How to accept:
Please review the agreement below for accuracy. Once you click "Submit" to digitally sign, we'll email the fully executed agreement to the address you provided.
Last updated: 2026-04-28
This Data Processing Addendum ("DPA") forms part of the Agreement between Uncanny Owl Inc. ("Uncanny Owl") and the entity identified as "Customer" in the signature block ("Customer") and is effective on the date both parties execute this DPA (the "Effective Date"). All capitalized terms not defined in this DPA have the meanings set out in the Agreement.
1. Definitions
"Affiliate" means an entity that directly or indirectly Controls, is Controlled by, or is under common Control with an entity, where "Control" means an ownership, voting, or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question.
"Agreement" means Uncanny Owl's Terms & Conditions, which govern the provision of the Services to Customer, as updated from time to time.
"CCPA" means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and its implementing regulations.
"Customer Personal Data" means any Personal Data that Uncanny Owl Processes on behalf of Customer as a Processor in the course of providing the Services. Customer Personal Data includes, where applicable, Inputs and Outputs processed by Uncanny Agent on Customer's behalf.
"Data Protection Laws" means all data protection and privacy laws applicable to the Processing of Personal Data under the Agreement, including, where applicable: (a) the GDPR; (b) the UK GDPR and the UK Data Protection Act 2018 ("UK Data Protection Law"); (c) the Swiss Federal Act on Data Protection ("Swiss FADP"); (d) the CCPA; (e) Quebec's Act respecting the protection of personal information in the private sector, as amended by Law 25 ("Quebec Law 25"); and (f) any other applicable national, federal, state, provincial, or local data protection or privacy law.
"Controller," "Processor," "Personal Data," "Process," "Processing," "Data Subject," and "Supervisory Authority" have the meanings given in the GDPR (or the equivalent terms in any other applicable Data Protection Law, such as "Business," "Service Provider," "Personal Information," and "Consumer" under the CCPA).
"EEA" means the European Economic Area.
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
"Inputs" and "Outputs" have the meanings given to them in §9.4 of the Agreement.
"Personal Data Breach" means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
"Restricted Transfer" means a transfer of Customer Personal Data from the EEA, the United Kingdom, or Switzerland to a country that has not been the subject of an adequacy decision under the applicable Data Protection Law.
"Services" means the products and services provided by Uncanny Owl to Customer pursuant to the Agreement, including the Uncanny Automator plugin, Uncanny Agent, and any related hosted services, APIs, support, and updates.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as may be amended, replaced, or superseded.
"Subprocessor" means any Processor engaged by Uncanny Owl or its Affiliates to assist in providing the Services.
"UK Addendum" means the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, version B1.0, issued by the UK Information Commissioner under section 119A of the UK Data Protection Act 2018.
2. Relationship with the Agreement
2.1 This DPA replaces any prior data processing addendum the parties may have entered into in connection with the Services.
2.2 Except for the changes made by this DPA, the Agreement remains in full force and effect. If there is a conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict. If there is a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses prevail.
2.3 Claims brought under or in connection with this DPA are subject to the terms and limitations of the Agreement, including the limitations of liability in §5 of the Agreement, except where Data Protection Laws require otherwise.
2.4 Claims against Uncanny Owl or its Affiliates under this DPA must be brought solely against the entity that is a party to the Agreement.
2.5 No one other than a party to this DPA, its successors, and permitted assignees has any right to enforce its terms, except as expressly provided in the Standard Contractual Clauses.
2.6 This DPA is governed by the governing-law and jurisdiction provisions of the Agreement, except where Data Protection Laws require otherwise (including, in respect of the Standard Contractual Clauses, the law specified in the Clauses themselves).
3. Scope and Applicability
3.1 This DPA applies where, and only to the extent that, Uncanny Owl Processes Customer Personal Data on behalf of Customer as a Processor in the course of providing the Services.
