Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of, and is incorporated into, the Wonderthrough Terms of Service (the “Agreement”) between Wonderthrough, Inc., a Delaware corporation (“Wonderthrough” or “Processor”) and the customer identified in the signature block below (“Customer” or “Controller”). By executing this DPA, the parties agree that Wonderthrough will Process Personal Data on behalf of the Controller in connection with the Services, subject to the terms set out below.
This DPA applies only where the Controller uses the Services on behalf of end users whose Personal Data the Controller is responsible for under applicable Data Protection Laws. Where an individual uses the Services solely for their own personal creative work, this DPA does not apply and the Terms of Service and Privacy Policy govern the relationship directly.
In the event of any conflict between this DPA and the Agreement with respect to the Processing of Personal Data, this DPA controls.
1. Definitions
Capitalized terms used but not defined in this DPA have the meanings given in the Agreement. The following definitions apply:
- “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing” (and its cognates), “Personal Data Breach”, and “Sub-processor” have the meanings given in Article 4 of the GDPR, or the equivalent meanings under other applicable Data Protection Laws. In this DPA, “Personal Data” refers specifically to Personal Data that Wonderthrough Processes on behalf of the Controller under the Agreement.
- “Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under this DPA, including, where applicable: (a) Regulation (EU) 2016/679 (the “GDPR”); (b) the United Kingdom General Data Protection Regulation and the UK Data Protection Act 2018 (together, “UK GDPR”); (c) the Swiss Federal Act on Data Protection; (d) the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”); and (e) any other applicable privacy or data protection law in any jurisdiction where the Services are provided or where Data Subjects are located. Terms such as “Business”, “Service Provider”, “Consumer”, “Sale”, and “Sharing” used in connection with the CCPA/CPRA have the meanings given in that law.
- “EEA” means the European Economic Area.
- “Privacy Policy” means Wonderthrough’s then-current privacy policy, published at
https://wonderthrough.com/legal/privacy. - “Services” means the Wonderthrough creative writing product and related services provided by Wonderthrough to the Controller under the Agreement, including the desktop application, web application, supporting backend services, and any AI-assisted features.
- “Standard Contractual Clauses” or “SCCs” means the Standard Contractual Clauses approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, available at
https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj. - “Sub-processor List” means the then-current list of authorized Sub-processors published at
https://wonderthrough.com/legal/sub-processorsand summarized in Appendix A. - “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office under section 119A of the UK Data Protection Act 2018, as amended or replaced from time to time.
2. Scope and Roles
2.1 Roles of the parties
With respect to Personal Data Processed under this DPA, the Controller is the controller (or, where applicable, the business) and Wonderthrough is the processor (or, where applicable, the service provider). Each party will comply with its respective obligations under applicable Data Protection Laws.
2.2 Subject matter, duration, and purpose
The subject matter of the Processing is the provision of the Services to the Controller and its authorized end users. This DPA applies for the term of the Agreement and for any period thereafter during which Wonderthrough continues to Process Personal Data on behalf of the Controller, subject to the retention and deletion terms in Section 3.8.
Wonderthrough Processes Personal Data in order to: (a) provide, maintain, and improve the Services; (b) operate AI-assisted writing and analysis pipelines on the Controller’s instructions; (c) administer accounts, authentication, subscriptions, and billing; (d) deliver service-related communications; (e) provide support; (f) detect and prevent fraud, abuse, and security incidents; and (g) comply with legal obligations.
2.3 Categories of Personal Data and Data Subjects
The categories of Personal Data Processed under this DPA are summarized in Appendix C. The Data Subjects are the Controller’s authorized end users of the Services, who may include (depending on the Controller’s use case) students, staff, writers, editors, workshop participants, or other individuals whose Personal Data the Controller makes available to Wonderthrough through use of the Services.
3. Processor Obligations (GDPR Article 28)
3.1 Processing on documented instructions
Wonderthrough will Process Personal Data only on the documented instructions of the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do otherwise by applicable law. The Controller’s instructions for the Processing of Personal Data are set out in the Agreement, this DPA, the Privacy Policy, and any additional written instructions the Controller provides from time to time in connection with the Controller’s use of the Services.
