WSO2 Data Processing Agreement

Last updated date: March 31, 2026

Purpose

  • This Data Processing Agreement (“DPA”) governs WSO2’s processing of Personal Data on behalf of the Subscriber in connection with the Products under the Agreement.
  • WSO2 will process Personal Data only to the extent necessary for providing the Products, in accordance with the Agreement and this DPA.
  • The Subscriber acts as the Controller, and WSO2 will be the Controller or the Processor as explained in Annex A.
  • The WSO2 Privacy Policy (https://wso2.com/privacy-policy) applies and is incorporated by reference.

Any notice served by a Party pursuant to this DPA shall be served in accordance with the procedure mentioned in the Agreement.  

Subscribers are required to send their queries regarding data protection by email to [email protected].

1. Definitions

In this DPA, unless otherwise defined in the Agreement, the following terms have the meanings below:

  • "Agreement" shall mean the agreement and/or any order forms or SOWs executed or accepted by the Subscriber for the Products subscribed by the Subscriber from WSO2.
  • "Product" shall mean the WSO2 products and services subscribed by the Customer under the Agreement.
  • "Subprocessor" means any third party engaged by WSO2 in its capacity as a Processor to process Personal Data on behalf of the Subscriber for the purposes of delivering the Products purchased by the Subscriber, excluding WSO2 employees.
  • "Applicable Laws" means the laws and regulations applicable to the processing of Personal Data, as mentioned in Annex B.
  • "Standard Contractual Clauses" or "SCCs" means the European Commission’s standard contractual clauses for data transfers (as updated from time to time) when used as an appropriate safeguard as mentioned in Annex B.
  • "EU-U.S. Data Privacy Framework" (DPF) means the framework under which WSO2 is certified to transfer Personal Data from the European Union, the UK and Switzerland to the U.S.
  • Controller, Data Subject, Personal Data, Processing, Processor and Special Categories of Personal Data shall have the same meaning as in the Applicable Laws (or where not defined in Applicable Laws, shall have the meaning as in the EU GDPR), and in each case construed accordingly.
  • "EU GDPR" means the European Union Regulation 2016/679 and includes any relevant implementing measure in each relevant Member State.
  • “Security Breach” means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed which relates to the Subscriber.

2. Role and Scope

The Subscriber remains the Controller of their Personal Data. WSO2 will be the Processor when Processing the Subscriber’s Personal Data for the Products purchased under the Agreement. However, WSO2 will be the Controller in relation to operational matters such as account management, fraud detection, security screenings, and marketing activities, as detailed in Annex B.

Each Party will comply with the Applicable Laws binding on it in the performance of this DPA.

3. Subscriber Instructions

Where WSO2 is the Processor, WSO2 shall Process Personal Data:

  • only in accordance with the Subscriber’s documented instructions, this DPA, and Applicable Law; and
  • WSO2 shall, without undue delay, notify the Subscriber if WSO2 becomes aware that any instruction of the Subscriber appears unlawful.

Additional processing requirements requested by the Subscriber must be mutually agreed in writing and may incur additional costs. WSO2 will cooperate with the Subscriber to erase or rectify inaccurate or outdated Subscriber data transferred to WSO2 by providing the service controls that the Subscriber can use to erase or rectify Subscriber Personal Data. Otherwise, the Subscriber shall write to [email protected] and request the change, for the service that they have obtained.

In the event that WSO2 is acting as the Processor, the Subscriber bears sole responsibility for the accuracy, quality, and legality of Subscriber Personal Data and for ensuring that its collection complies with Applicable Laws. The Subscriber specifically acknowledges and agrees that its use of the WSO2 Products will not violate the rights of any Data Subject, including those who have opted out from sales or other disclosures of Subscriber Personal Data, to the extent applicable under the Applicable Laws. In the event WSO2 is the Controller, WSO2 will implement reasonable measures to ensure that the Personal Data provided by the Data Subject is accurate. This shall include the option for the Data Subject to review and correct their Personal Data through the Service portal or by getting in touch with WSO2.

4. WSO2 Personnel and Data Protection Officer

WSO2 Personnel. WSO2 will ensure that its personnel engaged in the Processing of Subscriber Personal Data are informed of the confidential nature of the Subscriber Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. WSO2 will also: (a) take commercially reasonable steps to ensure the reliability of any WSO2 personnel engaged in the processing of Subscriber Personal Data; and (b) ensure that WSO2’s access to Subscriber Personal Data is limited to those personnel performing the services in accordance with the Agreement.

