Jan 30, 2026
Last updated: January 29, 2026
This Data Processing Addendum (this "DPA") forms part of, and is incorporated into, the agreement between (i) the customer identified in the applicable Order Form or other written agreement ("Customer") and (ii) Walter (together with its affiliates, "Walter") governing Customer’s access to and use of Walter’s services (the "Agreement"). This DPA forms part of the Terms (as defined in the Agreement).
If there is any conflict between this DPA and the Agreement (including any Order Form), this DPA will control to the extent of the conflict with respect to the parties’ data protection obligations.
Customer and Walter will each comply with their respective obligations under applicable Data Protection Law.
1. Data processing roles
1.1 Controller/processor. As between Customer and Walter, Customer is the Data Controller (or, where applicable, “business”) and Walter is the Data Processor (or, where applicable, “service provider”), processing DPA Data on Customer’s behalf.
1.2 Sub-processor scenario. To the extent Walter processes Personal Data on Customer’s behalf as a sub-processor (for example, where Customer is itself a processor), Customer represents and warrants that it has obtained all authorizations necessary for Walter to process such Personal Data in accordance with this DPA.
2. Processing details
2.1 Subject matter and purpose. Walter will process DPA Data solely to provide, maintain, and support the Services, and otherwise as set out in the Agreement, and in accordance with Instructions.
2.2 Nature of processing. Processing activities may include collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating, restricting, erasing, and destroying DPA Data, as necessary to perform the Services.
2.3 Categories of data subjects. Individuals identified in Customer Data and Content, which may include users of Customer’s applications and Customer’s clients.
2.4 Categories of personal data. Personal data contained in Customer Data and Content, which may include identity data, contact data, communications, and other information submitted to the Services by or on behalf of Customer.
2.5 Duration. Subject to Section 11 (Return and deletion) and the Agreement, Walter will Process DPA Data for the term of the Agreement and thereafter only as permitted by this DPA.
3. Instructions
3.1 Customer instructions. Walter will process DPA Data on Customer’s behalf:
· in accordance with Customer’s documented instructions; and
· only as necessary to perform the Services.
3.2 Instructions via use of the Services. Customer’s use of the Services in accordance with the documentation constitutes Instructions.
3.3 Unlawful instructions. Walter will promptly inform Customer if, in Walter’s opinion, an instruction infringes Data Protection Law.
3.4 Inability to comply. Walter will promptly notify Customer in writing if it cannot comply with this DPA.
4. Confidentiality
4.1 Walter will ensure that persons authorized by Walter to process DPA Data are subject to appropriate confidentiality obligations (whether contractual or statutory).
5. Subprocessors
5.1 Authorization. Customer grants Walter a general written authorization to engage Subprocessors to process DPA Data in order to provide the Services.
5.2 Subprocessor list and notice. Walter will make available a list of its then-current Subprocessors (the "Subprocessor List") located at https://getwalter.com/legal/subprocessors and will provide notice of any intended material changes to the Subprocessor List, including the addition or replacement of a Subprocessor, at least thirty (30) days before the change takes effect.
5.3 Objection right. Customer may object to a new Subprocessor on reasonable grounds relating to the protection of DPA Data by providing written notice to Walter within fifteen (15) days after receipt of notice under Section 5.2 (an "Objection").
5.4 Cure process. If Customer provides an Objection, Walter may, at its option, use commercially reasonable efforts to address the Objection by:
· offering an alternative to provide the relevant portion of the Services without the objected-to Subprocessor;
· taking commercially reasonable corrective steps requested by Customer; or
· ceasing to provide (or Customer agreeing not to use), whether temporarily or permanently, the aspect or feature of the Services that would require the Subprocessor.
If the parties cannot resolve the Objection within thirty (30) days after Walter receives the Objection, then either party may terminate the affected subscriptions, Order Forms, or usage relating to the Services for cause, and Customer will be refunded any prepaid but unused fees for the terminated portion covering periods after the termination date.
5.5 Flow-down obligations and liability. Walter will enter into written agreements with Subprocessors requiring them to provide no less than the level of protection for DPA Data required under this DPA, and Walter remains responsible for the performance of each Subprocessor to the extent the Subprocessor fails to fulfill its data protection obligations. Walter will use contractual or other means to ensure that each Subprocessor provides a comparable level of protection for Personal Data while it is processed by that Subprocessor.
6. Assistance to Customer; audit rights
6.1 Assistance. Upon Customer’s written request, Walter will provide reasonable assistance to Customer in relation to:
· responding to a Data Subject Request relating to Walter’s processing;
· data protection impact assessments and, where required, prior consultation with a supervisory authority; and
· providing information necessary to demonstrate compliance with this DPA, to the extent required by Data Protection Law.
6.2 Audit framework. Customer may audit Walter’s compliance with this DPA no more than once in any twelve (12) month period, unless Customer has clear reasons to believe Walter has materially breached this DPA.
