Data Processing Agreement (DPA)
DATA PROCESSING AGREEMENT (DPA)
Last updated: October 10, 2025
Owner: World Delete LLC
FEI/EIN: 30-1251788
Registered address: 4300 Biscayne Blvd, Suite 203, Miami, FL 33137, USA
Contact email: [email protected]
1. Subject matter and purpose
This Data Processing Agreement (hereinafter, the "Agreement" or "DPA") governs the processing of personal data that World Delete LLC (hereinafter, the "Processor") carries out on behalf of the Client (hereinafter, the "Controller") during the provision of the contracted services, in accordance with the provisions of Regulation (EU) 2016/679 (GDPR) and the Florida Digital Privacy Act (FDPA). The Processor undertakes to process personal data only in accordance with the Controller's documented instructions and for the performance of the main contract for digital reputation, content removal and data protection services.
2. Duration
This Agreement shall remain in force for as long as there is processing of personal data arising from the contractual relationship between the parties.
Once said relationship has ended, the data will be returned or deleted as established in section 10 of this Agreement.
3. Nature and type of data processed
The processing may include the following categories:
- Identifying data: first name, surname, address, telephone, email, identity document.
- Financial or billing data: banking or payment information.
- Digital reputation data: links, articles, URLs or online publications linked to the client.
- Technical data: IP addresses, metadata or access logs.
- KYC/AML verification data: facial images and official documents.
4. Obligations of the Processor (World Delete)
World Delete undertakes to:
- Process personal data only in accordance with the documented instructions of the Controller.
- Ensure that the personnel authorized to process data are subject to contractual confidentiality.
- Implement appropriate technical and organizational measures in accordance with ISO 27001:2022 and ISO 9001:2015, to ensure the security, integrity and availability of the data.
- Assist the Controller in handling data subject rights requests (access, rectification, erasure, objection, restriction or portability).
- Notify without undue delay any security breach of personal data and cooperate in its mitigation.
- Not transfer personal data to third parties or sub-processors without the prior authorization of the Controller, except for essential legal or technical reasons.
- Maintain an up-to-date record of processing activities, available for inspection by the competent authorities.
5. Authorized sub-processors
The Controller expressly authorizes the Processor to engage the following sub-processors, solely for technical or operational purposes:
Provider / Sub-processor | Purpose of processing | Location / Privacy policy |
Amazon Web Services (AWS) | Cloud infrastructure and storage. | https://aws.amazon.com/privacy/ |
Contabo GmbH | Secondary hosting and backups. | |
Cloudflare, Inc. | Security, DDoS mitigation and CDN. | https://www.cloudflare.com/privacypolicy/ |
Microsoft Corporation | Analytics tools (Clarity) and reputational AI systems. | https://privacy.microsoft.com |
Google LLC | Web analytics, Tag Manager, performance and advertising. | https://policies.google.com/privacy |
Automattic Inc. (WordPress) | CMS, plugins and forms. | https://automattic.com/privacy/ |
Markets Prolive 360, S.L. (Didit.me) | KYC/AML verification and identity validation. | https://didit.me/privacy-policy |
World Delete will ensure that all sub-processors comply with obligations equivalent to those established in this DPA.
6. International data transfers
Any transfer outside the European Economic Area will be carried out under the Standard Contractual Clauses (SCCs) approved by the European Commission or equivalent adequacy mechanisms. In the case of providers established in the USA, adherence to the EU-US Data Privacy Framework will be verified, where applicable.
7. Security measures
World Delete applies technical and organizational security measures based on its ISO 27001 and ISO 9001 certifications, including:
- Encryption of data in transit and at rest (TLS 1.3 / AES-256).
- Access control and multi-factor authentication.
- Encrypted and redundant backups.
- Internal audits and penetration testing (Netitude).
- Logging and monitoring of access to critical systems.
8. Assistance to the Controller
World Delete will assist the Controller with:
- Notifications of security breaches.
- Impact assessments (DPIA).
- Compliance with audits or regulatory requirements.
The costs arising from extraordinary requests or those outside the contractual scope may be invoiced subject to the written approval of the Controller.
9. Audits and verifications
The Controller may request a documentary verification or audit of the technical and organizational measures adopted. World Delete may provide its ISO certifications, Netitude reports or compliance documentation as sufficient evidence. On-site audits will require prior coordination with at least 30 days' notice and must be carried out without interfering with security operations.
10. Return or deletion of data
Once the contractual relationship has ended, World Delete will proceed, as instructed by the Controller, to:
- Delete all personal data processed, or
- Return it securely in a structured and readable format.
Deletion will be carried out by means of certified secure erasure (3-pass wipe) in accordance with ISO 27040, keeping documentary evidence of the operation.
11. Confidentiality
All information, documentation or data to which World Delete has access will be considered confidential. The Processor will ensure that all its personnel and sub-processors maintain professional secrecy duties indefinitely, even after the termination of the contract.
12. Applicable law and jurisdiction
This Agreement will be governed by the laws of the State of Florida (USA), without prejudice to the mandatory rules of Regulation (EU) 2016/679 (GDPR). The parties submit to the courts of Miami-Dade County, Florida, waiving any other venue. In the event of a conflict of interpretation, the English version of the document shall prevail.