Data Protection Officer. WSO2 has appointed a data protection officer, who may be reached at [email protected].

5. Sub-Processing

5.1. Authorized Sub-Processors

WSO2 may engage Subprocessors to carry out the processing of Personal Data. The Subscriber provides general authorization for WSO2’s use of the Subprocessors listed in the Privacy Policy, in accordance with this Section.

5.2. Changes to the Sub-Processor List

In the event WSO2 wishes to add or replace a Subprocessor, WSO2 must notify the Data Controller 30 days in advance of such changes. The Subscriber will have 14 days to raise any concerns prior to the changes to Subprocessors. If the Subscriber objects (for legitimate reasons), the Parties shall negotiate in good faith to resolve any concerns. If the Subscriber does not raise any objections within the said 14 days, it will be deemed that the Subscriber has no concerns with the changes. Prior to any data processing, WSO2 will enter into a written agreement with the Subprocessor.

5.3. Liability

WSO2 remains liable for the acts and omissions of its Subprocessors to the same extent as if it had done the acts / omissions itself.

5.4. Sub-processor Obligations

When engaging Subprocessors, WSO2 shall impose on them contractual obligations at least as protective as those in this DPA, including confidentiality, security, and data subject rights obligations. WSO2 will restrict the Subprocessor’s access to the Subscriber’s Personal Data to only what is necessary to provide or maintain the Products in accordance with the scope of services agreed under the Agreement, and WSO2 will prohibit the Subprocessor from accessing or sharing Subscriber Personal Data for any other purpose, subject to any disclosures to a regulatory body.

6. Cross-Border Transfers

WSO2 may transfer Personal Data internationally. Transfers are performed only under safeguards described in Annex B.

7. Data Subject Rights

7.1. Data Subject Rights

WSO2 ensures that Data Subjects may exercise their rights under Applicable Laws, including the rights of access, rectification, erasure, restriction of processing, data portability, and objection. WSO2 shall handle such requests in a timely and transparent manner, in accordance with the timelines and procedures prescribed by Applicable Law. If a Data Subject request is made by any party other than the Subscriber, it will be redirected to the Subscriber, except for requests originating from regulators or government authorities where WSO2 is not permitted by law to redirect the request to the Subscriber.

WSO2 maintains a defined process to facilitate the exercise of Data Subject Rights in accordance with Applicable Laws. Requests relating to access, correction, deletion, restriction, or data portability may be submitted via WSO2's official Data Privacy Protection Request form at Data Privacy Protection Request.

The Subscriber shall reimburse WSO2 for reasonable costs and expenses incurred in providing assistance, but only where such requests are manifestly unfounded or excessive (including due to their repetitive nature).

8. Breach Notification & Incident Response

8.1. Notification Obligations

  • WSO2 shall notify the Subscriber without undue delay after becoming aware of a Security Breach.
  • WSO2 shall provide the Subscriber with the relevant details (scope, categories of data, likely consequences, mitigation measures) related to the Security Breach.
  • WSO2 shall cooperate with the Subscriber, to the extent mutually agreed between the Parties, during the investigation and remediation.
  • For SaaS products, WSO2 aligns with its published Security Incident Notification Process for SaaS.

WSO2 will make reasonable efforts to identify the cause of such Security Breach and take those steps that WSO2 deems necessary and reasonable in order to remediate the cause of such Security Breach, to the extent the remediation is within WSO2's reasonable control. The obligations herein will not apply to Security Breaches that are caused by the Subscriber, the Subscriber's Users or any other associate of the Subscriber.

8.2. Communication

Notifications may be delivered to the security contact point of the Subscriber mentioned in the Agreement. It is the responsibility of recipients (such as Subscribers, partners, or designated contacts) to ensure that WSO2 has up-to-date and accurate contact details to facilitate timely notification and secure communication.

9. Customer Audit Rights

9.1. Privacy Impact Assessments

Taking into account the nature of the Processing and the information available to WSO2, WSO2 will provide reasonable assistance to Subscribers in fulfilling their obligations under Applicable Laws. Such assistance shall be limited to information published on WSO2's website and publicly available documentation.

9.2. Customer Audits

WSO2 shall, upon the Subscriber’s written request and with reasonable prior notice, permit the Subscriber to review WSO2’s processes, policies and certifications. Any such review shall be subject to the Parties’ prior written agreement on the scope, duration, frequency and any applicable costs.

