Data Processing Addendum

This page summarizes the PACKWOLF DPA process. It is not itself a contract and does not modify any signed agreement. The executed DPA, customer agreement, order form, and security addendum are the operative documents for a customer relationship.

We provide a DPA when PACKWOLF processes personal data on behalf of a customer, including personal data in workspace content, traces, support files, logs, connected-system payloads, or model-provider calls made through PACKWOLF Cloud.

Customers decide what data enters a workspace, what agents may do, who can access the workspace, which tools are connected, and which model route is used. For that customer personal data, the customer is usually the controller or processor, and PACKWOLF acts as processor or subprocessor.

PACKWOLF may act as an independent controller for limited business contact data, billing/procurement records, fraud prevention, website requests, legal compliance, and security administration, as described in the privacy policy.

Our DPA covers processor obligations, documented instructions, confidentiality, personnel access controls, security measures, assistance with data-subject requests, incident notice, subprocessor approval, audit rights, return or deletion, and cooperation with impact assessments where applicable.

For international transfers, the DPA can incorporate the EU Standard Contractual Clauses and the UK International Data Transfer Addendum where applicable. We align transfer and subprocessor commitments with the customer's selected deployment model and provider path.

The current subprocessor package is provided with the DPA and includes infrastructure, CRM/support, and any PACKWOLF-managed model or service providers used for your deployment. Customer-configured providers, bring-your-own-key providers, local models, and customer-hosted MCP or API services may be governed by the customer's own provider terms.

Customers receive notice of material subprocessor additions before they take effect and have the objection rights stated in the signed DPA. We can also document a no-managed-model-provider path where your workspace uses local models or customer-owned keys only.

The DPA references technical and organizational measures for access control, encryption in transit and at rest, tenant isolation, logging, vulnerability handling, least privilege, support access, incident response, and employee confidentiality. Our public security posture is summarized at /security.

For vendor review, we can respond to security questionnaires, share architecture details under NDA, and document deployment-specific controls for Cloud, Desktop, BYOK, local model, and hybrid workflows.

The signed DPA sets the incident-notification timeline. In practice, we notify affected customers without undue delay after confirming a personal-data breach involving customer personal data and provide the information reasonably needed to meet legal obligations.

We assist customers with deletion, export, access, correction, restriction, data-subject requests, and regulator inquiries to the extent required by the DPA and technically possible for the selected deployment model.

At termination or on written request, we return, export, delete, or de-identify customer personal data according to the signed agreement. Backups and security logs may persist for a limited period before ordinary deletion, unless law requires longer retention.

Desktop deployments are primarily controlled by the customer's local environment. PACKWOLF can help identify local deletion/export steps, but the customer controls devices, local files, local model stores, and customer-managed connected systems.

Email legal@packwolf.ai with your company legal name, jurisdiction of incorporation, signatory name and title, workspace deployment model, and any vendor-review deadline. We aim to return the standard PACKWOLF DPA within five business days during closed beta.

Custom redlines, security addenda, regulator-specific clauses, and customer paper are reviewed case by case. They may take longer during closed beta.