Wonderthrough will inform the Controller if, in Wonderthrough’s opinion, an instruction infringes applicable Data Protection Laws. Wonderthrough will not be required to comply with an instruction that is unlawful or materially changes the scope of the Services.
Wonderthrough will not:
- Sell Personal Data or Share Personal Data for cross-context behavioral advertising (as those terms are defined under the CCPA/CPRA);
- Retain, use, or disclose Personal Data for any purpose other than the specific purpose of performing the Services and as otherwise permitted by the Agreement, this DPA, and applicable Data Protection Laws;
- Retain, use, or disclose Personal Data outside of the direct business relationship between the parties, except as permitted by applicable Data Protection Laws; or
- Combine Personal Data received from the Controller with Personal Data received from or on behalf of another person, except as permitted by applicable Data Protection Laws.
3.2 Content ownership and AI training
Consistent with the Agreement, the Controller and its Data Subjects retain all rights to the content they create using the Services, including manuscript text, worldbuilding data, entity profiles, notes, scene metadata, and any analysis outputs generated by Wonderthrough’s AI pipelines. Wonderthrough claims no ownership of Controller content.
Wonderthrough does not use Controller content to train artificial intelligence models, and does not authorize its Sub-processors to use Controller content to train artificial intelligence models. Wonderthrough’s current AI provider Sub-processors (Anthropic, OpenAI, and Google, as listed in Appendix A) do not train on API-submitted content under the commercial terms Wonderthrough has accepted with each of them. Wonderthrough will notify the Controller in accordance with Section 3.4 before engaging any new Sub-processor whose terms would permit such training.
Wonderthrough does not sell Personal Data and does not Share Personal Data for cross-context behavioral advertising.
3.3 Confidentiality
Wonderthrough will ensure that all personnel authorized to Process Personal Data are bound by appropriate obligations of confidentiality, whether through written employment agreements, contractor agreements, or other enforceable confidentiality commitments. Access to Personal Data is limited to personnel and contractors who need access in order to perform their role in providing or supporting the Services.
3.4 Security measures
Taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, Wonderthrough will implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with GDPR Article 32. Wonderthrough’s current measures include:
- Encryption. All client-to-server and server-to-Sub-processor communication is protected by HTTPS/TLS. Server-side databases are encrypted at rest using the infrastructure Sub-processor’s default encryption. Bring-your-own AI provider API keys, where stored on Wonderthrough’s servers, are additionally encrypted at rest using AES-256-GCM with a server-held encryption key, and are never transmitted from the server to a Data Subject’s device in decrypted form. Locally-cached entitlement state in the Wonderthrough desktop application, and any locally-stored BYO API keys on the desktop, are encrypted using
safeStoragebacked by the operating system’s platform keychain (macOS Keychain, Windows DPAPI, or Linux libsecret). Passwords are hashed and salted by the authentication Sub-processor and never received in plaintext by Wonderthrough. - Access controls. Production database access is protected by row-level security policies, service-role credentials are held in restricted environment configurations, and administrative actions are recorded in an audit trail. Access to Personal Data is limited to personnel whose role requires it.
- Content transit minimization. Wonderthrough’s AI proxy component Processes pipeline requests in memory without persisting the request or response body. Server-side usage logs capture billing and reliability metadata only; manuscript prose is not stored in server-side analytics tables.
- No content scanning. Wonderthrough does not scan, read, or automatically review private user content for any purpose, including content moderation. This is a deliberate product commitment reflected in Wonderthrough’s Acceptable Use Policy.
- Incident response. Wonderthrough maintains written incident-response procedures and will notify the Controller of Personal Data Breaches in accordance with Section 5.
- Personnel practices. All personnel and contractors with access to Personal Data are bound by confidentiality obligations and receive guidance on handling Controller data.
A fuller statement of technical and organizational measures, sufficient to satisfy Annex II of the Standard Contractual Clauses, is set out in Appendix B.
Wonderthrough does not currently hold SOC 2, ISO/IEC 27001, HIPAA, FedRAMP, or equivalent third-party certifications. On written request, and no more than once per calendar year except where more frequent requests are required by a competent supervisory authority, Wonderthrough will make reasonable written security documentation available to the Controller in support of the Controller’s own compliance obligations. Wonderthrough may update its security measures from time to time, provided that any such update does not materially degrade the overall level of protection afforded to Personal Data.