10. Deletion of Personal Data

Upon expiration or termination of the Agreement, Personal Data shall be handled as follows:

  • Support Services: In accordance with the WSO2 Support Services Policy.
  • SaaS Services: In accordance with the terms of the applicable SaaS Agreement.

In addition, upon documented instruction from the Subscriber, WSO2 shall promptly and securely delete the relevant Personal Data in accordance with the Subscriber’s request and Applicable Laws.

11. Termination of the DPA

This DPA remains in effect until the termination of the Agreement (the “Termination Date”).

12. Entire Agreement; Conflict

Except as amended by this DPA, the Agreement remains in full force and effect. Each Party’s liability and indemnity under this DPA is subject to the Agreement. In case of conflict between the Agreement and this DPA, the terms of this DPA will prevail in relation to any data privacy matters unless otherwise stated herein. The DPA shall be governed by the same law as the Agreement.

13. Changes & Amendments

WSO2 shall notify the Subscriber of any proposed amendments to this DPA by written notice to the Subscriber’s designated security contact as specified in the Agreement, no later than ten (10) working days prior to the proposed effective date of such amendments.

Any objections to the changes will need to be raised within the ten (10) working days. The Parties shall, in good faith, discuss and seek to resolve Subscriber’s objections prior to the effective date of the proposed amendments. If objections are not raised within the said period, the changes will take effect on the said effective date.

14. Reference to Privacy Policy

For further information on how WSO2 handles Personal Data, including transfers, processing, and data protection measures, see the WSO2 Privacy Policy.

Annex A - WSO2 Role as Controller or Processor

The Subscriber will be the Controller of the Personal Data which is shared with WSO2 for the purposes of support and other operational functions for which WSO2 Processes such Personal Data in relation to the Products purchased by the Subscriber.

WSO2 as a Processor

Accountability

WSO2 processes Personal Data only in accordance with the documented instructions of the Subscriber and implements the appropriate technical and organisational measures mentioned herein to protect the data. WSO2 is responsible for maintaining the security and confidentiality of the Personal Data it processes.

On-Premises Services

For on-premises deployments, WSO2 does not access or Process Subscriber Personal Data hosted within the Subscriber’s environment and therefore WSO2 will not have access to such deployments or data hosted in those deployments. WSO2 may Process limited Personal Data as stated below strictly for support service purposes.

SaaS Services

For SaaS offerings, WSO2 acts as the Processor with respect to end-user Personal Data that the Subscriber chooses to upload, store, or otherwise Process within WSO2-managed infrastructure. The scope and nature of such Processing depend on the data submitted by the Subscriber through the subscribed services.

In addition, WSO2 Processes Subscriber contact details and related information for billing, and service delivery purposes.

Retention Period

As set out in Section 10.

Details of Data Processing

Duration

The duration of the Processing is determined by the Subscriber’s requirements and shall continue for as long as the Products are provided to the Subscriber.

Nature of Processing

Processing activities may include hosting, storage, computing, transmission, analytics, and related support services as described in applicable product documentation and service descriptions.

Type of Subscriber Personal Data

Subscriber Personal Data may include:

  • Personal Data uploaded to the Products subscribed by the Subscriber under the Agreement
  • Personal Data submitted to, collected by, or transiting through the Products in connection with the Subscriber's use of the Products, which may include: API consumer identifiers (such as IP addresses, API keys, and authentication tokens); HTTP request and response metadata; API request and response body content; prompt content and AI model responses (where AI Gateway functionality is used); geolocation data; device and browser identifiers; and usage and behavioural data associated with identifiable API consumers
  • Billing contact details

Categories of Data Subjects

Data subjects may include:

  • Subscriber’s employees or authorised third parties who are registered for WSO2:
    • support accounts
    • SaaS Services
  • End users of the Subscriber’s applications, APIs, and digital services whose API traffic, requests, or interactions are processed through, routed by, or analysed by the Products;
  • Developers who access the Subscriber’s applications, APIs, and digital services through WSO2-managed developer portals or subscription mechanisms; and
  • Other types of Personal Data made available by the Subscriber. It is the Subscriber’s responsibility to sanitise, and apply the necessary controls to, the data which it makes available.

WSO2 as a Controller

Accountability: WSO2 determines the purposes and means of Processing Personal Data and ensures that such Processing complies with the requirements of the Applicable Laws. WSO2 implements appropriate technical and organisational measures to protect Personal Data and ensures that any service providers involved in supporting the service Process Personal Data in line with Applicable Laws.

