DATA PROCESSING ADDENDUM (DPA)
This Data Processing Addendum (“DPA”) forms part of the agreement between Media Hygiene (“Processor”) and the customer identified below (“Customer” or “Controller”) and applies to the extent Processor processes Personal Data on behalf of Controller in the course of providing the Media Hygiene plugin/service (“Services”).
Effective Date: January 1, 2026
Controller (Customer): Media Hygiene
Controller Contact Email: [email protected]
Processor: Media Hygiene
1. Definitions
1.1. “Data Protection Laws” means all laws applicable to the processing of Personal Data under this DPA, including Canadian privacy laws and, where applicable to Controller, the EU/UK GDPR and related implementing laws.
1.2. “Personal Data”, “Processing”, “Controller”, “Processor”, “Subprocessor”, and “Personal Data Breach” have the meanings given in applicable Data Protection Laws.
1.3. “Controller Data” means any Personal Data processed by Processor on behalf of Controller under this DPA, excluding de-identified aggregated analytics as described in Section 10.
1.4. “Services” means the Media Hygiene plugin and any associated services provided by Processor.
2. Roles and scope
2.1. Controller is the Controller of Controller Data. Processor processes Controller Data solely as a Processor on behalf of Controller for the limited purposes described in Annex 1.
2.2. Processor will process Controller Data only on documented instructions from Controller, including as necessary to provide the Services and as otherwise permitted by Data Protection Laws.
2.3. Data minimization. The parties intend that Processing under this DPA is limited to the telemetry and support-related processing described in Annex 1.
3. Processing details
3.1. The subject matter, nature, purpose, and categories of Personal Data and data subjects are described in Annex 1.
3.2. Limited telemetry. Controller instructs Processor to collect and process only the limited telemetry described in Annex 1. Processor does not collect or process media file contents as part of telemetry.
4. Processor obligations
Processor shall:
4.1. Ensure persons authorized to process Controller Data are bound by confidentiality obligations.
4.2. Implement and maintain the technical and organizational measures (“TOMs”) in Annex 3.
4.3. Not sell Controller Data and not process Controller Data for advertising profiling unrelated to providing the Services.
4.4. Ensure Controller Data is accessed only as necessary to provide the Services, provide support, maintain security, or comply with law.
5. Subprocessors
5.1. Controller authorizes Processor to engage Subprocessors listed in Annex 2.
5.2. Processor will impose data protection obligations on Subprocessors that are no less protective than those in this DPA for the relevant processing.
5.3. Processor remains responsible for the performance of its Subprocessors to the extent required by Data Protection Laws.
6. International transfers
6.1. Controller acknowledges that Subprocessors may process data in multiple regions (including outside Canada) depending on vendor infrastructure.
6.2. Where Data Protection Laws require a transfer mechanism (e.g., EU SCCs / UK Addendum), the parties agree the applicable mechanism will be deemed incorporated by reference and apply to the extent required for lawful transfer.
7. Assistance to Controller
7.1. Taking into account the nature of Processing, Processor will provide reasonable assistance to Controller in responding to data subject requests and regulatory inquiries related to Controller Data, insofar as Processor is legally permitted and able to do so.
7.2. Controller is responsible for responding to requests. Processor will notify Controller if it receives a request directly, unless prohibited by law.
8. Personal Data Breach
8.1. Processor will notify Controller without undue delay after becoming aware of a Personal Data Breach affecting Controller Data, and in any event within 72 hours where feasible, and provide information reasonably required to assist Controller’s response.
8.2. Processor will take reasonable steps to contain, investigate, and remediate the breach.
9. Audit and compliance
9.1. Upon Controller’s reasonable written request, Processor will provide information reasonably necessary to demonstrate compliance with this DPA, limited to information relevant to the Services and Controller Data.
9.2. Any on-site audit (if applicable) must be: (a) no more than once per year, (b) during business hours, (c) subject to reasonable confidentiality and security controls, and (d) limited to systems relevant to Controller Data. Processor may satisfy audit requests by providing appropriate third-party reports or written attestations where available.
10. Deletion, retention, and aggregated analytics
10.1. Telemetry processing and retention. Processor processes limited telemetry described in Annex 1 on an ephemeral basis for each individual site and deletes such site-level telemetry in less than one (1) day (and is designed to delete it immediately after aggregation/processing).
10.2. Aggregated analytics (not attributable to any site). Processor may retain historical aggregated telemetry derived from site-level telemetry solely in de-identified, aggregated form that is not attributable to any individual site and is not linked to a domain, license identifier, or other unique identifier (“Aggregated Analytics”). To the extent Aggregated Analytics is de-identified and not attributable to Controller or any individual site, Aggregated Analytics is not Controller Data.
10.3. Upon termination of the Services, Processor will delete Controller Data in its possession in accordance with this Section 10 and Annex 1, unless retention is required by law (e.g., accounting records).
