Data Processing Agreement
Last updated: January 21, 2026
Enterprise customers: For a signed DPA or custom terms, please contact us at abdmusttoumi@gmail.com
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between WikiBeam ("Processor", "we", "us") and the Customer ("Controller", "you") who uses our documentation publishing services.
This DPA reflects the parties' agreement regarding the processing of Personal Data in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
3. Scope of Processing
3.1 Categories of Data Subjects
- Customer account holders
- End users who view published documentation sites
- Individuals mentioned in synced ClickUp Docs content
3.2 Types of Personal Data
- Account information (name, email address)
- Authentication tokens (ClickUp OAuth tokens)
- Content from synced ClickUp Docs (which may contain Personal Data)
- Usage data and logs (IP addresses, access times)
3.3 Purpose of Processing
Personal Data is processed solely for the purpose of providing the WikiBeam documentation publishing service, including syncing documents from ClickUp and serving published documentation sites.
4. Processor Obligations
The Processor agrees to:
- Process Personal Data only on documented instructions from the Controller
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist the Controller in responding to Data Subject requests
- Delete or return all Personal Data upon termination of services, at the Controller's choice
- Make available all information necessary to demonstrate compliance with GDPR obligations
- Notify the Controller without undue delay upon becoming aware of a Personal Data breach
5. Security Measures
We implement the following security measures:
- Encryption in Transit: All data transmitted using TLS 1.3
- Encryption at Rest: Database encryption using AES-256
- Access Control: Role-based access following the principle of least privilege
- Authentication: OAuth 2.0 for ClickUp, secure session management
- Monitoring: 24/7 system monitoring and logging
- Backups: Daily automated backups with secure storage
For detailed security information, see our Security page.
6. Sub-processors
The Controller authorizes the Processor to engage the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Frontend hosting, CDN | USA (with EU edge nodes) |
| Paddle.com Market Ltd | Payment processing | UK/EU |
| Private VPS Provider | Database, sync service | France, EU |
| ClickUp | Source data (Docs API) | USA |
We will notify the Controller of any intended changes to Sub-processors, giving the Controller the opportunity to object.
7. Data Location
All customer data (documents, account information, and content) is stored and processed in Paris, France (European Union). The database and sync service are hosted on EU-based infrastructure.
This ensures compliance with GDPR data residency requirements by default.
8. International Data Transfers
Where Personal Data is transferred outside the European Economic Area (EEA), we ensure adequate protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with all Sub-processors
- Verification that Sub-processors maintain appropriate security measures
9. Data Subject Rights
We assist the Controller in fulfilling Data Subject requests including:
- Right of Access: Providing copies of Personal Data
- Right to Rectification: Correcting inaccurate data
- Right to Erasure: Deleting Personal Data ("right to be forgotten")
- Right to Restriction: Limiting processing of Personal Data
- Right to Data Portability: Providing data in a portable format
- Right to Object: Stopping processing for certain purposes
Controllers can fulfill most Data Subject requests directly through their WikiBeam dashboard, including data export and account deletion.
10. Data Retention and Deletion
Personal Data is retained only for as long as necessary to provide the services:
- Active accounts: Data retained while account is active
- Account deletion: All data permanently deleted within 30 days of account deletion request
- Backups: Removed from backups within 90 days of deletion
- Logs: Access logs retained for 90 days for security purposes
You can delete all your data at any time from your account settings.
11. Data Breach Notification
In the event of a Personal Data breach, we will:
- Notify the Controller without undue delay, and in any event within 72 hours of becoming aware
- Provide details of the breach, including categories and approximate number of Data Subjects affected
- Describe the likely consequences of the breach
- Describe the measures taken or proposed to address the breach
12. Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA. We will:
- Make available information necessary to demonstrate compliance
- Allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller
- Respond to reasonable audit requests within 30 days
13. Contact Information
For DPA-related inquiries, Data Subject requests, or to request a signed copy of this DPA:
Email: abdmusttoumi@gmail.com
We respond to all DPA and data protection inquiries within 5 business days.