DATA PROCESSING AGREEMENT (DPA)

Last Updated: April 14, 2025

This Data Processing Agreement (“Agreement”) is entered into between:

• Data Controller: The Client (you), who has entered into a service agreement with Whisper (Markethinkers Agency OÜ);
  
• Data Processor: Markethinkers Agency OÜ, a company incorporated in Estonia under registration number 16273849, with its principal office at Lasnamäe linnaosa, Ruunaoja tn 3, Tallinn, Harju maakond 11415, Estonia, operating the platform Whisper (https://thewhisper.co).
  

This Agreement is incorporated by reference into the Terms and Conditions and governs the processing of Personal Data on behalf of the Controller in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable data protection laws.

1. Subject Matter and Duration

This Agreement governs the processing of personal data by the Processor on behalf of the Controller in connection with the services provided via Whisper. The Agreement remains valid as long as Whisper processes personal data on behalf of the Controller.

2. Nature and Purpose of Processing

Processor shall process personal data solely for the purpose of providing the following services:

• Account creation and user management via Leap Hub SSO
  
• Content ordering, generation (via AI and/or human), and publication
  
• Transactional and wallet-related operations
  
• Communication preference management
  
• Invoice creation and financial compliance
  
• Publisher coordination and media transactions
  
• Customer support and service optimization
  
• Analytics, security monitoring, and possible future remarketing
  

3. Types of Personal Data Processed

The following categories of personal data may be processed:

• Name and surname
  
• Email address
  
• Company name
  
• Country and language of communication
  
• Sector/industry
  
• Position within company
  
• Communication preferences (marketing consent and language)
  
• Invoice details (tax office, tax number, address, etc.)
  
• IP address and device/browser metadata
  
• Uploaded media and user-submitted content
  
• Policy consent timestamps
  
• Whisper Wallet transaction details
  
• Payment status (via Stripe, PayPal, bank transfer – no card details stored)
  

4. Data Subjects

The personal data concern the following categories of data subjects:

• Clients or prospective clients of the Controller
  
• Users acting on behalf of their company
  
• Publisher representatives and partners
  
• Website visitors using Whisper services
  

5. Third-Party Subprocessors

The Processor uses the following subprocessors for specific functions, each of whom has committed to GDPR compliance:

• Leap Hub: User identity management (SSO provider)
  
• Stripe & PayPal: Payment processing (no card data stored by Whisper)
  
• Cloudways: Hosting and data storage services (server location: Frankfurt, Germany; headquartered in the United States)
  
• Cloudflare: CDN and security services
  
• MailerSend / MailerLite: Transactional and marketing emails
  
• Google Analytics & Tag Manager: Analytics and conversion tracking
  
• Meta (Facebook Ads): (planned) remarketing and ad performance
  
• OpenAI & Anthropic (Claude): AI content generation services
  
• Wise API: Currency exchange rate service
  

6. Controller Responsibilities

• Ensure legal basis for the processing of personal data
  
• Provide privacy notices to data subjects
  
• Obtain valid consent where necessary
  
• Maintain up-to-date records of data processing activities
  
• Respond to data subject requests in compliance with GDPR
  

7. Processor Responsibilities

• Process data only on documented instructions from the Controller
  
• Implement appropriate technical and organizational measures to ensure data security
  
• Assist the Controller in fulfilling obligations regarding data subject rights
  
• Ensure confidentiality and training of personnel involved in processing
  
• Notify the Controller of any personal data breach without undue delay
  
• Cooperate with supervisory authorities upon request
  

8. Data Transfers

Data may be transferred to countries outside the EEA only where:

• An adequacy decision exists; or
  
• Standard Contractual Clauses (SCCs) are implemented; or
  
• The transfer is necessary for contractual performance (e.g., to use subprocessors)
  

All international transfers by Whisper are conducted in compliance with GDPR.

9. Data Retention and Deletion

Personal data will be retained:

• As long as the user account is active
  
• As required by applicable laws (e.g., tax, legal, compliance)
  
• Until the data subject requests deletion, subject to legitimate grounds
  

Upon termination of the Controller’s use of the Services, the Processor shall delete or return all personal data unless otherwise required by law.

10. Data Subject Rights

The Controller retains the primary responsibility for responding to data subject rights requests. However, the Processor agrees to support the Controller in:

• Access, rectification, and erasure requests
  
• Objection or restriction of processing
  
• Data portability requests
  
• Withdrawal of consent and communication preference changes
  

11. Audits and Inspections

The Controller may, upon reasonable written notice and during normal business hours, audit Whisper’s data processing and security measures, either personally or via an independent auditor.

12. Liability

Each Party shall be liable for its own breaches of this Agreement. The Processor’s liability is limited in accordance with the Terms and Conditions unless otherwise required under applicable law.

13. Miscellaneous

• This Agreement shall prevail in case of conflict with other contractual provisions.
  
• This DPA is governed by the laws of Estonia.
  
• Jurisdiction: Courts of Tallinn, Estonia.
  

Markethinkers Agency OÜ

Lasnamäe linnaosa, Ruunaoja tn 3

Tallinn, 11415, Estonia

support@thewhisper.co