Purposes: WSO2 acts as an independent Controller where WSO2 collects and stores Personal Data of the Subscriber’s employees for the purposes of:

  • Account management for pre-sales and post-sales
  • Security monitoring and fraud prevention activities (including IP-based screening and compliance-related checks)
  • Financial and corporate processes such as auditing, accounting, regulatory reporting and legal purposes
  • Marketing activities, including campaigns, webinars, and conferences

These activities are further detailed in the WSO2 Privacy Policy.

Retention Period

As set out in Section 10.

Details of Data Processing

Duration

The duration of the Processing is determined by the Subscriber’s requirements, and the Personal Data shall be retained in accordance with WSO2’s retention periods and any statutory retention periods.

Nature of Processing

Processing activities may include hosting, storage, computing and transmission.

Type of Subscriber Personal Data

Subscriber Personal Data may include:

  • Contractual contact details
  • Account and authentication information required for access to WSO2 services

Categories of Data Subjects

Data Subjects may include:

  • Subscriber’s employees

Data Classification

Data Processed may fall within WSO2’s internal data classification framework, aligned with applicable legal and regulatory requirements, including:

  • Sensitive Information: Data requiring heightened protection, such as health information, financial data, authentication credentials, or other data classified as sensitive under applicable law.
  • Personally Identifiable Information (PII): Information that directly or indirectly identifies an individual, including names, email addresses, contact details, and identification numbers.

Security Measures

WSO2 shall implement appropriate technical and organizational measures to safeguard all categories of data in accordance with its Data Protection and Information Security Processes at https://security.docs.wso2.com/en/latest/security-processes and Annex C.

Processing Regions

Subscribers may specify the location(s) where WSO2 will process their Personal Data. Once a region is selected, WSO2 will not transfer Subscriber’s Personal Data outside the chosen region(s) except:

  • as reasonably necessary to perform and fulfil the Products requested by the Subscriber, which may involve the engagement of a Subprocessor, or
  • to comply with Applicable Law or a valid and binding order of a governmental authority.

Annex B - Applicable Regulations

Please refer to WSO2 Regional privacy laws for further information.

Annex C: Security, Confidentiality, and Technical & Organizational Measures

Confidentiality

WSO2 will ensure that only authorized personnel who need access to the Personal Data for the purposes of the Agreement may access it, and that these persons are under obligations of confidentiality. In the event that WSO2 receives a lawful request for disclosure of Personal Data from a governmental or regulatory authority, WSO2 shall, to the extent legally permissible:

  1. Referral to Customer: Where WSO2 has the technical or operational capacity to facilitate direct engagement, WSO2 will connect the requesting authority with the Customer to obtain the required information directly.
  2. Prior Notification: If direct referral is not feasible but sufficient time is available, WSO2 will notify the Customer prior to disclosing any Personal Data, to allow the Customer an opportunity to review or object to the disclosure where permitted by law.
  3. Immediate Disclosure: Where WSO2 is under a regulatory obligation to disclose information without delay, WSO2 will provide the requested information to the governmental entity and promptly notify the Customer of such disclosure, unless prohibited by law.

These measures ensure that disclosures to regulators are handled transparently, proportionately, and in line with WSO2’s data protection and confidentiality obligations.

Security Measures

WSO2 maintains appropriate technical and organizational measures to protect the confidentiality, integrity, and availability of the Personal Data, taking into account the risks.

The WSO2 Security Process is detailed in the Security Processes and Programs Overview, and WSO2’s organizational and technical security measures for protecting customer data are outlined in Security and Compliance.

For managed cloud services, additional measures related to infrastructure, encryption, and access controls are detailed in the WSO2 Managed Cloud Security Policy.

Evaluation & Updates

WSO2 reviews and updates its security measures periodically, and ensures security measures keep pace with industry standards.

Annex D - Important Referrals on Data Protection at WSO2

Link: Purpose

  • WSO2 Privacy Policy: Provides the overarching data-privacy obligations of WSO2.
  • Data Privacy Protection Request: Addresses how data subjects or customers can exercise their rights (access, erasure, etc.).
  • Security & Compliance Overview: Shows WSO2’s technical and organizational measures.
  • Managed Cloud Security Policy: More detailed security policy specific to WSO2’s Cloud offerings.
  • GDPR Compliance / Regulatory Compliance page: Shows how WSO2 addresses GDPR-specific obligations.
  • Public Cloud Data Protection FAQ: Contains processing roles (controller vs. processor) and data residency details.