Data Processing Addendum

Last updated: May 26, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between Whirl and the customer using Whirl for business purposes. It applies where Whirl processes personal data on behalf of the customer under UK GDPR, EU GDPR, or similar data protection laws.

1. Roles

For customer workspace data and connected integration data, the customer is normally the controller and Whirl is the processor. Whirl is a controller for its own account, billing, security, website, support, and business operations data.

2. Processing Details

  • Subject matter: providing Whirl's AI agent, integration, browser automation, workflow, and support features.
  • Duration: for the term of the customer's use of Whirl, plus any retention period needed for deletion, backup, security, legal, or audit purposes.
  • Nature and purpose: ingesting, storing, searching, summarizing, routing, generating, drafting, executing approved actions, and maintaining audit records for customer workflows.
  • Types of data: account data, messages, emails, files, calendar data, task and ticket data, contacts, call/transcript data, property/booking data, browser run data, usage metadata, and similar data selected by the customer.
  • Data subjects: customer users, employees, contractors, end customers, guests, suppliers, and other people whose data appears in connected tools.

3. Customer Instructions

Whirl will process customer personal data only to provide the service, as documented in the agreement and product settings, as instructed by the customer, or as required by law.

4. No AI Training by Default

Whirl does not use customer content to train generalized AI models, build cross-customer datasets, or create benchmarks from customer data unless the customer has expressly instructed or opted into that use. Whirl uses paid API, enterprise, or processing terms intended to prevent AI model providers from training on customer content.

5. Confidentiality and Security

Whirl restricts production access to personnel and contractors who need it to operate, secure, or support the service and are bound by confidentiality obligations. Whirl uses technical and organizational measures including access controls, encryption in transit, encrypted secrets and OAuth tokens at rest, tenant separation, approval workflows, audit records, and incident response procedures.

6. Sub-processors

The customer authorizes Whirl to use sub-processors needed to provide the service. The current list is available at /subprocessors. Whirl will impose data protection obligations on sub-processors consistent with this DPA.

7. International Transfers

Where customer personal data is transferred outside the UK or EEA and no adequacy decision applies, Whirl will rely on appropriate transfer mechanisms such as Standard Contractual Clauses, the UK Addendum, or the UK International Data Transfer Agreement.

8. Assistance

Whirl will provide reasonable assistance for data subject requests, security questionnaires, DPIAs, deletion requests, and data protection inquiries, taking into account the nature of the processing and information available to Whirl.

9. Security Incidents

Whirl will notify affected customers without undue delay after becoming aware of a personal data breach involving customer personal data and will provide information reasonably available to Whirl.

10. Return and Deletion

On termination or request, Whirl will delete or return customer personal data in accordance with the service functionality, backups, legal obligations, and documented retention periods.

11. Contact

Data protection questions can be sent to hello@whirl.sh.