Data Processing Addendum
Effective Date: March 1, 2026
Last Updated: March 26, 2026
This Data Processing Addendum ("DPA") forms part of the End User License Agreement or other agreement between Wallboard Display-US LLC ("Wallboard," "Processor") and the entity identified on the applicable Order Form ("Customer," "Controller") governing Customer's use of the Wallboard digital signage platform ("Software") (collectively, the "Agreement").
This DPA applies where Wallboard processes Personal Data on behalf of Customer in the course of providing the Software, and where applicable Data Protection Laws require a data processing agreement between the parties.
1. Definitions
"Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including: (a) the EU General Data Protection Regulation 2016/679 ("GDPR"); (b) the UK General Data Protection Regulation and the UK Data Protection Act 2018 ("UK GDPR"); (c) the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"); and (d) any other applicable data protection or privacy laws.
"Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA.
"Personal Data" means any information relating to a Data Subject that is processed by Wallboard on behalf of Customer in connection with the Software. Personal Data includes Customer Data (as defined in the Agreement) to the extent it contains information relating to identified or identifiable natural persons.
"Processing" (and its derivatives) means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
"Security Incident" means a confirmed unauthorized access to, or disclosure of, Personal Data processed by Wallboard on behalf of Customer.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for the transfer of personal data to processors established in third countries, as set out in Commission Implementing Decision (EU) 2021/914, or any successor clauses adopted by the European Commission.
"Sub-processor" means any third party engaged by Wallboard to process Personal Data on behalf of Customer.
2. Roles and Scope
2.1 Roles
Customer is the Controller (or, where Customer acts as a processor for its own customers, a processor) of Personal Data. Wallboard is the Processor of Personal Data processed on behalf of Customer in connection with the Software.
2.2 Scope of Processing
Wallboard shall process Personal Data only as described in Annex 1 (Details of Processing) and in accordance with Customer's documented instructions. The Agreement, including this DPA, constitutes Customer's initial documented instructions.
2.3 Compliance
Each party shall comply with its respective obligations under applicable Data Protection Laws. Customer is responsible for ensuring that its use of the Software and its instructions to Wallboard comply with Data Protection Laws, including having a valid legal basis for processing.
3. Customer Instructions
3.1 Processing Instructions
Wallboard shall process Personal Data only on documented instructions from Customer, unless required to do so by applicable law. If Wallboard is required by law to process Personal Data other than as instructed by Customer, Wallboard shall inform Customer of that legal requirement before processing (unless prohibited by law from doing so).
3.2 Additional Instructions
If Customer issues instructions that, in Wallboard's reasonable opinion, violate applicable Data Protection Laws, Wallboard shall promptly notify Customer. Wallboard shall not be required to comply with instructions that would cause it to violate applicable law.
4. Confidentiality
Wallboard shall ensure that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations (whether contractual or statutory) and shall process Personal Data only as necessary to perform their duties.
5. Security
5.1 Security Measures
Wallboard shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures are described in Annex 2 (Security Measures) and shall include, at a minimum:
- Encryption of Personal Data in transit (TLS/HTTPS)
- Access controls restricting Personal Data access to authorized personnel
- Network isolation between customer tenants
- Regular security assessments and vulnerability scanning
- Monitoring and logging of access to systems processing Personal Data
- Backup and recovery procedures
5.2 Updates
Wallboard may update its security measures from time to time, provided that such updates do not materially decrease the overall level of protection of Personal Data.
6. Sub-processors
6.1 Authorization
Customer grants Wallboard general written authorization to engage Sub-processors to process Personal Data on behalf of Customer, subject to the requirements of this Section 6.
6.2 Current Sub-processors
The current list of Sub-processors is maintained at Sub-processor List. Customer acknowledges and approves the Sub-processors listed as of the effective date of this DPA.
6.3 Notification of Changes
Wallboard shall notify Customer at least thirty (30) days before engaging a new Sub-processor or replacing an existing Sub-processor, providing the name, location, and purpose of the proposed Sub-processor. Notification shall be made via email to Customer's designated contact or through the Software's administrative dashboard.
