Wrapped
Get the app
Wrapped

Legal

Data Processing Addendum

Ziora Labs LTD

6, Ifako-Ijaiye, Agege, Lagos, Nigeria

RC 8673143

Last updated: 12 May 2026 · Effective from: 12 May 2026

Contact: legal@wrapped.hive.spot

1. Roles

For Team-plan customers, the customer is the data controller and Wrapped (Ziora Labs LTD) is the data processor, acting only on documented instructions from the customer.

2. Subject-matter & duration

Wrapped processes account data and behavioural data to deliver the weekly wrap and run the service for the duration of the customer’s subscription, plus the 30-day deletion grace period after termination.

3. Sub-processors

We use the following sub-processors. Each is contractually bound to terms at least as protective as this DPA.

Clerk
Authentication and identity.
Paddle
Merchant of record, billing, tax, and receipts.
Anthropic
Card-text generation via Claude (no training on customer data, per API terms).
Vercel
Hosting and edge functions.
Neon
Postgres database.
Resend
Transactional and broadcast email delivery.
PostHog
Privacy-respecting analytics (consent-gated; anonymised after 90 days).
Sentry
Error monitoring (PII-scrubbed at source).
Cloudflare
CDN and bot protection.

4. Sub-processor changes

We will give 15 days’ written notice before adding or replacing a sub-processor that processes customer personal data. Customers may object on reasonable grounds; if we cannot resolve the objection, the customer may terminate without penalty.

5. Security measures

  • HTTPS-only on every public surface.
  • Encryption at rest in the Neon database and in object storage.
  • Least-privilege access controls and SSO-only employee access to production systems.
  • Quarterly security review of dependencies and infrastructure.
  • Incident-response plan with 72-hour breach-notification SLA.

6. International transfers

Personal data may be transferred to the US, EU, and Nigeria. Standard Contractual Clauses (SCCs) are in place with each sub-processor that processes EU-resident personal data outside the EEA. UK IDTA addendums apply to UK-resident data.

7. Customer rights

Customers may request a copy of our most recent SOC 2 report (once available) once per calendar year, under a mutual NDA. Customers may audit our processing of their personal data via questionnaire or, with reasonable notice, an on-site review limited to the data and systems used to process customer personal data.

8. Liability

Each party's liability under this DPA is subject to the limitations and exclusions in the Terms of Service.

9. Contact

DPA questions and DPA-execution requests: legal@wrapped.hive.spot. Entity details are in the page header.