Data Processing Addendum

Effective 2026-06-07 · webbyclick

This Data Processing Addendum (“DPA”) supplements the webbyclick Terms of Service for customers whose use of the service involves processing of personal data subject to the EU General Data Protection Regulation, the UK GDPR, or comparable data-protection laws.

1. Definitions and roles

The terms “controller”, “processor”, “personal data”, “data subject”, and “processing” have the meanings given in the GDPR. For personal data that you submit through the service, you are the controller and Symbolic Design LLC (operating webbyclick) is the processor.

2. Scope and instructions

We process personal data only on your documented instructions, including those embodied in the Terms of Service, your account configuration, and the prompts you submit. We will inform you if, in our opinion, an instruction infringes applicable law.

3. Sub-processors

Current sub-processors:

  • Amazon Web Services, Inc. — hosting, identity (Cognito), object storage (S3), CDN (CloudFront), database (DynamoDB), LLM inference (Bedrock), and transactional email (SES).
  • Anthropic, PBC — LLM inference, accessed exclusively through AWS Bedrock.
  • Stripe, Inc. — billing and payments.
  • Twilio Inc. — SMS and WhatsApp messaging (Pro and Business plans only).

You authorize us to engage the sub-processors above. We will notify you by email at least 30 days before engaging a new sub-processor; you may object on reasonable data-protection grounds, and if the objection cannot be resolved, you may terminate the affected portion of the service for a pro-rated refund of fees paid in advance.

4. Security measures

We maintain the following technical and organizational measures:

  • Encryption in transit (TLS 1.2 or higher) and at rest (AWS-managed AES-256).
  • JWT-based authentication via AWS Cognito with optional multi-factor enrollment.
  • IAM least-privilege roles scoped per Lambda and per service; no human standing access to production data stores.
  • Object versioning on customer S3 buckets to enable point-in-time recovery.
  • Per-customer isolation at the S3 prefix and CloudFront distribution layers.
  • Hashing of phone numbers and prompt text before they reach log streams; one-month CloudWatch log retention.
  • Secrets stored in AWS Secrets Manager and rotated according to provider guidance.

5. Data subject requests

We will assist you in responding to data subject access, rectification, and deletion requests within statutory timelines. Most requests can be self-served through the dashboard (account deletion) or your Stripe Customer Portal (invoice history). For other requests, contact halim@symbolic-design.com.

6. International transfers

Personal data is processed in the United States (AWS region us-east-2). For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland, the parties rely on the Standard Contractual Clauses incorporated by reference through our sub-processors’ standard data-processing agreements (AWS, Stripe, Twilio). The UK International Data Transfer Addendum and the Swiss FDPIC approval apply where relevant.

7. Audit

On reasonable written request and no more than once per twelve months, we will make available to you the third-party audit reports and certifications applicable to our sub-processors (for example, AWS SOC 2 reports) and a written summary of our security controls. Live audit access is provided only where required by law and at the requesting party’s reasonable expense.

8. Return or deletion of data

On termination of your account, we will delete prompt history promptly and tear down your hosted site and CloudFront distribution within 30 days of the deletion request, except where retention is required by law. On written request before termination, we will provide a copy of your site content (JSON and image assets).

9. Personal-data breach

We will notify you without undue delay after becoming aware of a personal-data breach affecting your data and provide the information reasonably necessary for you to meet your notification obligations.

10. Signing

This DPA is incorporated by reference into the Terms of Service and is effective when you accept those Terms. To request a counter-signed copy, email halim@symbolic-design.com.