6.4 Objection Right
If Customer has a reasonable, legitimate objection to a new Sub-processor based on data protection grounds, Customer shall notify Wallboard in writing within fifteen (15) days of receiving notice. The parties shall work in good faith to resolve Customer's objection. If the parties are unable to reach a resolution within thirty (30) days, Customer may terminate the affected Order Form and receive a pro-rata refund of any prepaid fees for the unused portion of the Subscription Term.
6.5 Sub-processor Obligations
Wallboard shall impose data protection obligations on each Sub-processor that are no less protective than those set forth in this DPA. Wallboard remains responsible for the acts and omissions of its Sub-processors.
7. Data Subject Rights
7.1 Assistance
Wallboard shall, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures to fulfill Customer's obligations to respond to Data Subject requests to exercise their rights under Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.
7.2 Notification
If Wallboard receives a Data Subject request directly, Wallboard shall promptly redirect the request to Customer and shall not respond to the request directly unless authorized by Customer or required by law.
7.3 Costs
Wallboard shall provide assistance under this Section 7 at no additional charge for straightforward requests. For requests that are manifestly unfounded, excessive, or require significant effort, Wallboard may charge a reasonable fee based on administrative costs.
8. Security Incident Notification
8.1 Notification
Wallboard shall notify Customer of a Security Incident without undue delay and in any event within seventy-two (72) hours of becoming aware of the incident. Notification shall include, to the extent available:
- A description of the nature of the Security Incident, including categories and approximate number of Data Subjects affected
- The name and contact details of Wallboard's point of contact
- A description of the likely consequences of the Security Incident
- A description of measures taken or proposed to address the Security Incident, including measures to mitigate its effects
8.2 Cooperation
Wallboard shall cooperate with Customer and provide reasonable assistance to enable Customer to fulfill its own breach notification obligations under Data Protection Laws.
8.3 Limitations
Wallboard's notification of a Security Incident shall not be construed as an acknowledgment of fault or liability.
9. Data Protection Impact Assessments
Where required by Data Protection Laws, Wallboard shall provide Customer with reasonable assistance in conducting data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of the processing and the information available to Wallboard.
10. International Data Transfers
10.1 Data Location
Wallboard hosts Customer Data on infrastructure provided by DigitalOcean. The data center region is determined based on Customer's location:
- EU/EEA customers: Data is hosted in EU-based data centers. Personal Data does not leave the EU/EEA during normal operations.
- US customers: Data is hosted in US-based data centers.
10.2 Transfer Mechanisms
Where Personal Data is transferred from the EEA or UK to a country that has not received an adequacy decision from the European Commission, Wallboard shall ensure that appropriate transfer mechanisms are in place, including:
- Standard Contractual Clauses (SCCs): The parties agree that the SCCs (Commission Implementing Decision (EU) 2021/914) are hereby incorporated by reference and shall apply to transfers of Personal Data outside the EEA. For the purposes of the SCCs:
  - Module Two (Controller to Processor) applies where Customer is a Controller and Wallboard is a Processor
  - Module Three (Processor to Processor) applies where Customer acts as a Processor on behalf of its own customers
  - The data exporter is Customer
  - The data importer is Wallboard
  - The details of the transfer are as set out in Annex 1
  - The technical and organizational measures are as set out in Annex 2
- UK Addendum: For transfers of Personal Data from the UK, the UK International Data Transfer Addendum to the EU SCCs (as issued by the UK Information Commissioner's Office) shall apply.
10.3 Transfer Impact Assessment
Wallboard shall, upon Customer's request, provide information reasonably necessary for Customer to conduct a transfer impact assessment in respect of any international transfer of Personal Data.
11. Audit
11.1 Information
Wallboard shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and applicable Data Protection Laws.
11.2 Audit Rights
Customer (or a qualified independent third-party auditor appointed by Customer) may conduct an audit of Wallboard's processing activities under this DPA, subject to the following conditions:
- Customer shall provide at least thirty (30) days' prior written notice
- Audits shall be conducted during normal business hours
- Audits shall not unreasonably interfere with Wallboard's business operations
- Customer shall bear its own costs of any audit
- Audit frequency shall not exceed once per twelve (12) month period, unless required by a supervisory authority or in response to a Security Incident
- Customer shall treat all information obtained during an audit as Confidential Information
11.3 SOC 2 Reports
Wallboard maintains a SOC 2 compliance program. Where available, Wallboard shall provide Customer upon request with a copy of its most recent SOC 2 report (or equivalent certification), which may satisfy Customer's audit requirements under this Section 11.
