Data Processing Agreement (DPA)
WebDisk Files · Version 1.0 · Effective 2026-06-09
Agreement between:
Data Controller (Customer):
- Name: [Customer name]
- Address: [Address], [ZIP] [City]
- Tax/VAT ID: [VAT ID]
- Contact email: [Contact email]
- Represented by the WebDisk Files account administrator
and
Data Processor (Processor):
- WebDisk (registration and contact details in the footer of files.webdisk.io)
This DPA governs the processing of personal data in connection with the Customer's use of the WebDisk Files service (the "Service") under the Files Terms.
§1. Definitions
Terms in this DPA follow the GDPR (Regulation 2016/679) definitions. In particular:
- "GDPR" — Regulation (EU) 2016/679,
- "Personal Data" — any information relating to an identified or identifiable natural person processed in the Service,
- "Data Subjects" — Customer end-users and any other natural persons whose Personal Data the Customer entrusts to WebDisk,
- "Personal Data Breach" — a breach of security leading to accidental or unlawful disclosure, loss, alteration of or unauthorised access to Personal Data.
§2. Subject matter, nature and purpose
2.1. Subject matter: Personal Data contained in the Customer's files and the application's metadata (user emails, billing data, access logs).
2.2. Nature of processing: storage, replication, sharing via API and web panel, share-link generation, metadata backups, optional SSE-C encryption, optional immutability (Object Lock).
2.3. Purpose of processing: providing the WebDisk Files Service to the Customer per the Files Terms and the chosen subscription plan.
2.4. Categories of Personal Data may include (depending on content uploaded by the Customer):
- identifiers (name, email),
- contact details (phone, address),
- professional data (job title, organisation),
- other categories within Customer files — at Customer's discretion.
2.5. Categories of Data Subjects:
- Customer end-users (employees, contractors, collaborators),
- natural persons whose data the Customer stores in files (clients, partners, suppliers, etc.).
2.6. Duration of processing: for the term of the Service agreement, until termination or fulfilment of the right to erasure (per §9).
§3. Processor (WebDisk) obligations
WebDisk commits to:
3.1. Process Personal Data only on documented instructions from the Customer — the Files Terms, the Customer panel configuration and operations triggered through the Customer's API constitute such instructions.
3.2. Ensure that persons authorised to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation.
3.3. Implement and maintain the technical and organisational measures described in §5, providing a level of security appropriate to the risk (GDPR Art. 32).
3.4. Assist the Customer in handling Data Subject requests (Art. 12-22 GDPR) — in particular by providing data-export, account-closure and profile-edit features.
3.5. Assist the Customer in compliance with obligations regarding:
- security (Art. 32 GDPR),
- breach notification (Art. 33-34 GDPR) — §7,
- data-protection impact assessment (Art. 35 GDPR) — we will share the Anti-Ransomware DPIA on request.
3.6. Upon termination of the Service delete or return all Personal Data to the Customer (§9).
3.7. Make available to the Customer all information necessary to demonstrate compliance with GDPR Art. 28 and allow audits per §10.
§4. Controller (Customer) obligations
The Customer commits to:
4.1. Process Personal Data in compliance with the GDPR, in particular maintaining a lawful basis for each category entrusted to WebDisk.
4.2. Inform end-users and Data Subjects that their data is stored on WebDisk infrastructure as Processor.
4.3. Not upload to the Service special categories of personal data (Art. 9 GDPR — health, biometric, judicial and criminal data, etc.) or data subject to special regulations (US HIPAA, full PCI-DSS PAN) without prior written arrangement with WebDisk.
4.4. Manage Service access on its side (in-organisation permissions, MFA, password rotation).
4.5. Cooperate with WebDisk on Data Subject requests — promptly forward any requests pertaining to Personal Data processed in the Service.
§5. Technical and organisational measures
WebDisk applies in particular:
5.1. Encryption:
- TLS 1.2+ on all connections (panel, API, S3),
- optional SSE-C (Server-Side Encryption with Customer Keys) — Customer enables at magazyn level,
- account-password hashing (bcrypt cost ≥10),
- master-key and SSE-C-key encryption at rest in the database (AES-256-GCM).
5.2. Access control:
- personal accounts for WebDisk staff, MFA required on critical operations,
- environment separation (dev/staging/prod),
- RGW bucket policies enforcing per-organisation isolation,
- direct production access only via SSH bastion with hardware keys.
5.3. Audit log:
- administrative operations (account creation/deletion, plan changes, operator interventions) logged with 12-month retention,
- S3 access (RGW access log) retained for 90 days.
5.4. Redundancy and resilience:
- 3× replication of every object at the Ceph layer (separate hosts, RBAC),
- mdadm RAID1 on cluster system disks,
- 24h MySQL snapshots with 30-day retention,
- security-anomaly detector (Wazuh SIEM) with 24/7 alerting.
5.5. Data location:
- all Personal Data stored on WebDisk infrastructure in Poland (EU),
- no transfer outside EU/EEA (except via subprocessors per §6).
5.6. Continuous improvement:
- regular security updates,
- penetration tests at least annually,
- annual review of technical and organisational measures.
