Document ID: WBL-POL-DPA-v1.0 - Effective Date: 31 May 2026 - Processor: Webility SRL/BV
This Data Processing Agreement ("DPA") forms part of the agreement between Webility SRL/BV ("Webility", "we", "us") and the client identified in the applicable proposal, order form, statement of work, or service agreement ("Client", "you") when Webility processes personal data on behalf of the Client.
This DPA is intended to satisfy Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR"). It applies automatically to covered services unless a separate signed data processing agreement between Webility and the Client replaces it.
1. Roles of the Parties
For personal data processed in order to deliver client services:
| Party | GDPR Role | Scope |
|---|---|---|
| Client | Controller | Determines the purposes and lawful basis for processing personal data supplied to Webility. |
| Webility | Processor | Processes personal data only to deliver the agreed services and follow the Client's documented instructions. |
| Webility subprocessors | Subprocessors | Process personal data only where engaged under this DPA and bound by written data protection terms. |
Webility remains an independent controller for its own business administration, including billing, supplier management, legal compliance, website analytics, and direct communications with business contacts. Those controller activities are covered by our Privacy Policy.
2. Agreement Structure and Priority
This DPA supplements the applicable commercial agreement, including any proposal, statement of work, terms of service, hosting agreement, or support agreement.
If there is a conflict:
- This DPA controls for data protection obligations relating to processor services.
- The signed commercial agreement controls for commercial scope, pricing, delivery, payment, and liability, unless it expressly says otherwise.
- Any stricter written instruction approved by both parties controls for that specific processing activity.
3. Processing Details
The subject matter, duration, nature, purpose, categories of personal data, and categories of data subjects are described in Annex A.
Webility will not intentionally process special category data, criminal offence data, health data, children's data, or highly sensitive financial data unless the Client clearly identifies that data in writing and Webility accepts the processing in the applicable statement of work or written instruction.
4. Client Instructions
Webility will process personal data only on documented instructions from the Client, including instructions in the commercial agreement, project tickets, onboarding forms, support requests, written emails, and approved system configurations.
Webility will not sell the Client's personal data, use it for unrelated advertising, or use it to train public AI models unless the Client gives explicit written approval for a specific use case.
If Webility believes an instruction infringes GDPR, Belgian data protection law, or other applicable EU or Member State data protection law, Webility will inform the Client without undue delay unless legally prohibited from doing so.
5. Client Responsibilities
The Client is responsible for:
- Having a lawful basis for collecting and sharing personal data with Webility.
- Providing required privacy notices to data subjects.
- Ensuring the personal data supplied to Webility is accurate, relevant, and limited to what is needed.
- Giving clear instructions and promptly answering data protection questions from Webility.
- Maintaining appropriate security for Client-controlled accounts, devices, passwords, and administrative users.
- Reviewing and approving website privacy notices, cookie notices, consent settings, and content before publication.
6. Confidentiality
Webility will ensure that persons authorised to process personal data are bound by confidentiality obligations or an appropriate statutory duty of confidentiality.
Access to personal data is limited to personnel, contractors, and subprocessors who need access to deliver the agreed services.
7. Security Measures
Webility will implement appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access.
The current security measures are described in Annex B. Security measures may evolve over time, provided the updated measures do not materially reduce the overall protection of personal data.
8. Subprocessors
The Client gives Webility general written authorisation to use subprocessors where reasonably necessary to deliver the services.
Webility will:
- Use subprocessors only for service delivery, support, infrastructure, collaboration, communications, analytics, payment, hosting, AI, or specialist implementation tasks.
- Put written data protection obligations on subprocessors that are materially equivalent to this DPA.
- Remain responsible to the Client for subprocessors' performance of their data protection obligations.
- Keep a current description of subprocessor categories in Annex C.
- Notify the Client of material subprocessor changes by website notice, email, proposal update, or another reasonable written method.
The Client may object to a new subprocessor on reasonable data protection grounds within 10 business days after receiving notice. The parties will work in good faith to resolve the objection. If the objection cannot reasonably be resolved, Webility may suspend or terminate the affected service without penalty, and any refund will be handled under the applicable commercial agreement.