3.2 The provisions of this DPA apply from the Effective Date.
4. Roles and Processing
4.1 Roles. As between Uncanny Owl and Customer, Customer is the Controller (or Business, under the CCPA) of Customer Personal Data, and Uncanny Owl Processes Customer Personal Data only as a Processor (or Service Provider, under the CCPA) acting on Customer's behalf.
4.2 Customer Obligations. Customer agrees that: (a) it will comply with its obligations as a Controller under Data Protection Laws in respect of its Processing of Customer Personal Data and any Processing instructions it issues to Uncanny Owl; and (b) it has provided notice and obtained (or will obtain) all consents and rights necessary under Data Protection Laws for Uncanny Owl to Process Customer Personal Data and provide the Services.
4.3 Uncanny Owl Processing. Uncanny Owl will Process Customer Personal Data only for the purposes described in this DPA and only in accordance with Customer's documented lawful instructions. The Agreement and this DPA constitute Customer's complete and final instructions to Uncanny Owl. Processing outside the scope of these instructions requires the parties' prior written agreement. If Uncanny Owl believes that an instruction infringes Data Protection Laws, it will inform Customer without undue delay.
4.4 Details of Processing
| Item | Details |
| --- | --- |
| Subject matter | Provision of the Services to Customer. |
| Duration | The term of the Agreement, plus the retention periods set out in §11 of this DPA and §9.2 of the Agreement. |
| Nature and purpose | Provision of the Uncanny Automator plugin, Uncanny Agent, and related Services, including AI-assisted automation, recipe configuration, integration with third-party services, and customer support. |
| Categories of Data Subjects | Customer's personnel and end users; individuals whose data is processed by Customer's Automator recipes or Uncanny Agent conversations; site visitors interacting with Customer's WordPress site through Automator. |
| Categories of Personal Data | Identification and contact data; account and authentication data; usage and configuration data; data passed through Automator recipes and Uncanny Agent Inputs and Outputs (the contents of which are determined by Customer); IP addresses and technical metadata. |
| Special-category data | Customer is responsible for not submitting special-category data (GDPR Art. 9) or sensitive personal information (CCPA) through the Services unless Customer has a lawful basis to do so. |
4.5 Uncanny Owl as Controller for Operational Data. Customer acknowledges that Uncanny Owl is a Controller (and not a Processor) of data relating to billing, account management, technical support, security monitoring, product development, and direct sales and marketing to Customer. Uncanny Owl Processes that data in accordance with its Privacy Policy.
4.6 AI Processing. Where Customer uses Uncanny Agent, Inputs and Outputs are Customer Personal Data and are subject to this DPA. Uncanny Agent's use of third-party AI subprocessors (Anthropic and Google Cloud Vertex AI) is subject to §5 (Subprocessors) and §9.2 of the Agreement, and is conducted under those providers' commercial enterprise terms (under which Inputs and Outputs are not used to train provider foundation models).
5. Subprocessors
5.1 General Authorization. Customer provides general authorization for Uncanny Owl to engage Subprocessors to Process Customer Personal Data, subject to this §5. The current list of Subprocessors is set out in Annex A and published at https://automatorplugin.com/subprocessors/.
5.2 Subprocessor Obligations. Uncanny Owl will: (a) enter into a written agreement with each Subprocessor imposing data-protection terms substantially equivalent to those in this DPA, including terms appropriate to the Subprocessor's role; and (b) remain liable to Customer for any acts or omissions of a Subprocessor that cause Uncanny Owl to breach this DPA.
5.3 Notice and Right to Object. Uncanny Owl will provide at least thirty (30) days' advance notice of the addition or replacement of any Subprocessor by updating the published Subprocessor list and, where Customer has subscribed to notifications, by email. Customer may object to a new Subprocessor on reasonable data-protection grounds within thirty (30) days of notice, by writing to [email protected]. If the parties cannot resolve the objection in good faith, Customer may, as its sole remedy, terminate the affected Service and receive a pro-rated refund of any prepaid, unused fees for that Service.
