Go back

Data Processing Agreement

This Data Processing Agreement ("DPA") governs the processing of personal data by Theridion IT ("Provider", "Processor") on behalf of the Customer ("Controller") in connection with the Gwilio Services. This DPA forms an integral part of the Gwilio Terms of Use. In the event of any conflict regarding data protection matters, this DPA prevails.

Both parties acknowledge and comply with:

  • Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR),
  • The Belgian Act of 30 July 2018 on the Protection of Natural Persons with regard to the Processing of Personal Data.

1) Roles of the Parties

The Customer acts as the Data Controller for all personal data entered into or generated within the Services.
The Provider acts as the Data Processor, processing personal data only on behalf of and under the instructions of the Customer.

2) Subject Matter and Purpose of Processing

The Provider processes personal data exclusively for:
  • Operating, maintaining, and supporting the Gwilio Services;
  • Managing User authentication and access;
  • Ensuring security, stability, and performance;
  • Providing technical support and resolving incidents.
The Provider shall not process personal data for any other purposes.

3) Categories of Data and Data Subjects

3.1 Data Subjects

Users (team members) of the Customer's organisation. No intentional processing of Guest personal data occurs.

3.2 Categories of Data

  • User email address and username (authentication data);
  • Operational Content created or uploaded by Customer staff;
  • System and server logs that are de-identified or anonymous;
  • Anonymous guest interaction metrics (non-personal).
No special categories of personal data are processed. No personal data of Guests is collected, stored, or processed. All data processed by the Provider is hosted on EU-based cloud infrastructure, ensuring data remains within the EEA. Any visits or usage metrics recorded on the Public Guide are anonymous, non-identifying, server-side statistics.

4) Instructions and Compliance

The Provider processes personal data only on documented instructions from the Customer unless required by Belgian or EU law. If such legal requirements exist, the Provider will notify the Customer unless legally prohibited from doing so.

5) Security Measures

The Provider implements appropriate technical and organisational measures in accordance with GDPR Article 32 and the Belgian Act of 30 July 2018, including:
  • Encryption of data in transit;
  • Access controls and credential restrictions;
  • Secure EU-based hosting;
  • Monitoring and incident-handling procedures.

6) Subprocessors

The Provider may use subprocessors for hosting, infrastructure, analytics, or maintenance, provided that:
  • All subprocessors are bound by GDPR-compliant terms;
  • The Provider remains fully liable for their actions.
A list of subprocessors is available upon request at gwilio.guide@gmail.com.

7) International Transfers

Any transfer of Customer data outside the EU/EEA will rely on:
  • An EU adequacy decision, or
  • Standard Contractual Clauses (SCCs) issued by the European Commission.

8) Data Subject Rights

The Provider shall:
  • Forward any data subject request received directly to the Customer;
  • Assist the Customer in fulfilling GDPR rights requests as needed and where technically feasible.
The Customer is solely responsible for responding to data subject requests.

9) Personal Data Breach Notification

The Provider will notify the Customer without undue delay after becoming aware of a confirmed personal data breach affecting Customer data, in alignment with GDPR obligations.

10) Retention and Deletion

Upon account termination or Customer request:
  • Personal data (e.g., User accounts) will be deleted or anonymised within 30–90 days unless EU or Belgian law requires retention for a longer period;
  • Metadata, which is fully de-identified and aggregated, may be retained permanently by the Provider.

11) Audit Rights

To maintain security, platform integrity, and confidentiality, the Customer's audit rights are limited to:
  • Receiving documentation demonstrating compliance;
  • Written answers to reasonable compliance-related questions.
No on-site audits or access to infrastructure, source code, or internal logs is permitted.

12) Customer Responsibilities as Controller

As Data Controller, the Customer is solely responsible for:
  • Ensuring a valid legal basis for all personal data provided or entered into the Services;
  • Ensuring that Users are properly informed about data processing;
  • Managing, updating, and deleting User accounts;
  • Ensuring Users do not enter any Guest personal data into any part of the Services;
  • Ensuring Gwilio is not used for Guest communication, complaints, or operational logs;
  • Requesting immediate deletion if personal data is accidentally entered.

13) Governing Law

This DPA is governed by Belgian law. Any disputes shall be subject to the non-exclusive jurisdiction of the Belgian courts.

Last Updated Date: Monday, 18 May 2026