This Data Processing Agreement ("DPA") supplements the Cloud Service Agreement or other agreement between Customer and WHYUSER, INC ("Provider") governing Customer's use of the Service (the "Agreement").
This DPA incorporates by reference the Common Paper DPA Standard Terms Version 1.1 ("DPA Standard Terms"). If there is any inconsistency between this page and the DPA Standard Terms, the terms on this page will control.
For enterprise engagements, WhyUser also offers a custom-negotiated Data Processing Addendum in the Bonterms framework (Bonterms DPA v1.0). Where a Bonterms DPA is executed between Customer and Provider, that DPA supersedes this public baseline DPA for the engagement between those parties.
| Service Provider Relationship | To the extent California Consumer Privacy Act, Cal. Civ. Code ยง 1798.100 et seq ("CCPA") applies, the parties acknowledge and agree that Provider is a service provider and is receiving Personal Data from Customer to provide the Service as agreed in the Agreement and detailed below (see Nature and Purpose of Processing), which constitutes a limited and specified business purpose. Provider will not sell or share any Personal Data provided by Customer under the Agreement. In addition, Provider will not retain, use, or disclose any Personal Data provided by Customer under the Agreement except as necessary for providing the Service for Customer, as stated in the Agreement, or as permitted by Applicable Data Protection Laws. Provider certifies that it understands the restrictions of this paragraph and will comply with all Applicable Data Protection Laws. Provider will notify Customer if it can no longer meet its obligations under the CCPA. |
|---|---|
| Provider Security Contact | security@whyuser.com |
| Governing Member State | EEA Transfers: Netherlands UK Transfers: England and Wales |
| Name | Location | Processing Task |
|---|---|---|
| Amazon Web Services, Inc. (AWS) | USA (us-west-2, us-east-1) | Cloud infrastructure (AWS Lightsail compute, AWS S3 storage) and encrypted data storage. |
| OpenAI, L.L.C. | USA | Provides foundational LLM processing via API for generating simulations. Data processed via API is not used for base model training and is subject to zero-day retention. |
| Google LLC | USA | Provides foundational LLM processing (Gemini) via API for generating simulations. Data processed via API is not used for base model training and is subject to zero-day retention. |
| Anthropic PBC | USA | Provides foundational LLM processing (Claude) via API for generating simulations. Data processed via API is not used for base model training and is subject to zero-day retention. |
| Service | WhyUser GTM Simulation Platform. A staging environment for B2B revenue teams to simulate End-Customer Buying Committee behavior on marketing assets and sales transcripts. |
|---|---|
| Categories of Data Subjects | Customer's end users or customers Customer's employees |
| Categories of Personal Data | Name Contact information such as email, phone number, or address Professional or biographic information such as resume or CV. Note: All transcripts are programmatically redacted for PII at the ingestion layer (in volatile memory) prior to simulation processing. |
| Special Category Data | No |
| Frequency of Transfer | Continuous |
| Nature and Purpose of Processing | Receiving data, including collection, accessing, retrieval, recording, and data entry. Holding data, including storage, organization, and structuring. Using data, including analysis, consultation, testing, automated decision making, and profiling. |
| Duration of Processing | Provider will process Customer Personal Data as long as required (i) to conduct the Processing activities instructed in Section 2.2(a)-(d) of the Standard Terms; or (ii) by Applicable Laws. Raw customer data is processed ephemerally in volatile memory and never persisted to disk. Anonymized, extracted signals are retained for the duration of the Agreement plus up to 30 days. |
Provider will use commercially reasonable efforts to secure the Cloud Service from unauthorized access, alteration, or use and other unlawful tampering. A full description is published at whyuser.com/security.
All Personal Data is pseudonymized via programmatic PII redaction at the edge before being processed by simulation engines. Technical market signals are decoupled from individual identities, ensuring that simulation agents operate on anonymized intent vectors rather than raw personal data.
All data transmitted between the Customer environment and the WhyUser platform is encrypted using industry-standard Transport Layer Security (TLS 1.2 or higher). TLS is terminated at our edge reverse proxy. Secure API tunnels are used for all third-party integrations (e.g., Gong, Chorus). Outbound calls to LLM subprocessors use TLS 1.2+.
Raw sales transcripts and audio are never persisted to disk; these are processed in volatile memory and immediately purged following signal extraction. Anonymized, extracted signals and simulation outputs are persisted to AWS S3 with Server-Side Encryption using AES-256 (SSE-S3). S3 Block Public Access is enabled at the account and per-bucket level. Compute-instance block storage is encrypted.
WhyUser's platform is multi-tenant. Each Customer is assigned a unique tenant identifier (prefix "t-"); all
per-Customer data resides exclusively under that Customer's dedicated S3 prefix
(s3://bucket/t-{tenant_id}/) and is never co-mingled with other Customers' data. Application-level
scoping and IAM policies prevent cross-tenant access.
Least-privilege IAM is used for all application and human access to AWS resources. Multi-factor authentication is required for the AWS root account and all IAM console users. Administrative SSH access to compute instances requires key-based authentication; password authentication is disabled. Instance firewalls restrict inbound traffic to required ports only.
WhyUser employs an 'Extraction-Only' philosophy. Our ingestion engine surgically isolates only the specific business pain points, objections, and roles required for simulation calibration. All non-essential data, including names, contact details, and unrelated conversational filler, is programmatically discarded before the data enters our Context Graph.
Provider will notify Customer of any confirmed Personal Data Breach affecting Customer's data without undue delay, and in any event within 72 hours of confirming the breach. Notifications will be sent to Customer's designated security contact and will include the nature of the breach, likely consequences, mitigation measures taken, and a point of contact, to the extent known at the time. Disclosure is subject only to delays specifically required by law enforcement or legal process.
Provider uses continuous automated external vulnerability scanning (Intruder.io, integrated with Vanta) and GitHub Dependabot for dependency monitoring. Remediation targets: critical findings addressed as soon as practicable; high-severity findings within 30 days; medium within 90 days. An independent third-party manual penetration test is planned prior to General Availability.