1. Parties
Data Controller: The customer (“you”) who subscribes to WP-Claw services.
Data Processor: dcode technologies S.a r.l., registered in Luxembourg (RCS B243386), operating WP-Claw at wp-claw.ai (“we”, “us”).
2. Scope of Processing
We process personal data solely to provide the WP-Claw service. This includes:
- WordPress site visitor data (IP addresses, page views, form submissions) processed by AI agents
- Live chat messages between site visitors and the Concierge agent
- WooCommerce customer data processed by the Commerce agent
- Email addresses collected through lead capture forms
3. Sub-processors
We use the following sub-processors, each under a GDPR-compliant DPA:
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner | Infrastructure hosting | Germany (EU) |
| Supabase | Database, authentication | EU region |
| Stripe | Payment processing | Ireland (EU) |
| Anthropic | AI model API | EU-routed |
| Cloudflare | CDN, DDoS protection | Global (EU edge) |
4. Security Measures
- AES-256-GCM encryption for all secrets at rest
- TLS 1.3 for all data in transit
- Row-level security on all database tables
- Isolated Klawty instances per customer (no shared data)
- Immutable audit logs for all data access
- 30-day data retention after account deletion
5. Data Subject Rights
We assist you in fulfilling data subject requests (access, rectification, erasure, portability, restriction, objection) under GDPR Articles 15-22. Contact [email protected] to initiate a request. We respond within 72 hours.
6. Data Breach Notification
In the event of a personal data breach, we will notify you without undue delay and no later than 48 hours after becoming aware of the breach. The notification will include the nature of the breach, categories of data affected, and remedial measures taken.
7. Governing Law
This DPA is governed by the laws of the Grand Duchy of Luxembourg. Any disputes shall be submitted to the competent courts of Luxembourg City.