3.5 Sub-processor engagement
The Controller provides a general authorization for Wonderthrough to engage Sub-processors to Process Personal Data on the Controller’s behalf, subject to the following conditions.
-
Current Sub-processors. The Sub-processors Wonderthrough engages as of the effective date of this DPA are listed in Appendix A. The current list is also maintained at
https://wonderthrough.com/legal/sub-processors. -
Flow-down of obligations. Wonderthrough will impose data protection obligations on each Sub-processor by written contract that are no less protective than those set out in this DPA, in particular the obligations to provide sufficient guarantees to implement appropriate technical and organizational measures.
-
Notice of changes. Wonderthrough will notify the Controller in writing (which may include by email or by updating the public Sub-processor list and contemporaneously notifying customers with an executed DPA) at least thirty (30) days before engaging a new Sub-processor or replacing an existing Sub-processor with a new one.
-
Right to object. Within thirty (30) days after receiving notice of a proposed change under Section 3.5(3), the Controller may object to the change in writing on reasonable data-protection grounds. The parties will discuss the objection in good faith. If Wonderthrough is unable to reasonably accommodate the Controller’s objection, the Controller may, as its sole and exclusive remedy, terminate the portion of the Agreement that cannot be performed without the objected-to Sub-processor, without penalty, by providing written notice to Wonderthrough within thirty (30) days after Wonderthrough confirms that it cannot accommodate the objection. Wonderthrough will refund any prepaid fees for the terminated portion of the Services covering the period after termination, subject to the retention carve-outs in Section 3.8.
-
Liability for Sub-processors. Wonderthrough remains responsible for the acts and omissions of its Sub-processors to the same extent that Wonderthrough would be liable if performing the services of each Sub-processor directly under this DPA, subject to the limitations of liability in the Agreement.
3.6 Assistance with Data Subject rights
Taking into account the nature of the Processing, Wonderthrough will assist the Controller by appropriate technical and organizational measures, insofar as reasonably possible, in fulfilling the Controller’s obligation to respond to requests from Data Subjects exercising their rights under Data Protection Laws, including rights of access, rectification, erasure, restriction of Processing, portability, objection, and rights relating to automated decision-making.
The Controller is responsible in the first instance for responding to Data Subject requests. Wonderthrough will, on the Controller’s written request:
- Provide the Controller with a copy of the Personal Data Wonderthrough holds about the Data Subject in a structured, commonly used, and machine-readable format, to the extent such data is reasonably accessible to Wonderthrough through its administrative tooling;
- Correct, delete, or restrict Processing of Personal Data as directed by the Controller, subject to the retention carve-outs in Section 3.8;
- Assist the Controller in responding to the Data Subject within the timeframes required by applicable Data Protection Laws.
Wonderthrough will respond to Controller requests for Data Subject assistance within two (2) business days of receipt of a complete request, and will use commercially reasonable efforts to complete fulfillment within the statutory response period applicable to the Controller (for example, thirty (30) days under GDPR Article 12(3) or forty-five (45) days under CCPA/CPRA).
If Wonderthrough receives a Data Subject request directly from an individual who identifies themselves as a Data Subject of the Controller, Wonderthrough will promptly forward the request to the Controller and will not respond to the Data Subject directly except to confirm receipt and redirect the request, unless required to do so by applicable law.
3.7 Assistance with GDPR Articles 32–36
Taking into account the nature of Processing and the information available to Wonderthrough, Wonderthrough will provide reasonable assistance to the Controller in ensuring compliance with the Controller’s obligations under Articles 32 through 36 of the GDPR (and equivalent provisions of other applicable Data Protection Laws), including:
- Ensuring the security of Processing (Article 32);
- Notifying Personal Data Breaches to the competent supervisory authority (Article 33) and communicating Personal Data Breaches to Data Subjects (Article 34);
- Conducting data protection impact assessments (Article 35); and
- Engaging in prior consultation with supervisory authorities (Article 36).
