Data Processing Addendum
1. Definitions
Capitalized terms used but not defined here have the meanings given in the Terms of Service or the GDPR (Regulation (EU) 2016/679), the UK GDPR, the California Consumer Privacy Act ("CCPA"), and similar laws as applicable.
- "Personal Data" means information relating to an identified or identifiable natural person processed by Processor on behalf of Controller in connection with the Service.
- "Sub-processor" means a third party engaged by Processor to process Personal Data on Controller's behalf. The current list is at /legal/subprocessors.
- "Data Subject" means an individual whose Personal Data is processed.
- "Data Subject Request" means a request from a Data Subject to exercise rights under applicable data protection law (access, correction, deletion, portability, objection, restriction).
2. Roles
- Controller determines the purposes and means of processing the Personal Data and is responsible for the lawfulness of the processing.
- Processor processes Personal Data on Controller's documented instructions and only as necessary to provide the Service or as required by law.
Where Processor is a Service Provider under CCPA, Processor will not (a) sell Personal Data, (b) share Personal Data for cross-context behavioral advertising, (c) retain, use, or disclose Personal Data outside the direct business relationship with Controller, or (d) combine Personal Data received from Controller with Personal Data received from any other source (except where permitted under CCPA for the purpose of providing the Service).
3. Subject matter, duration, nature, and purpose of processing
- Subject matter. Provision of the WestHub Service to Controller.
- Duration. The term of the Terms of Service plus the retention windows in our Privacy Policy or the windows configured by Controller, whichever is longer.
- Nature and purpose. Hosting, transmitting, indexing, displaying, transcribing, summarizing, and otherwise processing Customer Content as necessary to deliver the Service.
- Categories of Data Subjects. Controller's employees, contractors, end customers, vendors, and any third parties whose Personal Data Controller submits to the Service.
- Categories of Personal Data. Identifiers (name, email, phone, employer); contact and CRM data; communications content (email, chat, voice, video); documents and other files; usage and device telemetry. Sensitive categories (health information, financial account numbers, government IDs) only where Controller has a documented basis and the appropriate Customer-Specific Addendum (e.g., HIPAA BAA).
4. Processor obligations
Processor will:
- Process Personal Data only on documented instructions from Controller. The Terms of Service, this DPA, and Controller's configuration of the Service are documented instructions.
- Ensure that personnel authorized to process Personal Data are subject to confidentiality obligations.
- Implement appropriate technical and organizational measures (Section 7).
- Engage Sub-processors only as set out in Section 6.
- Assist Controller, taking into account the nature of the processing, in responding to Data Subject Requests (Section 8).
- Notify Controller without undue delay of any Personal Data Breach (Section 9).
- At Controller's choice, delete or return Personal Data on termination as set out in the Privacy Policy.
- Make available to Controller information necessary to demonstrate compliance with this DPA and allow audits as set out in Section 10.
5. Controller obligations
Controller will:
- Have a lawful basis to provide Personal Data to Processor and a lawful basis for Processor's processing.
- Provide notices and obtain consents required from Data Subjects.
- Configure the Service appropriately (retention, recording, sharing) for its compliance posture.
- Not submit Sensitive Personal Data outside the scope of any required Customer-Specific Addendum.
- Respond to Data Subject Requests as the controller of record. Processor will assist as set out in Section 8.
6. Sub-processors
Controller authorizes Processor to engage the Sub-processors listed at /legal/subprocessors and to add new Sub-processors. Processor will provide notice of new Sub-processors that process Personal Data at least 30 days before they begin processing, by updating that page and emailing the contact on file. Controller may object on reasonable data-protection grounds within the notice period; the parties will work in good faith to resolve the objection, and if no resolution is possible Controller may terminate the affected portion of the Service for convenience without penalty.
Processor will impose data protection obligations on each Sub-processor materially equivalent to those in this DPA and remains liable to Controller for the acts and omissions of its Sub-processors.
7. Technical and organizational measures
Processor maintains a written information security program with the following elements:
- Encryption in transit. TLS 1.2+ for all external connections.
- Encryption at rest. Database encryption for sensitive fields; encrypted backups; encrypted object storage where used.
- Access control. Role-based access, least privilege, multi-factor authentication for all Processor personnel with production access.
- Network security. Segmented networks, host-based and network-level firewalls, BGP routing controls.
- Logging and monitoring. Centralized application and audit logs with at least 12 months' retention.
- Vulnerability management. Regular dependency scanning, security patching, third-party penetration testing.
- Backups. Encrypted backups with documented restore procedures, including immutable cold storage in a geographically distinct location.
- Personnel. Background checks, security training, confidentiality agreements.
- Compliance program. Working toward SOC 2 Type II, PCI DSS, and HIPAA technical safeguards.
Specific control descriptions and the most current security overview are available under NDA from security@westhub.app.
8. Assistance with Data Subject Requests
Processor will, taking into account the nature of the processing, provide Controller with the technical means and information needed to respond to Data Subject Requests within applicable legal timelines. The Service exposes self-service tooling for export and deletion that Controller can use directly. For requests Processor cannot fulfill through self-service, Controller may submit a request to dpo@westhub.app and Processor will respond without undue delay.
9. Personal Data Breach notification
Processor will notify Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Controller's Personal Data. The notice will include, to the extent known: the nature of the Breach, categories and approximate number of Data Subjects and records concerned, likely consequences, and measures taken or proposed.
Processor will cooperate with Controller's response and will not communicate with regulators or Data Subjects on Controller's behalf unless Controller authorizes it.
10. Audit
Processor will make available to Controller information reasonably necessary to demonstrate compliance with this DPA, including third-party audit reports (e.g., SOC 2 once available). Where a third-party report does not address Controller's reasonable concern, Processor will allow Controller (or a mutually agreed independent auditor) to conduct an audit no more than once per twelve months at Controller's expense, on at least 30 days' written notice, during business hours, in a manner that does not unreasonably interfere with Processor's operations.
11. International transfers
Where Personal Data is transferred from the EEA, UK, or Switzerland to a country that has not been recognized as providing adequate protection, the parties incorporate the European Commission's Standard Contractual Clauses (Decision 2021/914) and/or the UK International Data Transfer Addendum, as applicable, with Processor as data importer and Controller as data exporter. The Module 2 (controller-to-processor) clauses apply by default. Specific Annexes (description of transfer, technical and organizational measures, list of sub-processors) are populated by reference to this DPA, the Privacy Policy, the Sub-processors page, and Section 7 above.
12. Return or deletion of Personal Data
On termination of the Service, Processor will, at Controller's election, return or delete Personal Data, except where retention is required by applicable law or for items under legal hold. Default behavior and timelines are described in the Privacy Policy.
13. Liability
Each party's liability under this DPA is subject to the limitations of liability in the Terms of Service. Nothing in this DPA limits a party's liability for willful misconduct or gross negligence to the extent that limitation is not permitted by applicable law.
14. Conflict
In case of conflict between this DPA and the Terms of Service, this DPA controls with respect to the processing of Personal Data.
15. Updates
Processor may update this DPA in line with changes in applicable law or to reflect operational changes, provided no update will materially diminish Controller's rights. Material changes will be communicated by email or in-product notice with at least 30 days' advance notice.
16. Contact
Data Protection Officer: dpo@westhub.app
Privacy: privacy@westhub.app
Security: security@westhub.app
Legal: legal@westhub.app