Last updated: April 13, 2026
This Data Processing Agreement ("DPA") forms part of the WaiverKit Terms of Service between WaiverKit ("Processor") and the customer ("Controller") and reflects the parties' agreement on processing of personal data in accordance with the requirements of Article 28 of the EU General Data Protection Regulation (GDPR) and, where applicable, the UK GDPR and Swiss FADP.
The subject matter of the processing is the provision of the WaiverKit digital waiver platform to the Controller. Processing continues for as long as the Controller maintains an active account and for any applicable post-termination retention period described in Section 11.
The Processor processes personal data solely to host, deliver, secure, and support the WaiverKit service: collecting and storing signed waivers, generating PDF records, sending transactional emails, authenticating users, processing payments, and producing analytics on behalf of the Controller.
Personal data processed may include:
Categories of data subjects include: participants signing waivers, guardians of minor participants, and employees or authorized users of the Controller.
The Controller is responsible for the lawfulness of the collection and processing of personal data, for obtaining any necessary consents from data subjects, for the accuracy of instructions given to the Processor, and for ensuring that the waiver templates and workflows it configures comply with applicable law. The Controller retains all rights in the personal data and may issue documented instructions to the Processor at any time.
The Controller authorizes the Processor to engage the following sub-processors to deliver the service:
The Processor will notify the Controller of any intended addition or replacement of sub-processors with a reasonable opportunity to object on legitimate grounds.
The Processor implements appropriate technical and organizational measures to protect personal data, including:
Taking into account the nature of the processing, the Processor will assist the Controller by appropriate technical and organizational measures to fulfil the Controller's obligation to respond to requests from data subjects exercising their rights of access, rectification, erasure, restriction, portability, and objection under GDPR Articles 15 to 22.
The Processor will notify the Controller without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting the Controller's data. The notification will describe the nature of the breach, likely consequences, measures taken or proposed, and a point of contact for further information.
Where personal data is transferred outside the European Economic Area, the United Kingdom, or Switzerland to a country without an adequacy decision, such transfers are governed by the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum and the Swiss addendum, together with any supplementary measures required by the transfer impact assessment.
The Processor will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable confidentiality obligations and no more than once per calendar year except in the case of a documented security incident or regulatory request.
Upon termination of the agreement, the Processor will, at the Controller's choice, delete or return all personal data processed on behalf of the Controller, and delete existing copies, unless applicable law requires continued storage. Backups containing personal data will be deleted in the ordinary course of the backup retention cycle.
This page is the standard WaiverKit DPA. If you need a countersigned copy, or your organization requires a custom DPA, our legal team is happy to help.