Data processing agreement

Controller and processor obligations, clearly stated.

This Data Processing Agreement (DPA) supplements the Terms of Service and applies wherever WordpexAI processes personal data on your behalf under the EU General Data Protection Regulation (GDPR), UK GDPR, or equivalent legislation. By using WordpexAI you accept this DPA.

Roles

Who is the controller and who is the processor

You are the Data Controller

Your organisation determines the purposes and means of processing personal data on your WordPress sites. You are the controller in respect of any personal data that is incidentally included in telemetry sent to WordpexAI (for example, the email address of a WordPress admin user listed in a site inventory).

WordpexAI is the Data Processor

WordpexAI processes the data described in this DPA only on your documented instructions, for the purposes of providing the monitoring and operations platform. We do not process this data for any other purpose, including advertising or analytics sold to third parties.

What we process

Data in scope of this DPA

WordpexAI's data collection is intentionally narrow. We are a control plane — we monitor operational signals, not content or visitor behaviour.

Site operational telemetry

Plugin inventory (names, versions, active state), WordPress and PHP version, theme metadata, health signals. Transmitted hourly by the connector plugin on your server.

Incident and workflow records

AI-generated incident analyses, action proposals, policy decisions, approval records, and audit logs. These contain operational context about your site, not personal data from your site visitors.

Account data

Names and email addresses of your organisation's users who access the WordpexAI dashboard. Processed to provide authentication and access control.

What we do not process

Outside the scope of this DPA

These categories of data are explicitly out of scope. If you believe any of the following is being transmitted, disconnect the connector and contact us immediately.

Visitor personal data

Customer names, emails, order history, IP addresses, and any other personal data stored in your WordPress database are not transmitted to or accessible by WordpexAI.

Site content

Posts, pages, products, comments, and media are not transmitted. The connector reads operational metadata only.

Snapshot data

Pre-update snapshots (file backups and DB dumps created before executing plugin updates) are stored exclusively on your own server. WordpexAI does not upload or hold snapshot data.

Sub-processors

Third parties we engage to process data

We engage the following sub-processors. We impose data protection obligations on each sub-processor at least equivalent to those in this DPA. You will be notified by email at least 30 days before we add a new sub-processor.

Purpose        Sub-processor   Location / transfer mechanism
AI analysis    Anthropic       US / SCCs
API hosting    Fly.io          EU (London)
Dashboard      Vercel          US / SCCs
Auth           Clerk           US / SCCs

Where sub-processors are located outside the UK/EU, transfers are made under Standard Contractual Clauses (SCCs) issued by the European Commission (2021 decision). A full sub-processor list with transfer mechanisms is available by emailing legal@wordpex.com.

Security

Technical and organisational measures

WordpexAI implements the following measures to protect personal data in processing:

In transit

All data in transit between the connector plugin and our API is protected by HTTPS/TLS 1.2+. Heartbeats are authenticated with HMAC-SHA256 signatures. Connector secrets are stored encrypted at rest in the WordPress database using AES-256-CBC.

At rest

Data stored on our API servers is protected by volume encryption. Access to production databases is limited to named engineers and is logged. We do not retain data longer than the periods described in the Privacy Policy.

Access control

Dashboard access is mediated by Clerk authentication. All action dispatches carry short-TTL signatures and nonce protection. Tenant isolation ensures your organisation's data is not accessible to other customers.
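As an added illustration of the heartbeat authentication the Security section names (HMAC-SHA256 signature, short-TTL timestamp, nonce replay check), here is a server-side verifier; it is not WordpexAI's connector code, and the message layout, 300-second window and field names are assumptions.

```python
import hashlib
import hmac
import time

# Assumed window; the real connector's TTL and message layout are not documented here.
HEARTBEAT_TTL_SECONDS = 300


def sign_heartbeat(secret: bytes, body: bytes, timestamp: int, nonce: str) -> str:
    # MAC covers timestamp, nonce and body so none of them can be altered in isolation.
    msg = f"{timestamp}.{nonce}.".encode() + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class HeartbeatVerifier:
    """Accepts a heartbeat only if it is authentic, fresh and not a replay."""

    def __init__(self, secret: bytes, ttl: int = HEARTBEAT_TTL_SECONDS, clock=time.time):
        self.secret, self.ttl, self.clock = secret, ttl, clock
        self.seen = {}  # nonce -> time after which it may be forgotten

    def verify(self, body: bytes, timestamp: int, nonce: str, signature: str) -> str:
        now = int(self.clock())
        expected = sign_heartbeat(self.secret, body, timestamp, nonce)
        # Constant-time comparison so the expected MAC does not leak through timing.
        if not hmac.compare_digest(expected, signature):
            return "bad_signature"
        # Short TTL: a captured heartbeat is useless once the window has passed.
        if abs(now - timestamp) > self.ttl:
            return "stale"
        # Nonces are remembered for one TTL window; anything older is rejected as stale anyway.
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
        if nonce in self.seen:
            return "replay"
        self.seen[nonce] = timestamp + self.ttl
        return "ok"


def demo() -> list:
    """Constructed walk-through on a fixed clock: accept, replay, tamper, stale."""
    secret = b"constructed-connector-secret"
    v = HeartbeatVerifier(secret, clock=lambda: 1_700_000_000)
    body = b'{"wp_version":"6.5","php_version":"8.2","plugins":12}'  # constructed telemetry
    ts, nonce = 1_700_000_000, "n-0001"
    sig = sign_heartbeat(secret, body, ts, nonce)
    results = [v.verify(body, ts, nonce, sig), v.verify(body, ts, nonce, sig)]
    results.append(v.verify(body + b" ", ts, "n-0002", sig))  # body altered after signing
    old = ts - 3600
    results.append(v.verify(body, old, "n-0003", sign_heartbeat(secret, body, old, "n-0003")))
    return results
```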

Incident response

In the event of a personal data breach, we will notify you without undue delay and within 72 hours of becoming aware of the breach, providing sufficient information for you to fulfil your obligations to supervisory authorities.

Your rights

Data subject requests and audit

As a controller, you are responsible for responding to data subject requests in relation to personal data you control. We will assist you as required under Article 28 GDPR:

Assistance with requests

On request, we will provide information about the personal data we process on your behalf to help you respond to data subject access, rectification, erasure, or portability requests.

Audit rights

You have the right to audit our data processing activities. We will respond to reasonable audit requests within 30 days. Where third-party audit certifications are available (SOC 2, ISO 27001 — in progress), we will provide these in lieu of on-site audit.

Termination

What happens to data when you leave

Upon termination of the Terms of Service or disconnection of a site, we will delete or return all personal data processed under this DPA within 30 days, at your election. Deletion confirmation will be provided in writing. Audit logs may be retained for the statutory minimum period where required by law.

Last updated: 30 May 2026 · DPA questions: legal@wordpex.com

Need a signed DPA for your procurement process?

Enterprise customers can request a countersigned DPA. Contact us with your legal entity details and we will turn around a signed copy within 5 business days.