Skip to content

Data processing agreement

Version 1.0 — last reviewed 10 July 2026

1. What this is

This data processing agreement (DPA) under article 28 GDPR governs the personal data Wexlo — a trade name of Rybier Consulting (KvK 66637694), President Allendelaan 263, 1068 VM Amsterdam — processes on your behalf when scanning the websites you designate. It applies automatically as part of our terms for every customer — no signature needed. If you need a signed copy for your records, email [email protected] and we send you one. If this DPA and the terms conflict on data protection, this DPA prevails.

2. Roles

For the scan processing described here, you are the controller (or a processor for your own clients, in which case we act as your sub-processor) and we are your processor: you decide which domains we scan and we process what appears on those pages only to produce your reports. For your account, orders and invoices we are an independent controller — that processing is described in the privacy policy and falls outside this DPA.

3. Subject matter, duration, nature and purpose

Subject matter: automated accessibility scanning of the websites you register, and generation and delivery of the resulting reports. Duration: the term of your subscription, plus the deletion window in section 10. Nature: automated collection and analysis of publicly reachable web pages. Purpose: solely to deliver the reports and related features of your plan — never for our own purposes.

4. What data is involved

Categories of data: whatever personal data happens to be visible on the publicly reachable pages of the websites you designate (for example names on a team page). Categories of data subjects: visitors to and people featured on those websites. By design we minimize this radically: we store structured findings only — the rule, the WCAG criterion, the severity and a CSS selector — and never screenshots or HTML of your pages. The realistic residue of personal data in our systems is therefore limited to what can appear in a URL or CSS selector.

5. Your instructions

We process only on your documented instructions. Registering a domain and configuring your plan are those instructions; additional instructions can be agreed by email. We tell you if, in our view, an instruction violates the GDPR. We process outside your instructions only where EU or member-state law requires it, and we inform you first unless that law forbids it.

6. Confidentiality and security

Access to personal data is limited to persons who need it to deliver the service and who are bound by confidentiality. Taking into account the state of the art and the nature of the data, we apply the measures in article 32 GDPR, including: TLS encryption in transit (HSTS-enforced), encryption at rest at our database and storage providers, EU-hosted infrastructure, data minimization by design (no screenshots or HTML stored), single-use login links instead of passwords, least-privilege access, rate limiting and security event logging.

7. Sub-processors

You give general authorization for the sub-processors below. We announce additions or replacements at least 30 days in advance by email; if you object on reasonable data protection grounds and we cannot offer a solution, you may cancel your subscription as of the date the change takes effect.

  • Scalingo — application hosting (Paris, France)
  • Fly.io — scan worker that visits your pages (Frankfurt region, Germany; US company)
  • Neon — database for scan findings (Frankfurt region, Germany; US company)
  • Cloudflare — report storage (R2, EU jurisdiction), DNS and firewall (US company)
  • Upstash — job queue and rate limiting (EU region; US company)
  • Mailjet — report delivery by email (Paris, France; Sinch group)
  • Anthropic — AI-generated report text from structured findings (United States; no training on your data)
  • Sentry — error monitoring (EU data residency region)

Each sub-processor is bound by a data processing agreement with obligations materially equivalent to this one, and we remain fully liable to you for their performance.

8. International transfers

Processing takes place in the EU, with one exception we name honestly: the AI text generation step runs through Anthropic’s API in the United States, covered by the EU Standard Contractual Clauses and minimized to structured findings only. Some EU-region sub-processors (Neon, Fly.io, Cloudflare, Upstash) are US-owned; their processing for us stays in EU regions, and any transfer that does occur is covered by Standard Contractual Clauses or an adequacy mechanism such as the EU–US Data Privacy Framework.

9. Assistance and breach notification

Taking into account the nature of the processing, we assist you with data subject requests (access, erasure and the other rights in chapter III GDPR) and, where relevant, with your obligations under articles 32–36 GDPR, including data protection impact assessments. We notify you without undue delay after becoming aware of a personal data breach affecting your data, with the information article 33(3) GDPR requires, so you can meet your own notification duties.

10. Deletion and return

When your subscription ends, you can export your reports from the portal. On request we delete the scan findings and reports we hold for you; in any event we delete or anonymize them in line with the retention terms in the privacy policy, except where EU or Dutch law requires us to keep specific data (such as invoices).

11. Audits

We make available the information reasonably necessary to demonstrate compliance with article 28 GDPR — this page, our security summary and our sub-processor agreements’ relevant commitments. You may audit once per contract year, on at least 30 days’ notice, during business hours, without access to other customers’ data, and at your own cost; where possible we fulfil audits through documentation first.

12. Liability and law

The liability arrangement in the terms applies to this DPA. Dutch law governs. This DPA exists in English and Dutch (https://wexlo.eu/nl/dpa); if the versions diverge, the version in the language in which you ordered prevails.