12. Data Retention and Deletion
12.1 During the Agreement
Wallboard shall process and retain Personal Data for the duration of the Agreement, unless otherwise required by applicable law.
12.2 Upon Termination
Upon expiration or termination of the Agreement, Wallboard shall:
- Allow Customer thirty (30) days to export Personal Data through the Software's standard export functionality
- After the export period, delete all Personal Data in Wallboard's possession or control, including copies in backups (which shall be deleted as they expire in the normal backup rotation cycle, within ninety (90) days)
- Upon Customer's written request, certify in writing that all Personal Data has been deleted
12.3 Exceptions
Wallboard may retain Personal Data to the extent required by applicable law, provided that Wallboard shall: (a) limit such retention to only the data required; (b) maintain the confidentiality of such data; and (c) process it only for the purpose required by law.
13. Liability
Each party's liability under this DPA is subject to the limitations of liability set forth in the Agreement. This DPA does not create any independent liability beyond what is set forth in the Agreement, except as required by applicable Data Protection Laws.
14. Term
This DPA shall remain in effect for as long as Wallboard processes Personal Data on behalf of Customer. Upon termination of the Agreement, this DPA shall automatically terminate, subject to Section 12 (Data Retention and Deletion).
15. Conflict
In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data. In the event of a conflict between this DPA and the SCCs, the SCCs shall prevail.
Annex 1: Details of Processing
| Element | Description |
|---|---|
| Subject matter | Provision of the Wallboard digital signage platform |
| Duration | Duration of the Agreement |
| Nature and purpose | Processing of Personal Data to provide, maintain, and improve the Software, including account management, content management, device management, and customer support |
| Categories of Data Subjects | Customer's employees, contractors, agents, and other Authorized Users; end users of Customer's digital signage content (to the extent their data is included in Content) |
| Categories of Personal Data | Names, email addresses, IP addresses, login credentials, billing information (if applicable), user activity logs, device identifiers |
| Sensitive data | None processed by default. Customer is responsible for ensuring that sensitive or special category data is not uploaded to the Software unless appropriate safeguards are in place. |
| Processing operations | Collection, storage, organization, retrieval, use, disclosure (to authorized Sub-processors), erasure, and destruction |
| Retention | As set forth in Section 12 of this DPA and the Privacy Policy |
Annex 2: Security Measures
Wallboard implements the following technical and organizational security measures:
Access Control
| Measure | Description |
|---|---|
| Authentication | Token-based authentication (OAuth 2.0) with configurable token lifetimes |
| Authorization | Role-based access control with per-tenant isolation |
| Password policy | Configurable password strength requirements |
| Multi-factor authentication | TOTP-based two-factor authentication available for all Authorized User accounts, with optional enforcement at the customer level |
| Session management | Configurable session timeouts with automatic token expiration |
Network Security
| Measure | Description |
|---|---|
| Encryption in transit | TLS 1.2+ for all data in transit |
| Network isolation | Kubernetes-based tenant isolation with namespace separation |
| Firewall | Network-level access controls and ingress policies |
| DNS security | Cloudflare DNS |
| Load balancing | DigitalOcean load balancers with TLS termination |
Data Protection
| Measure | Description |
|---|---|
| Encryption at rest | DigitalOcean managed database encryption |
| Backup | Automated daily backups with 90-day retention |
| Data isolation | Logical tenant separation at application and database level |
| Data minimization | Collection limited to data necessary for service provision |
Monitoring and Incident Response
| Measure | Description |
|---|---|
| Monitoring | Continuous monitoring via Prometheus and Grafana (self-hosted) |
| Logging | Centralized log aggregation with retention policies |
| Alerting | Automated alerting for anomalous activity and system health |
| Incident response | Documented incident management procedure with severity classification (Low/Medium/High/Critical) and defined escalation paths |
| On-call | 24/7 on-call engineer rotation for incident response |
Organizational Measures
| Measure | Description |
|---|---|
| Personnel | Confidentiality obligations for all staff with access to Personal Data |
| Access reviews | Periodic review of access privileges |
| Security assessments | Regular vulnerability assessments and security audits |
| Compliance | SOC 2 compliance program |
| Information Security Officer | Designated officer responsible for data protection and security oversight |