9. International Transfers
Webility will prioritise processing within the EU/EEA where practical for the relevant service.
Where personal data is transferred outside the EU/EEA, Webility will use an appropriate transfer mechanism, such as:
- An adequacy decision recognised by the European Commission.
- Standard Contractual Clauses approved by the European Commission.
- The EU-US Data Privacy Framework where applicable.
- Another lawful transfer mechanism permitted under GDPR.
The Client authorises Webility to enter into transfer safeguards with subprocessors on the Client's behalf where needed to provide the services.
10. Data Subject Requests
Taking into account the nature of the processing, Webility will provide reasonable assistance to help the Client respond to requests from data subjects exercising rights under GDPR, including access, rectification, erasure, restriction, portability, objection, and withdrawal of consent.
If a data subject contacts Webility directly about personal data processed on behalf of the Client, Webility will, where legally permitted, forward the request to the Client or advise the data subject to contact the Client.
11. Security Incidents and Personal Data Breaches
Webility will notify the Client without undue delay after becoming aware of a personal data breach affecting personal data processed on behalf of the Client. Where feasible, Webility aims to provide initial notice within 48 hours after confirming that a personal data breach has occurred.
The notice will include information reasonably available to Webility, such as:
- The nature of the breach.
- The categories of data and data subjects affected, where known.
- Likely consequences, where known.
- Measures taken or proposed to address and mitigate the breach.
- A contact point for follow-up questions.
Webility may provide information in phases if complete details are not immediately available. The Client remains responsible for assessing whether notification to a supervisory authority or data subjects is legally required.
12. Assistance With Compliance
Taking into account the nature of the processing and information available to Webility, Webility will provide reasonable assistance for the Client's compliance with GDPR Articles 32 to 36, including security, breach assessment, data protection impact assessments, and prior consultation with a supervisory authority where required.
Assistance outside normal service scope may be charged at Webility's then-current professional rates unless the assistance is needed because of Webility's breach of this DPA.
13. Return and Deletion of Personal Data
At the end of the services, Webility will, at the Client's choice, return or delete personal data processed on behalf of the Client, unless applicable law requires retention.
If the Client does not make a written choice within 30 days after service termination, Webility may delete Client personal data according to its standard retention procedures.
Deletion may exclude:
- Backup copies that are overwritten on a normal backup cycle.
- Accounting, tax, legal, or security records that Webility must retain.
- Records needed to establish, exercise, or defend legal claims.
- Aggregated or anonymised information that no longer identifies a person.
14. Audit and Information Rights
Webility will make available information reasonably necessary to demonstrate compliance with this DPA.
The Client may request an audit of Webility's processing under this DPA no more than once per calendar year, unless a personal data breach, regulator request, or material compliance concern justifies an additional audit.
Audits must:
- Be requested with at least 30 days' written notice, except in urgent circumstances.
- Be conducted during normal business hours.
- Avoid disruption to Webility's business and other clients.
- Protect confidential information, security-sensitive information, and third-party information.
- Be performed by the Client or an independent auditor bound by confidentiality.
Webility may satisfy audit requests through questionnaires, policy summaries, evidence of controls, third-party reports, or a structured remote review where appropriate.
15. AI and Automated Tools
Webility may use AI tools to support writing, design, development, support, analytics, and automation work as described in the AI Use & Data Policy.
Webility will not submit Client-controlled personal data to AI providers unless:
- The Client has authorised the processing through the project scope, written instruction, or system configuration.
- The use is necessary for the agreed AI-enabled service.
- Appropriate contractual and transfer safeguards are in place where required.
The Client must not provide sensitive personal data for AI processing unless the use has been explicitly approved in writing.
16. Liability
Each party remains liable for its own obligations under GDPR and applicable data protection law.
Unless a signed agreement states otherwise, liability under this DPA is subject to the limitations, exclusions, and remedies in the applicable commercial agreement between the parties.
Nothing in this DPA limits liability where such limitation is not permitted by applicable law.
