Compliance — data processing agreement, subprocessors, signing
Wilow is your data processor under GDPR — you control the data, we process it on your behalf. The Compliance page is where that relationship gets put on paper: request a Data Processing Agreement (DPA), sign it electronically, download the executed copy, and acknowledge which third-party subprocessors we use to deliver the service.
What lives on this page
- Your DPAs — the list of DPAs your workspace has on file. State per row: draft, pending signature, signed, canceled.
- Request a DPA — start a new one. Choose template language (EN/DE) and fill in the company / contact / address fields.
- Sign / download — once you've requested a DPA, sign it electronically (via Documenso, our signing tool) and download the executed PDF afterwards.
- Subprocessors — the list of third parties that touch your data on our behalf, with the current version of our subprocessor list and a button to acknowledge new versions.
When do I need a DPA?
If you're a business in the EU/UK, or if any of your visitors are, you almost certainly need one. GDPR requires the processor relationship to be bound by a contract; the DPA is that contract.
If you're a US-only B2C operation with no European customers, the strict legal requirement is looser, but a DPA is still a good idea to codify expectations.
If your security/compliance team asked you to find ours, they're asking for this.
How to request a DPA
- Admin → Settings → Data processing agreement.
- Request DPA.
- Pick the template language — English or German.
- Fill in your legal entity name, contact name, contact email, and registered address. We pre-fill from your account data where we have it; double-check before submitting.
- Submit.
We generate the DPA from the chosen template, fill your details in, and email a signing link.
Only one draft/pending request can be in flight at a time. Cancel the existing one if you want to start over with different details.
How to sign
Click the signing link (also visible on the Compliance page next to the row). Documenso opens, you eSign the document, and the signed state propagates back here within a minute. Download the executed PDF from this page once it's marked signed.
If in-product signing isn't enabled for your workspace, the request flow still works: we'll countersign manually and email you the executed copy.
Subprocessors
The subprocessor list names every third party that processes your data on our behalf: hosting providers, the LLM provider, the email sender, etc. Each entry includes the company name, location, and what they do.
When the list changes (we add a subprocessor, or change one), the page surfaces an Acknowledge new version prompt. Click to acknowledge — that's the GDPR-required notification step on your side. Past versions are kept on the page so you can see what changed.
Common questions
- DPA — what is it? Data Processing Agreement. The contract between you (controller) and Wilow (processor) under GDPR.
- Where's my data processing agreement? Compliance → Your DPAs. If the list is empty, Request DPA.
- How do I sign electronically? Click the signing link sent to your contact email after you submit the request. Documenso handles the eSign; the signed state flows back automatically.
- Can I use my own DPA template? Sometimes. If your legal team insists on their template, email it to us; we'll review and countersign separately. Off-template DPAs aren't a button on this page.
- Where's your list of subprocessors? Compliance → Subprocessors. The current version is highlighted; older versions are listed underneath for the audit trail.
- I have a new subprocessor notification — what do I do? Acknowledge it on this page. That records your awareness for GDPR purposes; it doesn't change what the subprocessor does, just documents that we told you and you saw it.
- Where can I see who acknowledged what and when? See the audit log. Every compliance action there is recorded with a timestamp and an actor.
- What if I never acknowledge? Subprocessor changes still take effect; the acknowledgment is a record of notification, not a veto.
See also account privacy for data export and deletion (GDPR rights of the data subject), audit log for who-did-what, and team for permission scoping.
Where to find us
Stuck? Email [email protected]. For legal/contract questions specifically, use the same address; we route it to the right person internally.