6.3 Audit conditions. Any audit must be:
· conducted by an independent and reputable auditor;
· subject to confidentiality obligations; and
· limited so that it does not include access to information pertaining to other customers of Walter.
6.4 Costs. Unless otherwise required by Data Protection Law, Customer is responsible for audit costs, except that if an audit concludes a material breach by Walter, Walter will reimburse Customer for reasonable and verified audit costs.
6.5 Confidential information. Reports and documentation provided by Walter under this Section 6 are Walter’s confidential information.
7. Notice to Customer
7.1 Government and authority requests. To the extent legally permitted, Walter will notify Customer if Walter receives:
· any legally binding request for disclosure of DPA Data by a law enforcement authority;
· any notice, inquiry, or investigation by a supervisory authority with respect to DPA Data; or
· any complaint or request from a Data Subject relating to DPA Data.
7.2 Data subject requests. Walter will not respond to a Data Subject Request except to request further information, confirm identity, or identify the Data Subject, unless Customer provides prior written authorization.
8. Personal data breach
8.1 Notification. Walter will notify Customer without undue delay after becoming aware of a Personal Data Breach and will provide information required under Data Protection Law.
8.2 Cooperation. Walter will cooperate with Customer’s reasonable requests for information and assistance in relation to the Personal Data Breach.
8.3 Assistance with Canadian breach reporting. Upon Customer’s request, Walter will provide reasonable information and assistance to help Customer determine whether a Personal Data Breach poses a real risk of significant harm and to support Customer’s reporting and notification obligations under applicable Canadian privacy laws.
8.4 Incident records. Walter will provide Customer with information reasonably required for Customer to maintain any required incident register or record under applicable privacy laws.
9. Security
9.1 Security program. Walter will implement and maintain reasonable security arrangements and safeguards, including a written information security program with appropriate technical and organizational measures, designed to protect DPA Data against unauthorized or accidental access, loss, alteration, disclosure, or destruction. Security measures are described in the Security Addendum at https://getwalter.com/legal/security-addendum.
9.2 Personnel access controls. Walter will take appropriate steps to confirm that Walter personnel and other authorized persons or entities processing DPA Data on Walter’s behalf protect the security, privacy, and confidentiality of DPA Data consistent with this DPA.
10. Cross-border data transfers
10.1 Transfers. Customer acknowledges that Walter may process and store DPA Data in locations necessary to provide the Services, including through remote access. Walter will only store DPA Data in the locations necessary to provide the Services and in the Region(s) approved by Customer on the executed Order Form.
10.2 Transfer mechanism. To the extent any transfer of DPA Data constitutes a transfer requiring a Data Transfer Mechanism, the parties will implement an appropriate mechanism in accordance with Data Protection Law. The Data Transfers Addendum (if applicable) is located at https://getwalter.com/legal/data-transfers-addendum.
10.3 Standard Contractual Clauses. If the parties rely on Standard Contractual Clauses, the applicable SCC module(s) will apply as required by the parties’ roles (including, where applicable, module 2 (controller to processor) or module 3 (processor to processor)).
10.4 Québec transfers. Where Customer is subject to Québec privacy law and the Processing involves communicating Personal Data outside Québec (including by granting access from outside Québec), Customer is responsible for conducting any required privacy impact assessment and determining that the Personal Data will receive adequate protection. Upon Customer’s request, Walter will provide reasonable cooperation and information to support Customer’s assessment and to implement reasonable contractual safeguards.
11. Return and deletion
11.1 Retention period. This DPA shall remain in effect until (i) the Services are terminated and (ii) Walter no longer processes DPA Data on Customer’s behalf.
11.2 Return and deletion. Customer may retrieve DPA Data from the Services prior to deletion. Within thirty (30) days following termination of the Services or upon Customer’s reasonable request, Walter shall, and shall direct each Subprocessor to, delete the DPA Data from production systems, unless Walter is required by law to retain DPA Data.
11.3 Backup retention acknowledgement. Customer acknowledges that, in accordance with widely accepted industry best practices for backups and ransomware risk mitigation, DPA Data may be retained in disaster and ransomware-proof backups held by Subprocessors until the automatic expiry of these complete system backups even after deletion from production systems. These encrypted backups are inaccessible to the production environment once made and are held in logically isolated environments with one-way transmission logical controls.
11.4 Impracticability / legal holds. If return or deletion is impracticable or prohibited by applicable law, Walter will (i) inform Customer, (ii) block the DPA Data from further processing (except to the extent necessary for permitted retention), and (iii) continue to protect it in accordance with this DPA.
12. Québec service provider requirements
12.1 Use limitation and confidentiality. Walter will use Personal Data only to perform the Services and in accordance with Instructions, and will take measures to protect the confidentiality of Personal Data.
12.2 Notice of confidentiality incident. Walter will notify Customer without undue delay of any actual or suspected unauthorized access to, use of, disclosure of, or loss of Personal Data (including attempted unauthorized access), to the extent Walter becomes aware.
