Data Processing Agreement
Last updated: January 10, 2026
Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Data Controller," "Customer," "you") and Paystrat LLC, operating as Wolense ("Data Processor," "Wolense," "we," "us") for the provision of algorithmic influence analysis services ("Services").
This DPA applies to the extent that Wolense processes Personal Data (as defined below) on your behalf in connection with the Services, and supplements our Privacy Policy and Terms of Service.
Contact Information:
Company: Paystrat LLC (operating as Wolense)
Address: 30 N Gould St Ste R, Sheridan, WY 82801, USA
Email: privacy@wolense.com
DPA-specific contact: dpa@wolense.com
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person that is provided to Wolense in connection with the Services, including:
Your account information (name, email, payment details)
Your child's information (name, age, social media activity data)
"Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
"Data Subject" means the identified or identifiable natural person to whom Personal Data relates (you and your child).
"Data Controller" means you, the customer, who determines the purposes and means of processing Personal Data.
"Data Processor" means Wolense, who processes Personal Data on behalf of and according to the instructions of the Data Controller.
"Sub-processor" means any third party engaged by Wolense to process Personal Data on behalf of the Data Controller.
"Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data, including:
General Data Protection Regulation (GDPR) (EU) 2016/679
UK GDPR and Data Protection Act 2018
California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
Children's Online Privacy Protection Act (COPPA)
Any other applicable national, federal, state, or local privacy laws
"Standard Contractual Clauses" (SCCs) means the contractual clauses approved by the European Commission for the transfer of Personal Data to processors established in third countries.
2. Scope and Roles
2.1 Relationship
For purposes of this DPA:
You are the Data Controller - You determine why and how Personal Data is processed
Wolense is the Data Processor - We process Personal Data according to your instructions
2.2 Instructions
Wolense will process Personal Data only:
As necessary to provide the Services described in our Terms of Service
According to your documented instructions (by using the Services, you instruct us to process data as described)
In compliance with Applicable Data Protection Law
Your instructions include:
Uploading data for analysis
Requesting reports
Managing your account settings
Exercising data subject rights
2.3 Data Controller Obligations
As the Data Controller, you are responsible for:
Ensuring you have legal authority to provide Personal Data for processing
Obtaining necessary consents from Data Subjects (including parental consent for children's data)
Ensuring instructions to Wolense comply with Applicable Data Protection Law
Responding to Data Subject requests (we will assist as described in Section 6)
3. Details of Processing
3.1 Subject Matter
Processing of Personal Data to provide algorithmic influence analysis services for social media content.
3.2 Duration
Processing occurs for the duration of:
Your active use of the Services
Data retention period (30 days post-report delivery, unless earlier deletion requested)
Legal retention requirements (e.g., payment records for tax purposes)
3.3 Nature and Purpose
Purpose: Analyze patterns in social media content to identify algorithmic influences
Nature: Automated analysis using AI and machine learning, followed by expert human review
3.4 Types of Personal Data
About You (Data Controller):
Name, email address
Payment information (processed by Stripe; we don't store card details)
Account credentials (password encrypted)
IP address, device information
Usage data (pages visited, features used)
About Your Child (Data Subject):
First name or pseudonym
Age or date of birth
Social media activity data:
Video watch history
Content engagement (likes, saves, shares)
Followed accounts
Platform recommendations
Engagement metrics
3.5 Categories of Data Subjects
Parents and legal guardians (account holders)
Children (minors under 18, typically ages 11-17)
4. Wolense's Obligations as Data Processor
4.1 Compliance
Wolense shall:
Process Personal Data only according to documented instructions from you
Ensure that persons authorized to process Personal Data are bound by confidentiality
Implement appropriate technical and organizational security measures (Section 5)
Engage Sub-processors only with your prior consent (Section 7)
Assist you in responding to Data Subject requests (Section 6)
Assist you in ensuring compliance with data protection obligations
Delete or return Personal Data upon termination, as requested (Section 9)
Make available all information necessary to demonstrate compliance
Allow for and contribute to audits and inspections
4.2 Notification of Inability to Comply
If Wolense believes your instruction violates Applicable Data Protection Law, we will:
Inform you immediately
Explain why we believe the instruction is problematic
Suspend processing until the matter is resolved
4.3 Notification of Legal Requests
If we receive a legal request to disclose Personal Data (subpoena, court order, government request), we will:
Notify you promptly (unless legally prohibited)
Challenge overly broad requests where possible
Disclose only the minimum information required
5. Security Measures
5.1 Technical and Organizational Measures
Wolense implements appropriate security measures to protect Personal Data, including:
Encryption:
Data in transit: TLS 1.3 encryption
Data at rest: AES-256 encryption
Encrypted backups with secure key management
Access Controls:
Role-based access control (RBAC)
Multi-factor authentication (MFA) for all staff
Principle of least privilege
Regular access reviews and audits
Infrastructure Security:
SOC 2 Type II compliant hosting (AWS)
Regular security audits and penetration testing
Vulnerability scanning and patch management
DDoS protection and web application firewalls
Data Segregation:
Customer data logically separated
Children's data segregated from adult data
Production and development environments separated
Monitoring and Logging:
Security event monitoring and logging
Intrusion detection systems
Audit trails for data access
Personnel Security:
Background checks for all employees
Confidentiality agreements
Regular security training
Secure development practices
Incident Response:
Documented incident response plan
24/7 security monitoring
Regular testing of incident procedures
5.2 Regular Testing and Evaluation
We regularly test, assess, and evaluate the effectiveness of security measures:
Quarterly security audits
Annual penetration testing
Continuous vulnerability monitoring
Regular security training for staff
5.3 Security Documentation
Upon request, we will provide:
Summary of security measures
Copies of relevant certifications (SOC 2 reports)
Evidence of compliance with security standards
6. Data Subject Rights
6.1 Your Obligations
As the Data Controller, you are responsible for responding to Data Subject requests (right to access, rectification, erasure, restriction, portability, objection).