Wonderthrough may charge the Controller reasonable fees for assistance that falls materially outside the standard operation of the Services, provided that Wonderthrough notifies the Controller of such fees in advance and the Controller confirms its willingness to proceed.
3.8 Return or deletion of Personal Data
Upon termination or expiration of the Agreement, or on the Controller’s earlier written request, Wonderthrough will, at the Controller’s election, return to the Controller or delete all Personal Data Processed under this DPA, unless applicable law requires continued storage of the Personal Data.
Wonderthrough will complete such return or deletion within thirty (30) days of the Controller’s request or the effective date of termination, except as set out below.
Retention carve-outs. Notwithstanding the foregoing, Wonderthrough will retain the following categories of Personal Data for the periods specified, as permitted or required by applicable law, including US Internal Revenue Service rules and California state tax requirements:
- Billing and financial records (including Stripe customer records, subscription records, invoice history, credit allowance and debit logs, and processed webhook event ledgers) — retained for seven (7) years from the relevant transaction date for US tax and financial audit compliance.
- AI pipeline usage metadata (
ai_usage_logtable) — retained for seven (7) years measured from each row’s own creation date as billing support data. This metadata does not contain manuscript prose; it contains task type, model, token counts, cost, and (where the Controller’s privacy settings allow) foreign-key references to project, book, character, and result IDs. The seven-year clock is per-row, not per-account-deletion. - Anonymized project stubs (for projects that have been deleted) — retained alongside the billing records during the same seven-year window so the records have a stable target. Each stub contains the project’s ID, deletion timestamp, owner reference, and an anonymized label (e.g., “Deleted Project · abc12345”). The original project name is replaced with the anonymized label when the project’s thirty (30) day grace window ends; no user-authored content is retained.
- Consent records demonstrating compliance under Article 7(1) GDPR — retained for approximately three (3) years post-anonymization to support supervisory inquiries.
- Records required to demonstrate compliance with the Agreement, this DPA, or applicable law, for as long as such records are reasonably necessary for that purpose.
Anonymization on account deletion. When the Data Subject’s account is processed for deletion (see Section 4.3), records retained under carve-outs (1)–(4) above have their user identifier replaced with a freshly generated anonymous identifier before the original account row is deleted. Aggregate financial reporting against the retained data remains possible; per-Data-Subject attribution after account deletion is irrecoverable by design. Wonderthrough retains an access-restricted operator audit record linking the deleted account identifier to the anonymous identifier for six (6) years for legal-hold capability, after which the audit record is destroyed and the unlinking is final.
These retention carve-outs are not negotiable features of the standard DPA; they reflect underlying legal obligations that apply regardless of the state of the Agreement. The retained records do not contain Controller manuscript content and are subject to the same security controls described in Section 3.4.
Stripe customer records created by the Controller’s use of the Services are retained by Stripe independently of this DPA in accordance with Stripe’s own data retention policies. On termination, Wonderthrough will remove its internal linkage to the Stripe customer record, but will not direct Stripe to delete the underlying financial record.
3.9 Audit rights
Wonderthrough will make available to the Controller, on reasonable written request and no more than once per calendar year (except in the event of a Personal Data Breach or a documented request from a competent supervisory authority), information reasonably necessary to demonstrate Wonderthrough’s compliance with this DPA. Such information will be provided in the form of written documentation and may include:
- A description of the technical and organizational measures in place (see Section 3.4 and Appendix B);
- Then-current Sub-processor inventory;
- The then-current Privacy Policy and this DPA;
- Summaries of any relevant independent security assessments, if and when such assessments exist;
- Written responses to a reasonable information-security questionnaire.
Wonderthrough will respond to audit requests within thirty (30) days of receipt of a complete request. The standard form of audit under this DPA is documentation review. On-site inspections are not offered under this standard DPA; where on-site inspection is required by a competent supervisory authority or by applicable law, the parties will negotiate in good faith reasonable arrangements for such inspection, including scope, scheduling, non-disclosure protections, and cost allocation.
Information provided under this Section 3.9 is Wonderthrough’s confidential information and may be used by the Controller only for compliance purposes and only disclosed to persons under a duty of confidentiality.
