Last updated: July 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Wippy (“Wippy,” “we,” “us”) and the customer firm (“Customer,” “you”) that has subscribed to the Wippy service (the “Service”). It governs how Wippy processes Personal Data on Customer’s behalf.
For the purposes of Data Protection Laws, Customer is the controller of Personal Data, and Wippy is the processor/service provider. Wippy processes Personal Data only on Customer’s documented instructions, which include instructions given through the configuration of the Service.
The subject matter, duration, nature, and purpose of the Processing are described in the Appendix.
Each party shall comply with its respective obligations under applicable Data Protection Laws. Wippy will not “sell” or “share” Personal Data within the meaning of the CCPA, and will not retain, use, or disclose Personal Data for any purpose other than performing the Service.
Wippy ensures that personnel authorized to Process Personal Data are bound by appropriate confidentiality obligations and have received appropriate training on their responsibilities under this DPA.
Wippy implements and maintains appropriate technical and organizational measures designed to protect Personal Data against unauthorized or unlawful Processing, accidental loss, destruction, or damage. These measures include:
Customer authorizes Wippy to engage the Sub-processors listed in the Appendix to perform parts of the Service. Wippy enters into a written agreement with each Sub-processor imposing data-protection obligations no less protective than those in this DPA.
Wippy will provide at least 30 days’ prior notice of the addition of a new Sub-processor by updating the Appendix and (where Customer has subscribed) by email to [email protected]. Customer may object on reasonable grounds within that period.
Wippy provides Customer with reasonable assistance in responding to requests from data subjects (or, under CCPA, consumers) exercising rights of access, correction, deletion, portability, or objection. Customer is responsible for the substantive response to such requests.
Wippy will notify Customer without undue delay, and in any event within 72 hours of confirming a Personal Data breach affecting Customer’s Personal Data. The notice will include, to the extent known, the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to mitigate.
Wippy will make available to Customer the information reasonably necessary to demonstrate compliance with this DPA, including by responding to a security questionnaire no more than once per twelve-month period (more frequently in the case of a confirmed Personal Data breach). For Customer audits beyond questionnaire responses, the parties will agree on scope, timing, and cost in advance.
Upon termination of the Service, Wippy will, at Customer’s election, return or delete all Personal Data within 30 days, except to the extent retention is required by law (e.g., audit trail retention for tax-record compliance) or for legitimate business purposes (e.g., dispute resolution, fraud prevention). Backups containing Personal Data are purged on the standard backup retention cycle.
The Service is hosted in the United States. Where Customer is located in the European Economic Area, United Kingdom, or Switzerland, the parties incorporate by reference the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module 2 (controller-to-processor), with Wippy as “data importer” and Customer as “data exporter.” The UK International Data Transfer Addendum applies where required by UK law.
This DPA is incorporated into the Terms of Service. In the event of a conflict between this DPA and the Terms of Service, this DPA prevails with respect to the Processing of Personal Data. Wippy may update this DPA from time to time; material changes will be communicated via the application or by email and (for material changes) take effect 30 days after notice.
This DPA is governed by the laws of the State of Colorado, USA, without regard to conflict-of-laws principles. The parties submit to the exclusive jurisdiction of the state and federal courts located in Adams County, Colorado for any dispute arising out of or relating to this DPA.
Subject matter: provision of the Wippy tax practice management Service. Duration: the term of the Customer’s subscription, plus any retention period required by law.
Storage, organization, retrieval, transmission, encryption, and deletion of Personal Data to provide Customer with tax return tracking, client and entity records, time tracking, invoicing, document organization, secure messaging, and related practice-management features.
The following Sub-processors process Personal Data on Wippy’s behalf:
| Sub-processor | Purpose | Location |
|---|---|---|
| DigitalOcean, LLC | Application hosting and managed PostgreSQL database | United States |
| Cloudflare, Inc. | Content delivery, DDoS protection, TLS termination | Global edge network |
| Resend, Inc. | Transactional email delivery (invoices, portal invites, notifications) | United States |
| Stripe, Inc. | Subscription billing and payment processing | United States |
| Google LLC (Gemini API) | Document classification (organizer feature) | United States |
| Anthropic, PBC (Claude API) | AI assistant features (drafting, summarization) | United States |
| Functional Software, Inc. (Sentry) | Error monitoring and performance telemetry | United States |
| PostHog, Inc. | Product usage analytics (events are scrubbed of client tax data in the browser; session recording disabled; users identified by internal ID only — see Privacy Policy §6) | United States |
| OpenAI, LLC (opt-in only) | AI features when Customer configures OpenAI as the AI provider in firm settings (bring-your-own-key) | United States |
The current Sub-processor list is maintained at this page. Material additions are communicated per Section 6.
By using the Service, Customer is deemed to have accepted this DPA. If your firm or your vendor questionnaire requires a counter-signed PDF copy, email [email protected]with your firm name and signing officer’s details and we will return a counter-signed copy within five business days.
Privacy questions, sub-processor objections, data subject requests, or breach reports: [email protected].