17. Notices and Contact
Data protection notices under this DPA should be sent to:
Webility SRL/BV
Avenue Louise 54, 1050 Brussels, Belgium
Email: privacy@webility.local
The Client should provide its data protection contact in the applicable project agreement, onboarding form, or written instruction.
18. Governing Law
This DPA is governed by Belgian law. The courts of Brussels have jurisdiction, unless mandatory data protection law gives a data subject or supervisory authority another right or forum.
Annex A - Processing Details
| Item | Description |
|---|---|
| Subject matter | Website, SEO, hosting, automation, AI, analytics, maintenance, support, and digital service delivery for the Client. |
| Duration | For the term of the applicable service agreement, plus any retention period required for backup, handover, legal, tax, accounting, or dispute purposes. |
| Nature of processing | Collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, transmission, hosting, support access, testing, deletion, and return. |
| Purpose | Delivering, improving, securing, supporting, hosting, maintaining, and documenting Client services. |
| Data subjects | Client personnel, Client users, website visitors, leads, customers, suppliers, contractors, job applicants, and other persons whose data the Client provides or makes accessible. |
| Personal data categories | Names, email addresses, phone numbers, company details, job titles, website form submissions, support messages, project content, account identifiers, IP addresses, analytics events, CRM or marketing data, and other personal data included in Client systems or content. |
| Special categories | Not expected unless explicitly approved in writing. |
| Processing locations | Primarily Belgium and the EU/EEA, with possible processing in adequate countries or through safeguarded international transfers. |
Annex B - Technical and Organisational Measures
| Control Area | Measures |
|---|---|
| Access control | Least-privilege access, named accounts where practical, password manager use, strong passwords, and multi-factor authentication where supported. |
| Confidentiality | Confidentiality obligations for personnel and contractors with access to Client personal data. |
| Encryption | TLS for data in transit where supported; encryption at rest where provided by hosting, cloud, database, storage, or SaaS providers. |
| Credential handling | Client credentials are stored only in approved secure systems and are not shared in plain chat channels where avoidable. |
| Hosting and infrastructure | Use of reputable hosting and cloud providers with documented security controls appropriate to the service. |
| Backups and recovery | Backup and recovery practices appropriate to the contracted hosting or maintenance plan. |
| Logging and monitoring | Security and operational logs where supported by the relevant platform; logs retained for limited operational periods. |
| Change management | Project, deployment, and configuration changes handled through controlled workflows appropriate to the engagement. |
| Vulnerability management | Updates, dependency review, and remediation practices appropriate to the contracted maintenance and support plan. |
| Incident response | Internal triage, containment, investigation, communication, and remediation workflow for suspected security incidents. |
| Data minimisation | Personal data is limited to what is needed for the agreed services where Webility controls the implementation. |
| Subprocessor review | Commercially reasonable review of subprocessors based on service sensitivity, available documentation, and data protection terms. |
| Disposal | Deletion, return, or archival of Client personal data according to the commercial agreement, written instruction, and applicable law. |
Annex C - Subprocessor Categories
Webility may use subprocessors in the following categories when required for the services:
| Category | Typical Purpose |
|---|---|
| Hosting and cloud infrastructure | Website hosting, databases, file storage, backups, content delivery, DNS, deployment, and monitoring. |
| Email and collaboration tools | Project communication, shared documents, calendars, internal notes, and client support. |
| Analytics and performance tools | Website analytics, diagnostics, monitoring, SEO measurement, and performance reporting. |
| Payment and invoicing providers | Payment processing, invoicing, accounting exports, and financial administration. |
| E-signature and contract tools | Proposal, contract, and approval workflows. |
| AI providers | AI-enabled services, content support, coding assistance, automation, classification, summarisation, or client-approved AI workflows. |
| Specialist contractors | Design, development, SEO, copywriting, security, support, or implementation assistance under confidentiality and data protection obligations. |
| Customer support and ticketing tools | Support intake, ticket tracking, status updates, and maintenance communication. |
Webility will provide more specific subprocessor details on reasonable request where required for the Client's vendor assessment.
Policy Changelog
| Version | Date | Summary |
|---|---|---|
| v1.0 | 2026-05-31 | Initial publication |