11. Liability and precedence
11.1. This DPA is subject to the limitation of liability provisions in the main agreement unless prohibited by applicable law.
11.2. If there is a conflict between this DPA and the main agreement regarding Processing of Controller Data, this DPA will control.
ANNEX 1 — PROCESSING DETAILS
A. Subject matter
Provision of the Media Hygiene plugin/service, including limited telemetry necessary to provide aggregate media inventory insights and operational support.
B. Nature and purpose of processing
- Provide the Services and maintain functionality
- Generate limited aggregate reporting regarding a site’s media library composition (counts/types)
- Troubleshooting and support (when initiated by Controller)
- Security and abuse prevention for the Services (as applicable)
C. Categories of data subjects
- Controller’s authorized users (e.g., site administrators) and support contacts
D. Categories of Personal Data processed
Primary telemetry (site-level; ephemeral):
- Number of media files on a WordPress site (aggregate count for that site)
- Media file types (aggregate categories for that site, such as XLSX, MP3, JPG, PNG, PDF, etc.)
Cross-customer Aggregated Analytics (historical; de-identified):
- Processor may generate and retain Aggregated Analytics derived from the telemetry above, provided such Aggregated Analytics is de-identified, not attributable to any individual site, and contains no identifiers that allow re-linking to a site, domain, license identifier, or Controller.
Explicit exclusions (not processed as telemetry by design):
- Media file contents (images, documents, audio/video)
- Filenames, file paths, EXIF or embedded metadata within files
- End-user/site visitor content
- Contact lists, marketing audiences, or behavioral profiles unrelated to the Services
E. Special categories of data
Processor is not intended to process special categories of data.
F. Frequency and duration
- Processing occurs as needed to provide Services during the subscription/term.
- Site-level telemetry (counts/types for an individual site) is retained less than one (1) day and deleted immediately after aggregation/processing.
- Processor may retain historical Aggregated Analytics that is de-identified and not attributable to any individual site.
G. Return/deletion
- Site-level telemetry is deleted per Section 10.1.
- Aggregated Analytics retained under Section 10.2 is not Controller Data to the extent it is de-identified and not attributable to Controller or any individual site.
- Standard service records (e.g., billing/transactions) may be retained where required by law or for legitimate accounting purposes.
ANNEX 2 — SUBPROCESSORS
Controller authorizes Processor to use the following Subprocessors for the purposes described. Regions may vary by vendor infrastructure; where unknown, Processor discloses “global/multi-region”.
- Vultr — Infrastructure hosting
  - Purpose: Hosting of Service components (if any) and operational systems
  - Data: Site-level telemetry (ephemeral) and service operation data (as applicable)
- Cloudflare — CDN/WAF/DNS and performance/security services
  - Purpose: Security, performance, DNS/CDN
  - Data: Network traffic metadata as part of normal web/CDN operation (as applicable)
- Google (Email / Workspace / SMTP) — Transactional and support email delivery
  - Purpose: Sending/receiving service communications
  - Data: Email content and headers for support/transactional messages (as applicable)
- Google Analytics — Website analytics
  - Purpose: Measurement of website usage
  - Data: Website analytics data (as applicable to visitors to Processor’s marketing website)
- tawk.to — Support chat/helpdesk
  - Purpose: Customer support communications
  - Data: Support chat content and metadata (as applicable)
- Userback.io — Feedback/bug reporting
  - Purpose: Collecting user feedback/bug reports
  - Data: Feedback content, page context, and related metadata (as applicable)
- Stripe — Payment processing
  - Purpose: Subscription payments and billing processing
  - Data: Payment and billing details (Processor does not store full card numbers)
Note: If Controller requires a vendor-specific DPA, Controller should review the Subprocessor’s published DPA / terms.
ANNEX 3 — TECHNICAL AND ORGANIZATIONAL MEASURES (TOMs)
Processor maintains a security program appropriate to the nature of the Services and limited data scope, including:
- Access control
  - Role-based access to production systems where applicable
  - Least-privilege access and administrative access restrictions
  - MFA for administrative access where supported
- Encryption
  - TLS encryption in transit for applicable service endpoints
  - Protection of secrets/keys (no hardcoded credentials in source)
- Operational security
  - Logging and monitoring for availability and security signals
  - Patch management for service components under Processor control
  - Secure configuration practices for hosting and perimeter services (e.g., Cloudflare)
- Data minimization and retention controls
  - Telemetry collection limited to aggregate counts and file-type categories
  - Site-level telemetry retention less than one day and deletion immediately after aggregation/processing
  - Aggregated Analytics retained only in de-identified form not attributable to any site
- Incident response
  - Documented process to detect, respond to, and remediate security incidents
  - Breach notification to Controller per Section 8
- Business continuity
  - Reasonable backups for operational systems where applicable (excluding site-level telemetry retained less than one day)
  - Recovery procedures appropriate to the service footprint