12.3 Return/deletion. Walter will not keep Personal Data after expiration or termination of the Agreement except as permitted or required by law and as described in Section 11 (Return and deletion).
12.4 Verification. Walter will make information available as reasonably necessary for Customer to verify compliance with this DPA, subject to reasonable confidentiality and security restrictions.
13. US state privacy law obligations (if applicable)
13.1 To the extent applicable under US state privacy laws (including the CCPA, as amended), Walter certifies that it understands and will comply with its obligations to:
· process DPA Data only for the purposes set out in this DPA, the Agreement, or as otherwise permitted by law;
· not “sell” or “share” (as defined by applicable law) DPA Data;
· not retain, use, or disclose DPA Data outside of the direct business relationship with Customer except as required or permitted by law;
· not combine DPA Data with personal data obtained from other sources except as permitted by law; and
· allow Customer to take reasonable and appropriate steps to help ensure and verify that Walter uses DPA Data consistent with applicable law and to stop and remediate unauthorized use of DPA Data.
13.2 Deidentified data. Walter will not attempt to reidentify deidentified data provided by Customer except as necessary to test whether the deidentification processes comply with Data Protection Law.
14. Customer obligations
14.1 Rights and instructions. Customer represents, warrants, and covenants that it has and will maintain all rights, consents, and authorizations necessary to provide DPA Data to Walter and to authorize Walter’s processing as contemplated by this DPA.
14.2 Compliance. Customer will comply with Data Protection Law applicable to Customer.
14.3 Secure transfer mechanisms. Customer will transfer DPA Data to Walter using secure, reasonable, and appropriate mechanisms.
14.4 No unsecured channels. Customer will not provide DPA Data to Walter through unsecured or non-agreed mechanisms (for example, by including DPA Data in support tickets or sending DPA Data by email), except as expressly agreed in writing.
15. Future regulations (AI-specific laws)
15.1 If new legislation or regulations specifically govern the use of artificial intelligence solutions, the parties will review this DPA in good faith to ensure compliance.
15.2 If substantial modifications are required to render this DPA or the parties’ performance under it compliant with such new regulations, the parties will negotiate in good faith to make necessary amendments.
15.3 If new regulations render continued provision of the Services infeasible or unlawful, either party may terminate by written notice effective after a reasonable notice period.
15.4 Termination under this Section 15 does not relieve either party of outstanding obligations or liabilities incurred prior to termination.
16. Governing law; liability; precedence
16.1 Governing law and disputes. This DPA is governed by and construed in accordance with the governing law and dispute resolution provisions of the Agreement, except as otherwise required by applicable Data Protection Law.
16.2 Liability. The liability provisions and limitations set out in the Agreement apply to this DPA.
17. Defined terms
For purposes of this DPA:
· "Applicable Data Protection Laws" means all applicable privacy and data protection laws, regulations, and binding guidance, as amended from time to time.
· "Data Controller" means the person or entity that determines the purposes and means of Processing Personal Data (including equivalent concepts such as “business”).
· "Data Processor" means the person or entity that Processes Personal Data on behalf of a Data Controller (including equivalent concepts such as “service provider”).
· "Data Protection Authority" means a supervisory authority or other governmental authority authorized to enforce Applicable Data Protection Laws.
· "Data Protection Law" means Applicable Data Protection Laws applicable to the processing of DPA Data in connection with the Services.
· "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
· "Data Subject Request" means a request by a Data Subject to exercise rights under Data Protection Law (including access, correction, deletion, restriction, objection, or portability).
· "Data Transfer Mechanism" means a lawful transfer mechanism enabling cross-border transfers of Personal Data under Data Protection Law, including Standard Contractual Clauses, the UK International Data Transfer Addendum, and other mechanisms recognized under Data Protection Law.
· "DPA Data" means Customer Data or Customer content provided through the Services that constitutes Personal Data.
· "Personal Data" means any information relating to an identified or identifiable natural person that is protected under Data Protection Law.
· "Personal Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
· "Processing" (and "Process", "Processes", "Processed") means any operation or set of operations performed on Personal Data, whether or not by automated means.
· "Restricted Transfer" means any transfer of Personal Data that requires a Data Transfer Mechanism.
· "Services" means the services provided by Walter under the Agreement.
· "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for transfers of personal data to third countries, as updated or replaced from time to time.
· "Subprocessor" means an entity engaged by Walter to Process DPA Data on Walter’s behalf.
· "Data Transfers Addendum" means the Walter data transfers addendum available at https://getwalter.com/legal/data-transfers-addendum.
· "Security Addendum" means the security addendum describing Walter’s technical and organizational measures available at https://getwalter.com/legal/security-addendum.
· "Subprocessor List" means the list of Walter’s then-current Subprocessors available at https://getwalter.com/legal/subprocessors.
· "Supervisory Authority" means an independent public authority established pursuant to applicable Data Protection Law.
· "UK International Data Transfer Addendum" means the international data transfer addendum to the SCCs issued by the UK Information Commissioner’s Office, as updated or replaced from time to time.