advance of any intended addition or replacement of a sub-processor processing Controller's Personal Data, with at least 30 days' notice.
  • Allow Controller to object on reasonable, documented grounds. If the parties cannot reach agreement, Controller may terminate the affected service with a pro-rata refund of pre-paid fees.

7. Assistance to Controller

Processor will, taking into account the nature of the processing, assist Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling Controller's obligations to:

  • respond to requests from data subjects exercising rights under GDPR Chapter III;
  • ensure security of processing (Art. 32 GDPR);
  • notify personal-data breaches (Art. 33-34 GDPR);
  • perform data-protection impact assessments and prior consultations (Art. 35-36 GDPR).

8. Personal data breach notification

Processor notifies Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal-data breach affecting Controller's Personal Data, providing information reasonably required for Controller to comply with its own notification obligations.

9. International transfers

Where Personal Data is transferred from the EEA, UK, or Switzerland to a country not deemed adequate by the European Commission, the parties rely on the EU Standard Contractual Clauses (Module Two: Controller-to-Processor) or, where applicable, the UK Addendum and Swiss equivalent. By signing this DPA, the parties are deemed to have signed the relevant SCCs.

10. Audit rights

Processor makes available to Controller all information reasonably necessary to demonstrate compliance with this DPA. On reasonable written notice and no more than once per twelve-month period (except following a personal-data breach), Controller — or an independent third-party auditor mandated by Controller and bound by appropriate confidentiality — may conduct an audit of Processor's compliance. To minimize disruption, Processor may satisfy this obligation by providing relevant certifications, attestations, completed industry questionnaires (such as the CSA CAIQ), and policy documentation.

11. Return or deletion

On termination of the Agreement, Processor will, at the choice of Controller, delete or return all Personal Data and delete existing copies, unless retention is required by applicable law. Backups containing Personal Data age out per the Data Retention Policy.

12. Contact

Data protection contact: [email protected].


To execute this DPA against your contract, contact [email protected]. A countersigned PDF will be provided on request. Version: 2026-05-21.