4. Data Subject Requests Procedure
The Controller is responsible in the first instance for responding to requests from its Data Subjects under Data Protection Laws. Wonderthrough provides the following tooling and procedures to support the Controller, in addition to the general assistance obligations in Section 3.6:
- Access and portability. On the Controller’s written request, Wonderthrough will produce a ZIP archive of the Personal Data Wonderthrough holds about a specified Data Subject, to the extent such data is reasonably accessible through Wonderthrough’s administrative tooling. The archive is delivered by email or signed download URL.
- Rectification. Data Subjects can correct most account information directly within the Services. For fields that are not user-editable, the Controller may request correction on the Data Subject’s behalf.
- Erasure. Erasure may be initiated either by the Data Subject from within the Services (the “Delete all cloud data” flow in privacy settings, with an opt-in checkbox for full account deletion) or by emailing Wonderthrough’s designated support address. In either case, Wonderthrough sends a confirmation email containing a one-click cancellation link and a copy of the Data Subject’s data. The Data Subject has forty-eight (48) hours from the confirmation to cancel the request — by clicking the link, by cancelling from an in-app banner shown on every authenticated page during the window, or by replying to support. After the reversal window elapses, the Data Subject’s account row is deleted and records held under the retention carve-outs in Section 3.8 have their user identifier replaced with a freshly generated anonymous identifier (“reassigned-user-id anonymization”). Aggregate financial reporting against the retained data remains possible; per-Data-Subject attribution post-anonymization is irrecoverable. Wonderthrough retains an access-restricted operator audit record linking the deleted account to the anonymous identifier for six (6) years for legal-hold purposes, after which the link is destroyed.
- Restriction and objection. Wonderthrough will restrict Processing of a Data Subject’s Personal Data on the Controller’s written request, to the extent technically feasible without terminating the Data Subject’s account.
- Automated decision-making. The Services do not use Personal Data to make decisions that produce legal or similarly significant effects on Data Subjects within the meaning of GDPR Article 22.
5. Personal Data Breach Notification
Wonderthrough will notify the Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Controller Personal Data. The notification will be sent to the Controller’s designated data protection contact (or, absent such designation, to the Controller’s primary billing contact) and will include, to the extent known at the time of notification:
- A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned;
- The name and contact details of the Wonderthrough point of contact from whom more information can be obtained;
- A description of the likely consequences of the Personal Data Breach; and
- A description of the measures taken or proposed to be taken by Wonderthrough to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
If the required information is not available within the initial notification window, Wonderthrough will provide it to the Controller in phases as it becomes available, without further undue delay.
Wonderthrough will cooperate with the Controller, and provide reasonable assistance, to investigate, mitigate, and remediate any Personal Data Breach, and to support the Controller in meeting its own breach notification obligations to supervisory authorities and Data Subjects.
Notification of or response to a Personal Data Breach by Wonderthrough is not, and should not be interpreted as, an admission by Wonderthrough of fault or liability.
6. International Transfers
6.1 Transfer mechanism
All of Wonderthrough’s current Sub-processors Process Personal Data primarily in the United States (see Appendix A). Where the Controller is established in the EEA, Switzerland, or the United Kingdom, or where Data Subjects are located in those jurisdictions, Wonderthrough’s Processing of Personal Data on behalf of the Controller may involve transfers of Personal Data to the United States or other third countries.
For such transfers, the parties agree that the Standard Contractual Clauses, together with any applicable country-specific addendum, are incorporated into this DPA by reference and apply as follows:
- EEA transfers. The Standard Contractual Clauses apply, with Module Two (Controller to Processor) governing transfers from the Controller to Wonderthrough, and Module Three (Processor to Processor) governing onward transfers from Wonderthrough to its Sub-processors.
- UK transfers. The UK Addendum applies in addition to the Standard Contractual Clauses for transfers subject to UK GDPR.
- Swiss transfers. The Standard Contractual Clauses apply for transfers subject to Swiss data protection law, with references to the GDPR construed as including the Swiss Federal Act on Data Protection and references to the competent supervisory authority construed as including the Swiss Federal Data Protection and Information Commissioner.
6.2 Module selections and optional clauses
For the purposes of the Standard Contractual Clauses:
- In Clause 7, the docking clause is included.