§6. Sub-processors
6.1. The Customer hereby grants general authorisation for WebDisk to engage sub-processors (GDPR Art. 28(2)).
6.2. The current sub-processor list is appended to the Files Terms (§9) and published at files.webdisk.io/subprocessors.
6.3. Changes to the list (new sub-processor, scope change) are notified by email with 30-day notice to the org-admin contact.
6.4. The Customer may raise a reasoned objection to a new sub-processor within 14 days of notice. If objection:
- WebDisk and Customer look for an alternative within 30 days,
- if no agreement is reached the Customer may terminate with immediate effect retaining data-export rights.
6.5. WebDisk is liable to the Customer for the acts and omissions of its sub-processors as if its own (GDPR Art. 28(4)). All sub-processors are bound by an equivalent level of data protection.
§7. Breach notification
7.1. On a Personal Data Breach within this DPA's scope, WebDisk:
a) without undue delay and at most within 48h of detection notifies the Customer by email and through the panel (where available);
b) provides the information required by GDPR Art. 33(3):
- nature of the breach, categories and approximate number of affected Data Subjects and records,
- consequences of the breach,
- measures taken or proposed,
- WebDisk's contact point for further communication;
c) assists the Customer in notifying the supervisory authority (UODO) and affected Data Subjects (where required).
7.2. The Customer reports the breach to UODO within 72h of receiving WebDisk's information, unless unlikely to result in a risk to the rights and freedoms of natural persons.
§8. Assistance with Data Subject rights
WebDisk provides the following mechanisms:
| Right | Mechanism |
|---|---|
| Art. 15 — access | "Export my data (GDPR)" in the user profile — ZIP with files + metadata.json |
| Art. 16 — rectification | profile edit; billing-data edit in the org-admin panel |
| Art. 17 — right to be forgotten | "Close account" in profile (USER) / "Close organisation" (ORG_ADMIN); 30-day grace, then physical deletion |
| Art. 20 — portability | "Export my data" — ZIP readable by standard tools |
| Art. 21 — objection | Customer contacts support@webdisk.io |
| Art. 22 — automated decisions | we do not apply automated profiling or decisions with legal effects |
§9. Return or deletion of data
9.1. On termination of the Service (for any reason) WebDisk:
a) grants the Customer a 14-day window for self-service data export (the "Export my data" mechanism);
b) after 14 days or immediately on written Customer request — physically deletes all Customer Personal Data, subject to §9.2.
9.2. Exceptions for Anti-Ransomware magazyny. Files in Object-Lock-Compliance magazyny are deleted progressively as each version's retention lapses. The Customer is informed of the estimated complete-deletion timeline. With the Customer's written consent WebDisk may apply the procedure described in Files Terms §4.5 (low-level intervention) shortening this process.
9.3. Exceptions for legal obligations. WebDisk retains:
- anonymised access audit log for 12 months (GDPR Art. 17(3)(b) — compliance with security obligations),
- accounting metadata (invoices, VAT IDs, amounts) for 5 years per Polish accounting and tax laws.
9.4. After §9.1.b completion WebDisk issues a written deletion confirmation on request.
§10. Audits
10.1. The Customer has the right to audit WebDisk's compliance with this DPA, in particular the technical and organisational measures (§5), no more than once per calendar year.
10.2. The audit is announced in writing with at least 30-day notice.
10.3. The Customer may appoint an independent auditor subject to confidentiality.
10.4. The audit does not cover data of other WebDisk customers or WebDisk business secrets unrelated to the DPA.
10.5. Audit costs are borne by the Customer. If material DPA violations are found, WebDisk covers reasonable audit costs.
10.6. Alternatively the Customer may accept as proof of compliance:
- a current independent auditor's report (e.g. ISO 27001, SOC 2 Type II — if WebDisk holds one),
- WebDisk's own penetration test reports.
§11. Liability
11.1. WebDisk is liable for damages arising from DPA breach per general civil-code principles, capped at the fees paid by the Customer in the last 12 months before the damage, except for:
- damages caused intentionally or by gross negligence,
- third-party rights violations through WebDisk's fault.
11.2. Liability for Data Subject claims (Art. 82 GDPR) — the parties bear it per Art. 82(4)–(5) GDPR (joint liability with right of recourse).
§12. Final provisions
12.1. DPA changes. Changes require written form under pain of nullity; email notification with a re-acceptance prompt in the panel after the new version takes effect is treated as written form.
12.2. Precedence. In case of conflict between the DPA and the Files Terms / WebDisk SaaS Terms — the DPA prevails in the scope of personal-data protection.
12.3. Language. Where the language versions of this DPA conflict — the PL version prevails.
12.4. Governing law and jurisdiction. Polish law. Courts having jurisdiction over WebDisk's seat.
12.5. Effective date. This DPA takes effect upon acceptance in the org-admin panel (recorded in the audit log) or qualified-signature signing of the downloaded PDF.
Document: webdisk-files / DPA · version 1.0 · effective 2026-06-09 · 2026-07-09T19:22:44.508Z