6.2 Our Assistance
Wolense will assist you by:
Providing technical means for you to access, correct, or delete Personal Data
Responding to your requests within 10 business days
Providing data in machine-readable format upon request (data portability)
Suspending processing when requested (restriction)
6.3 Direct Data Subject Requests
If a Data Subject contacts Wolense directly to exercise their rights:
We will forward the request to you within 2 business days
You will be responsible for responding to the Data Subject
We will assist you in fulfilling the request as described above
6.4 Fees for Assistance
For standard requests, our assistance is provided at no additional cost. For complex, repetitive, or manifestly unfounded requests, we may charge a reasonable fee based on administrative costs.
7. Sub-processors
7.1 Authorized Sub-processors
You authorize Wolense to engage the following Sub-processors:
| Sub-processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting and storage | United States | All Personal Data |
| Stripe, Inc. | Payment processing | United States | Payment information only |
| [Email Service Provider] | Email delivery | [Location] | Email addresses, report notifications |
7.2 Sub-processor Obligations
Wolense ensures that Sub-processors:
Are bound by data protection obligations at least as protective as this DPA
Implement appropriate technical and organizational security measures
Process Personal Data only for purposes authorized by Wolense
Comply with Applicable Data Protection Law
7.3 Changes to Sub-processors
Notice of New Sub-processors:
We will notify you at least 30 days before engaging a new Sub-processor
Notification will be sent to your account email address
We will provide information about the Sub-processor (name, purpose, location)
Your Right to Object:
You have 10 business days to object to a new Sub-processor
Objections must be based on reasonable data protection concerns
If we cannot accommodate your objection, either party may terminate the Services
7.4 Liability for Sub-processors
Wolense remains fully liable to you for the performance of Sub-processors' obligations under this DPA.
8. International Data Transfers
8.1 Data Transfer Mechanisms
Personal Data may be transferred to and processed in the United States (where Wolense and its Sub-processors are located).
For transfers from the EEA/UK to the US: We rely on the following mechanisms:
Standard Contractual Clauses (SCCs): We incorporate the European Commission's SCCs approved for controller-to-processor transfers
Supplementary Measures: We implement additional technical and organizational measures to ensure data protection
For transfers from other jurisdictions:
We comply with applicable data transfer requirements
We implement appropriate safeguards as required by local law
8.2 Your Rights Under SCCs
If SCCs apply to your data transfers:
You and your Data Subjects are third-party beneficiaries of the SCCs
You can enforce the SCCs directly against Wolense or Sub-processors
If Wolense cannot comply with the SCCs, you may suspend data transfer or terminate the agreement
8.3 Government Access to Data
We will:
Challenge overly broad government requests where legally possible
Notify you of government requests (unless prohibited by law)
Publish transparency reports annually (when volume justifies)
9. Data Retention and Deletion
9.1 Retention Periods
Social media data exports: 30 days after report delivery
Analysis reports: Indefinitely (in your account), until you request deletion
Account data: Duration of active account, plus legal retention requirements
Payment records: 7 years (tax and legal compliance)
9.2 Deletion Upon Termination
Upon termination of the Services or at your request:
We will delete all Personal Data within 30 days
Or, at your choice, return Personal Data to you in a commonly used electronic format
Deletion is permanent and irreversible (except for legally required data retention)
Exceptions:
Backups may retain data for up to 90 days (deleted during next backup cycle)
Payment records retained for legal compliance
Anonymized, aggregated data (no Personal Data) retained indefinitely
9.3 Certification of Deletion
Upon request, we will provide written certification that Personal Data has been deleted.
