Roles of the parties
Where WIZZ Cloud processes personal data on behalf of a customer in the course of providing the service, the customer is the controller and WIZZ Cloud is the processor. Where WIZZ Cloud processes personal data of its own customers, prospects and visitors, it acts as a controller. This DPA governs the first relationship.
Scope of processing
The duration, nature, purpose, types of personal data and categories of data subjects are as set out in the Order Form and in this DPA's Annex A. By default, the subject matter is the provision of the WIZZ Cloud service; the categories of personal data are determined by the customer in its instructions to WIZZ Cloud.
Security measures
WIZZ Cloud implements and maintains the technical and organisational measures described in our Security Overview, which is updated as the service evolves and is part of our ISO 27001 management system. A current version is published at /security.html.
Sub-processors
WIZZ Cloud uses the following sub-processors, all of which are bound by contractual obligations equivalent to those in this DPA:
- Hetzner Online GmbH (DE) — primary infrastructure hosting for EU regions
- OVHcloud SAS (FR) — secondary infrastructure hosting and disaster recovery
- Cloudflare, Inc. (US, with EU traffic terminated in the EU) — content delivery and DDoS protection
- Stripe Payments Europe Ltd. (IE) — subscription billing processor
- Intercom R&D Unlimited (IE) — customer support messaging
- Twilio Ireland Limited (IE) — transactional email and SMS
- Datadog International Ltd. (IE) — operational telemetry and monitoring
Customers are notified at least 30 days in advance of any change to this list, and have the right to object to a new sub-processor for legitimate reasons.
International transfers
Customer content is stored only in EU regions. Where operational data is processed outside the EU by a sub-processor, the transfer is covered by the European Commission's Standard Contractual Clauses (Module 2 or 3, as applicable) together with supplementary technical measures including encryption in transit and at rest and strict access controls.
Audit rights
Customers may, on reasonable prior notice and not more than once per year (more often if required by their supervisory authority), audit WIZZ Cloud's compliance with this DPA. WIZZ Cloud will satisfy a substantial part of audit requirements by providing recent SOC 2 Type II and ISO 27001 reports.
Data subject rights
Where WIZZ Cloud receives a request from a data subject, it will forward the request to the relevant customer without undue delay and will assist the customer in responding, where the customer cannot do so on its own.
Personal data breaches
WIZZ Cloud will notify the customer without undue delay (and in any case within 24 hours) after becoming aware of a personal data breach affecting that customer's data, and will support the customer's notification obligations under Articles 33 and 34 of the GDPR.
Return or deletion
On termination of the service, WIZZ Cloud will, at the customer's choice, return or delete all customer personal data within 60 days. Backups follow our documented retention schedule and are encrypted until they expire and are destroyed.
Signing the DPA
The signed DPA is included with every Order Form. If you need a copy ahead of contracting, email dpo@wizzair.cloud and we will send the current PDF.