Data Processing Agreement
Last updated: July 14, 2026
Waygrid is a brand operated by SOFTEAM CONSULTING, S.A.S.
This Data Processing Agreement ("DPA") forms part of the agreement between the customer and SOFTEAM CONSULTING, S.A.S. ("SOFTEAM CONSULTING", "we", "us"), the company that operates the Waygrid platform, governing the customer's use of that platform (the "Agreement"). It applies whenever SOFTEAM CONSULTING processes personal data on the customer's behalf. A countersigned copy is available from your account team or through our contact page.
1. Roles and scope
For personal data contained in traffic, configuration, and records the customer submits to the platform ("Customer Data"), the customer is the controller (or a processor acting for another controller) and Waygrid is a processor within the meaning of the GDPR. This DPA does not apply to data for which Waygrid is a controller, such as account and billing information, which is covered by our privacy policy.
2. Processing on instructions
Waygrid processes Customer Data only on the customer's documented instructions, as set out in the Agreement and the customer's configuration of the platform, unless required to do otherwise by law. If a law requires such processing, Waygrid will inform the customer before processing unless the law prohibits it. Waygrid will inform the customer if, in its opinion, an instruction infringes applicable data protection law.
3. Details of processing
The subject matter of the processing is the provision of the Waygrid platform; the duration is the term of the Agreement plus any agreed retention period; the nature and purpose are the routing, governance, securing, and observation of API traffic as configured by the customer. The categories of data subjects and personal data are determined by the customer and depend on what the customer routes through the platform.
4. Confidentiality
Waygrid ensures that persons authorized to process Customer Data are bound by contractual or statutory obligations of confidentiality, and that access follows the least-privilege practices described in our Trust Center.
5. Security
Waygrid implements and maintains appropriate technical and organizational measures to protect Customer Data, including encryption in transit and at rest, HSM-backed key management, just-in-time production access with session recording, and an immutable audit log. These measures are maintained under our ISO/IEC 27001-certified information security program and verified through annual SOC 2 Type II attestations and independent penetration tests.
6. Subprocessors
The customer grants Waygrid general authorization to engage subprocessors for the provision of the platform. Waygrid imposes data protection obligations on each subprocessor equivalent to those in this DPA and remains liable for their performance. Current subprocessor categories include cloud infrastructure providers in the regions the customer selects and providers of support and operational tooling.
Waygrid gives customers advance notice of any intended addition or replacement of a subprocessor. The customer may object on reasonable data protection grounds; if the objection cannot be resolved, the customer may terminate the affected service.
7. Data subject rights
Taking into account the nature of the processing, Waygrid assists the customer with appropriate technical and organizational measures in fulfilling requests from data subjects to exercise their rights. If a data subject contacts Waygrid directly about Customer Data, Waygrid will refer the request to the customer without undue delay.
8. Personal data breaches
Waygrid notifies the customer without undue delay after becoming aware of a personal data breach affecting Customer Data, and provides the information reasonably available to help the customer meet its own notification obligations.
9. Assistance
Waygrid assists the customer, insofar as possible and taking into account the information available to it, with data protection impact assessments and prior consultations with supervisory authorities relating to the processing under this DPA.
10. International transfers
Customer Data is processed in the regions the customer selects, and the platform enforces that choice. Where the provision of the platform involves a transfer of personal data outside the European Economic Area to a country without an adequacy decision, the parties rely on the European Commission's Standard Contractual Clauses, which are incorporated into this DPA, together with any supplementary measures required.
11. Audits
Waygrid makes available the information necessary to demonstrate compliance with this DPA, including its ISO/IEC 27001 certificate, SOC 2 Type II report, and penetration test summaries through the Trust Center. Where these are not sufficient, the customer may conduct an audit under reasonable conditions of scope, notice, and confidentiality agreed in the Agreement.
12. Return and deletion
Upon termination of the Agreement, Waygrid deletes or returns Customer Data at the customer's choice, and deletes remaining copies once any legally required retention period expires. Audit records are retained for the period stated in the Agreement, seven years by default.
13. Precedence
If there is a conflict between this DPA and the Agreement with respect to the processing of personal data, this DPA prevails. If there is a conflict between this DPA and the Standard Contractual Clauses, the Clauses prevail.
14. Contact
Questions about this DPA can be sent to [email protected].