This Data Processing Agreement ("DPA") is incorporated into and forms part of the Terms of Use ("Agreement") between WeCP and Customer.
Definitions
"Customer Data" means any personal data that Customer or its authorized users submit to the Services, including Candidate data.
"Data Protection Laws" means all applicable laws relating to data protection and privacy, including GDPR, CCPA/CPRA, and state biometric privacy laws (BIPA, CUBI, RCW 19.375).
"Sub-processor" means any third party engaged by WeCP to process Customer Data.
Roles and Scope
Customer as Controller. Customer is the controller of Customer Data. WeCP processes Customer Data as a processor on Customer's behalf.
Processing Scope. WeCP will process Customer Data solely to provide the Services, including:
Assessment delivery and scoring
Proctoring and session integrity monitoring (including facial detection/comparison where enabled)
Video response evaluation
AI-assisted assessment features
Customer Obligations
Lawful Basis. Customer is responsible for ensuring it has a lawful basis for processing Customer Data, including obtaining all required consents from Candidates.
Biometric Consent. Where Customer enables features involving facial image processing, Customer shall obtain all consents required under applicable biometric privacy laws, including written consent where required by BIPA, CUBI, or similar laws.
Notice. Customer shall provide Candidates with notice of data processing practices, including disclosure that third-party AI providers may process assessment data.
WeCP Obligations
Processing Instructions. WeCP will process Customer Data only in accordance with Customer's documented instructions, unless required by law.
Confidentiality. WeCP personnel authorized to process Customer Data are bound by confidentiality obligations.
Security. WeCP will implement appropriate technical and organizational measures to protect Customer Data, as described in WeCP's Technical Organizational Measures.
Assistance. WeCP will reasonably assist Customer in responding to data subject requests and fulfilling Customer's obligations under Data Protection Laws.
Sub-processors
Authorized Sub-processors. Customer authorizes WeCP to engage the Sub-processors listed in Annex A. WeCP will maintain an up-to-date list, available upon request.
New Sub-processors. WeCP will notify Customer of new Sub-processors at least 14 days before engagement. Customer may object in writing within that period; if the parties cannot resolve the objection, Customer may terminate the affected Services.
Sub-processor Agreements. WeCP will ensure Sub-processors are bound by data protection obligations no less protective than this DPA.
Non-Enterprise AI Providers. Customer acknowledges that certain Sub-processors (identified in Annex A) operate under standard terms of service rather than negotiated enterprise agreements. These providers may retain data for limited periods as part of service operations. WeCP is working to transition to enterprise agreements where available.
Data Transfers
Transfer Mechanisms. Where Customer Data is transferred outside the EEA/UK to a country not subject to an adequacy decision, the parties agree that the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) are incorporated by reference and apply as follows:
Module Two (Controller to Processor) applies where Customer is a controller and WeCP is a processor.
For the purposes of Clause 9(a), Option 2 (general written authorization) applies, and the time period for prior notice of Sub-processor changes is 14 days.
For the purposes of Clause 11, the optional language (independent dispute resolution body) is not included.
For the purposes of Clause 17, Option 1 applies, and the SCCs are governed by the law of Ireland.
For the purposes of Clause 18(b), disputes shall be resolved by the courts of Ireland.
Annex I (List of Parties, Description of Transfer) is deemed completed with the information in this DPA and Annex B.
Annex II (Technical and Organizational Measures) is satisfied by WeCP's Technical Organizational Measures, available upon request.
UK Transfers. For transfers of Customer Data from the United Kingdom, the UK Addendum to the EU SCCs (International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, as issued by the UK Information Commissioner's Office under S119A(1) of the Data Protection Act 2018) is incorporated by reference. The information required by Table 1 of the UK Addendum is set forth in this DPA and Annex B. For the purposes of Table 4 of the UK Addendum, neither party may end the UK Addendum in accordance with Section 19 of the UK Addendum.
Swiss Transfers. For transfers of Customer Data from Switzerland, the EU SCCs as incorporated in Section 6.1 apply with the following modifications:
References to "Regulation (EU) 2016/679" shall be interpreted as references to the Swiss Federal Act on Data Protection ("FADP").
References to "EU," "Union," and "Member State" shall not be interpreted in a way that excludes data subjects in Switzerland from exercising their rights.
References to the "competent supervisory authority" and "competent courts" shall mean the Swiss Federal Data Protection and Information Commissioner and the competent courts in Switzerland, respectively.
The term "Member State" shall not be interpreted to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland).
Copies. The SCCs, UK Addendum, and any applicable transfer mechanism documentation are available at the Trust Center (https://trust.wecreateproblems.com) or upon request.
Data Retention and Deletion
Retention. WeCP will retain Customer Data for the duration of the Agreement and as specified in the Data Archiving Policy.
Deletion. Upon termination or Customer's written request, WeCP will delete or return Customer Data within 30 days, except where retention is required by law.
Transient Processing. Certain data (including facial detection outputs and biometric analysis results) is processed transiently during assessment sessions and is not written to persistent storage.
Security Incidents
Notification. WeCP will notify Customer without undue delay (and in any event within 72 hours) upon becoming aware of a security incident affecting Customer Data.
Cooperation. WeCP will provide reasonable cooperation and information to assist Customer in meeting its breach notification obligations.
Audit Rights. Upon reasonable notice and no more than once per year, Customer may request information or conduct an audit to verify WeCP's compliance with this DPA. WeCP may satisfy this obligation by providing third-party audit reports (SOC 2, ISO 27001) or completing Customer's security questionnaire.
Liability. Liability under this DPA is subject to the limitations set forth in the Agreement.