6. Security
6.1 Security Measures. Uncanny Owl will implement and maintain appropriate technical and organizational security measures designed to protect Customer Personal Data against Personal Data Breaches and to preserve its security and confidentiality, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing. The Security Measures are described in Annex B.
6.2 Confidentiality of Personnel. Uncanny Owl will ensure that any person authorized to Process Customer Personal Data is subject to an appropriate obligation of confidentiality.
6.3 Updates. Uncanny Owl may update or modify the Security Measures from time to time, provided that updates do not result in a material degradation of the security of the Services.
6.4 Customer Responsibilities. Customer is responsible for: (a) the secure use of the Services, including securing account credentials and License Keys; (b) the configuration and security of its WordPress site, including backups; and (c) the security and lawful use of any third-party services Customer connects to the Services.
7. Personal Data Breaches
7.1 Uncanny Owl will notify Customer of a Personal Data Breach affecting Customer Personal Data without undue delay after becoming aware of the Breach. The notice will include, to the extent reasonably available: (a) the nature of the Breach; (b) the categories and approximate number of Data Subjects and records affected; (c) likely consequences; (d) measures taken or proposed; and (e) a contact point for further information.
7.2 Uncanny Owl will reasonably cooperate with Customer in investigating and remediating a Personal Data Breach, including by providing additional information as it becomes available.
7.3 Uncanny Owl's notification of, or response to, a Personal Data Breach is not an acknowledgment of fault or liability.
8. Data Subject Rights and Cooperation
8.1 The Services provide Customer with controls to retrieve, correct, delete, restrict, or export Customer Personal Data, which Customer may use to assist it in responding to Data Subject requests.
8.2 To the extent Customer cannot independently fulfill a Data Subject request through the Services, Uncanny Owl will (at Customer's expense, save where the request relates to a Personal Data Breach caused by Uncanny Owl) provide reasonable cooperation to assist Customer in responding to the request.
8.3 If a Data Subject sends a request directly to Uncanny Owl relating to Customer Personal Data, Uncanny Owl will not respond directly (except to acknowledge receipt and direct the Data Subject to Customer) and will promptly forward the request to Customer, unless legally compelled to respond directly.
8.4 Uncanny Owl will, at Customer's expense, provide reasonably requested information to enable Customer to carry out data protection impact assessments and prior consultations with Supervisory Authorities required under Data Protection Laws.
9. Audits
9.1 Audit Reports. Upon Customer's reasonable written request and no more than once per year (except as required following a Personal Data Breach or by a Supervisory Authority), Uncanny Owl will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including any third-party audit reports or certifications Uncanny Owl maintains.
9.2 On-Site Audits. If audit reports are insufficient to demonstrate compliance, Customer may, at Customer's expense and on at least thirty (30) days' written notice, conduct an on-site audit of Uncanny Owl's processing operations relevant to this DPA. The audit will be conducted during normal business hours, in a manner that does not unreasonably disrupt Uncanny Owl's operations, and subject to confidentiality obligations.
9.3 Supervisory Authority Audits. Uncanny Owl will cooperate with audits or inspections required by a competent Supervisory Authority.
10. International Transfers
10.1 Transfer Mechanism. Where Uncanny Owl's Processing of Customer Personal Data involves a Restricted Transfer, the parties agree that the transfer is subject to:
- For transfers from the EEA: the Module Two (Controller-to-Processor) Standard Contractual Clauses, which are incorporated into this DPA by reference and completed in writing between the parties.
- For transfers from the United Kingdom: the UK Addendum, which is incorporated into this DPA by reference and completed in writing between the parties.
- For transfers from Switzerland: the Standard Contractual Clauses with the Switzerland-specific adjustments, completed in writing between the parties in accordance with guidance from the Swiss Federal Data Protection and Information Commissioner.