10. Data Breach Notification
10.1 Notification to You
If Wolense becomes aware of a Personal Data breach:
We will notify you without undue delay and within 72 hours of becoming aware
Notification will include:
Nature of the breach (categories and approximate number of affected Data Subjects)
Name and contact details of our data protection contact
Likely consequences of the breach
Measures taken or proposed to address the breach and mitigate harm
10.2 Your Obligations
As the Data Controller, you are responsible for:
Assessing whether notification to Data Subjects or authorities is required
Notifying relevant authorities (e.g., supervisory authorities) as required by law
Notifying affected Data Subjects if required
10.3 Our Assistance
We will:
Cooperate with your investigation of the breach
Provide additional information as it becomes available
Assist you in meeting your obligations to notify authorities and Data Subjects
Take reasonable steps to remediate the breach and prevent recurrence
10.4 Not a Waiver
Our notification does not constitute an acknowledgment of fault or liability.
11. Audit Rights
11.1 Your Audit Rights
You have the right to:
Request information demonstrating our compliance with this DPA
Conduct audits or inspections (subject to Section 11.2)
11.2 Audit Process
Documentation Review:
We will provide documentation of our compliance measures upon reasonable request
This includes security policies, certifications (SOC 2), and audit reports
On-Site Audits:
Audits must be requested in writing with at least 30 days' notice
Audits may be conducted no more than once per year (unless required by a breach or legal obligation)
Audits must be conducted during business hours and not disrupt operations
Audits must be conducted by you or an independent third-party auditor (bound by confidentiality)
You are responsible for audit costs
Restrictions:
Audits may not access other customers' data or our proprietary systems
We may redact confidential business information unrelated to your data
Audits must comply with our security policies
11.3 Alternative Verification
Instead of on-site audits, you may accept:
Our SOC 2 Type II audit reports
Third-party security certifications
Questionnaires completed by our security team
12. Liability and Indemnification
12.1 Liability Allocation
Each party's liability under this DPA is subject to the limitations in the Terms of Service, except:
Liability is not limited for breaches of confidentiality or data security
Liability is not limited for violations of Applicable Data Protection Law
12.2 Indemnification
Wolense will indemnify you against:
Claims by Data Subjects arising from Wolense's breach of this DPA or Applicable Data Protection Law
Fines or penalties imposed by supervisory authorities due to Wolense's non-compliance
You will indemnify Wolense against:
Claims arising from your breach of this DPA or Applicable Data Protection Law
Claims arising from your unlawful instructions to Wolense
Claims arising from your failure to obtain necessary consents
13. Term and Termination
13.1 Term
This DPA takes effect when you accept our Terms of Service and continues for the duration of our Services agreement.
13.2 Termination
This DPA terminates automatically upon:
Termination of the Services agreement
Your cessation of using the Services
Mutual written agreement
13.3 Effect of Termination
Upon termination:
Wolense will cease processing Personal Data (except as required for deletion or legal retention)
Data will be deleted or returned as described in Section 9
Obligations that by their nature survive (confidentiality, audit rights for past processing) remain in effect
14. Changes to This DPA
14.1 Material Changes
We may update this DPA to reflect:
Changes in Applicable Data Protection Law
Guidance from supervisory authorities
Changes to our Sub-processors or security measures
Notice of Material Changes:
We will notify you at least 30 days before changes take effect
Notification will be sent to your account email
Continued use after the effective date constitutes acceptance
14.2 Non-Material Changes
For minor clarifications or non-substantive updates, we will post the updated DPA with a new "Last Updated" date.
15. Governing Law and Jurisdiction
15.1 Governing Law
This DPA is governed by:
The laws of Wyoming, USA (for general contract terms)
Applicable Data Protection Law (for data processing obligations)
15.2 Jurisdiction
For EEA/UK customers:
Disputes related to data protection obligations will be subject to the jurisdiction of the courts in your country
You and Data Subjects may enforce this DPA in courts with jurisdiction over Wolense (Wyoming, USA)
For other customers:
Disputes will be resolved according to the dispute resolution provisions in the Terms of Service
16. Contact Information
16.1 Data Protection Contact
For DPA-related inquiries:
Email: dpa@wolense.com
Mail: Paystrat LLC (Wolense), Attn: Data Protection Officer, 30 N Gould St Ste R, Sheridan, WY 82801, USA
16.2 EU Representative
[If you appoint an EU representative under GDPR Article 27, include details here]
16.3 UK Representative
[If you appoint a UK representative, include details here]
17. Standard Contractual Clauses
17.1 Incorporation of SCCs
For customers in the EEA or UK, the Standard Contractual Clauses approved by the European Commission (Module Two: Controller-to-Processor) are incorporated into this DPA by reference and form an integral part of this agreement.
17.2 Hierarchy of Terms
In case of conflict between this DPA and the SCCs, the SCCs prevail to the extent required for compliance with Applicable Data Protection Law.
17.3 SCC Annex Information
Annex I - Parties and Processing Details: See Sections 2, 3, and 7 of this DPA
Annex II - Technical and Organizational Measures: See Section 5 of this DPA
Annex III - Sub-processors: See Section 7.1 of this DPA
18. Acceptance
By using Wolense Services, you acknowledge that you have read, understood, and agree to be bound by this Data Processing Agreement.
If you do not agree to this DPA, you must not use the Services.
Paystrat LLC, operating as Wolense
Last Updated: January 10, 2026








