© 2026 WaiverKit · All rights reserved.

A Clashware Sàrl product · clashware.com

WaiverKit

Data Processing Agreement

Last updated: April 13, 2026

This Data Processing Agreement ("DPA") forms part of the WaiverKit Terms of Service between WaiverKit ("Processor") and the customer ("Controller") and reflects the parties' agreement on processing of personal data in accordance with the requirements of Article 28 of the EU General Data Protection Regulation (GDPR) and, where applicable, the UK GDPR and Swiss FADP.

1. Subject Matter and Duration

The subject matter of the processing is the provision of the WaiverKit digital waiver platform to the Controller. Processing continues for as long as the Controller maintains an active account and for any applicable post-termination retention period described in Section 11.

2. Nature and Purpose of Processing

The Processor processes personal data solely to host, deliver, secure, and support the WaiverKit service: collecting and storing signed waivers, generating PDF records, sending transactional emails, authenticating users, processing payments, and producing analytics on behalf of the Controller.

3. Types of Personal Data and Categories of Data Subjects

Personal data processed may include:

  • Signer identity data (name, date of birth, address, email, phone)
  • Signature images and typed signatures
  • Guardian data for minor signers
  • Business user account data (name, email, authentication identifiers, IP address)

Categories of data subjects include: participants signing waivers, guardians of minor participants, and employees or authorized users of the Controller.

4. Obligations and Rights of the Controller

The Controller is responsible for the lawfulness of the collection and processing of personal data, for obtaining any necessary consents from data subjects, for the accuracy of instructions given to the Processor, and for ensuring that the waiver templates and workflows it configures comply with applicable law. The Controller retains all rights in the personal data and may issue documented instructions to the Processor at any time.

5. Sub-processors

The Controller authorizes the Processor to engage the following sub-processors to deliver the service:

  • Clerk (authentication, session management, and user directory).
  • Stripe (payment processing and subscription billing).
  • Resend (transactional email delivery).
  • Cloudflare R2 (object storage for signature images and PDF artifacts).
  • Vercel (application hosting, edge network, and request routing).
  • Neon (Postgres) (managed Postgres database hosting for structured data).

The Processor will notify the Controller of any intended addition or replacement of sub-processors with a reasonable opportunity to object on legitimate grounds.

6. Security Measures

The Processor implements appropriate technical and organizational measures to protect personal data, including:

  • Encryption in transit (TLS 1.2+) and at rest for database and object storage
  • Role-based access controls and least-privilege IAM across infrastructure
  • Tenant isolation enforced at the application and query layer
  • Audit logging of administrative actions and PII access
  • Regular backups, automated dependency scanning, and incident response procedures

7. Data Subject Rights

Taking into account the nature of the processing, the Processor will assist the Controller by appropriate technical and organizational measures to fulfil the Controller's obligation to respond to requests from data subjects exercising their rights of access, rectification, erasure, restriction, portability, and objection under GDPR Articles 15 to 22.

8. Data Breach Notification

The Processor will notify the Controller without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting the Controller's data. The notification will describe the nature of the breach, likely consequences, measures taken or proposed, and a point of contact for further information.

9. International Transfers

Where personal data is transferred outside the European Economic Area, the United Kingdom, or Switzerland to a country without an adequacy decision, such transfers are governed by the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum and the Swiss addendum, together with any supplementary measures required by the transfer impact assessment.

10. Audit Rights

The Processor will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable confidentiality obligations and no more than once per calendar year except in the case of a documented security incident or regulatory request.

11. Termination, Return, and Deletion

Upon termination of the agreement, the Processor will, at the Controller's choice, delete or return all personal data processed on behalf of the Controller, and delete existing copies, unless applicable law requires continued storage. Backups containing personal data will be deleted in the ordinary course of the backup retention cycle.

Need a signed copy?

This page is the standard WaiverKit DPA. For a countersigned copy or for organizations requiring a custom DPA, our legal team is happy to help.