10.2 Transfer Impact. Uncanny Owl has assessed and will continue to assess, in light of the legal landscape of the destination country, whether the Standard Contractual Clauses (in conjunction with any supplementary measures Uncanny Owl has adopted) provide an essentially equivalent level of protection to that guaranteed under EU Data Protection Law. Uncanny Owl will reasonably cooperate with Customer in conducting Transfer Impact Assessments where required.
10.3 Alternative Transfer Mechanism. If Uncanny Owl adopts an alternative transfer mechanism recognized under applicable Data Protection Law (such as Binding Corporate Rules or a future adequacy decision), the alternative mechanism applies in place of the Standard Contractual Clauses to the extent it covers the relevant transfers.
11. Return or Deletion of Data
11.1 Upon termination or expiration of the Agreement, Uncanny Owl will (at Customer's election) delete or return to Customer all Customer Personal Data in its possession or control within ninety (90) days, except: (a) to the extent Uncanny Owl is required by applicable law to retain some or all of the Customer Personal Data; (b) Customer Personal Data archived on backup systems, which Uncanny Owl will isolate and protect from active Processing and delete in accordance with its standard backup-rotation schedule; and (c) the minimal records described in §9.2 of the Agreement.
11.2 Uncanny Agent Inputs and Outputs are also subject to the retention and deletion provisions of §9.2 of the Agreement.
12. General
12.1 Severability. If any provision of this DPA is held invalid or unenforceable, the remaining provisions remain in full force and effect.
12.2 Survival. §§ 7, 8, 9, 11, and 12 survive termination or expiration of this DPA.
12.3 Notices. Notices under this DPA must be sent to the contact addresses for legal notices set out in the Agreement, with a copy to [email protected].
Signatures
Uncanny Owl Inc.
By: ____
Name: Ken Young
Title: President and Co-founder
Date: ____
Customer
By: ____
Name: ____
Title: ____
Date: ____
Annex A — List of Subprocessors
Our current Subprocessors provide cloud hosting and storage; content delivery and edge security; AI model inference; payment processing; email delivery; analytics; and customer-support tooling. The current list is published at https://automatorplugin.com/subprocessors/.
Sometimes users connect third-party services ("Apps") to Uncanny Automator and Uncanny Agent and pass data to them. Data passed to those services is governed by the relevant service's own terms and privacy policy and is not within the scope of Uncanny Owl's Subprocessor obligations.
Annex B — Security Measures
The Security Measures applicable to the Services are described below and at https://automatorplugin.com/privacy-policy/, as updated from time to time in accordance with §6.3 of this DPA.
1. Information Security Program
Uncanny Owl maintains an information security program (including written policies and procedures) designed to: (a) help protect Customer Personal Data against accidental or unlawful loss, access, or disclosure; (b) identify reasonably foreseeable internal and external risks to security; and (c) minimize security risks through risk assessment and regular testing. Uncanny Owl designates one or more employees to coordinate and be accountable for the program.
2. Network and Application Security
Uncanny Owl maintains access controls and policies governing access to its production infrastructure, including: firewalls or functionally equivalent technology; authentication and authorization controls (including, where appropriate, multi-factor authentication); encryption of Customer Personal Data in transit using industry-standard protocols (TLS 1.2 or higher); and encryption at rest where supported by the underlying infrastructure provider.
3. Physical Security
Production infrastructure is hosted by reputable cloud infrastructure providers that maintain physical-security controls including barrier controls, access logs, video surveillance, and intrusion detection appropriate to commercial data-center environments.
4. Personnel
Uncanny Owl provides access to Customer Personal Data only to personnel with a legitimate business need. Access is revoked promptly when no longer needed. Personnel are subject to confidentiality obligations and receive periodic security awareness training.
5. Incident Response
Uncanny Owl maintains incident-response and corrective-action plans, including the breach-notification commitments set out in §7 of this DPA.
6. Continued Evaluation
Uncanny Owl periodically reviews the security of its infrastructure and the adequacy of its information security program against industry security standards and updates the program as needed.
Document version: 2026-04-28 (revised draft, supersedes 2021-08-09)