- In Clause 9, Option 2 (general written authorization) applies; the time period for prior notice of Sub-processor changes is thirty (30) days as specified in Section 3.5(3) of this DPA.
- In Clause 11, the optional redress clause is not used.
- In Clause 17, Option 1 applies and the Standard Contractual Clauses are governed by the law of Ireland.
- In Clause 18(b), disputes are resolved before the courts of Ireland.
- Annex I.A (List of Parties), Annex I.B (Description of Transfer), Annex II (Technical and Organizational Measures), and Annex III (List of Sub-processors) are deemed completed by reference to the signature block of this DPA and to Appendices A, B, and C, as further described in Appendix B.
6.3 Supplementary measures
In light of the Schrems II jurisprudence, Wonderthrough has assessed the risk of government access requests in the United States and has implemented supplementary technical and organizational measures to reduce that risk, including encryption in transit and at rest, access controls, and internal procedures to review and, where lawful, challenge government access requests. Wonderthrough will notify the Controller if Wonderthrough becomes subject to a legally binding request by a public authority to disclose Personal Data Processed under this DPA, unless prohibited by law from doing so, and will challenge any such request where Wonderthrough reasonably considers it to be unlawful.
7. Liability and Indemnification
Each party’s liability under this DPA is subject to the exclusions and limitations of liability set out in the Agreement. To the extent the Agreement contains an aggregate cap on liability, that cap applies to the parties’ combined aggregate liability under the Agreement and this DPA.
Each party will defend, indemnify, and hold harmless the other party against third-party claims, losses, and damages to the extent arising from the indemnifying party’s material breach of this DPA, subject to (and counted against) the limitations of liability in the Agreement.
Nothing in this DPA excludes or limits the rights of Data Subjects under applicable Data Protection Laws, or excludes or limits any liability that cannot be excluded or limited under applicable law.
8. Term and Termination
This DPA takes effect on the date last signed below (the “Effective Date”) and continues in effect for so long as Wonderthrough Processes Personal Data on behalf of the Controller under the Agreement. Termination or expiration of the Agreement automatically terminates this DPA, except that the provisions of this DPA that by their nature are intended to survive termination (including Sections 3.8, 3.9, 5, 6, 7, and 9) will survive.
On termination, Wonderthrough will return or delete Personal Data in accordance with Section 3.8.
9. Governing Law and Jurisdiction
This DPA is governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of laws principles, and the parties consent to the exclusive jurisdiction of the state and federal courts located in Delaware for any dispute arising out of or relating to this DPA, except that the Standard Contractual Clauses and the UK Addendum, where they apply, are governed by the law and subject to the forum specified in those instruments and in Section 6.2 of this DPA. Nothing in this Section 9 limits the rights of Data Subjects under applicable Data Protection Laws or the rights of supervisory authorities to enforce those laws.
The dispute resolution provisions of the Agreement (including any arbitration provisions, to the extent they apply to the parties) are incorporated into this DPA by reference.
10. Miscellaneous
- Entire agreement. This DPA, together with the Agreement, the Privacy Policy, and the Sub-processor list, constitutes the entire agreement between the parties with respect to the Processing of Personal Data and supersedes any prior agreements on that subject matter.
- Amendments. Wonderthrough may update this DPA from time to time to reflect changes in applicable Data Protection Laws, Sub-processor engagements, or Wonderthrough’s security practices. Material updates that adversely affect the Controller’s rights will be notified to the Controller at least thirty (30) days in advance and, where required by applicable Data Protection Laws, will be subject to the Controller’s agreement.
- Notices. Notices under this DPA must be in writing and are effective when received. Notices to Wonderthrough should be sent to the email or mailing address specified on Wonderthrough’s legal information page or in the signature block below. Notices to the Controller will be sent to the email address on file for the Controller’s account.
- Severability. If any provision of this DPA is held to be invalid or unenforceable, that provision will be enforced to the maximum extent permitted by law, and the remaining provisions of this DPA will remain in full force and effect.
- No third-party beneficiaries. Except for Data Subjects’ rights to the extent expressly provided by applicable Data Protection Laws, this DPA does not confer any rights on any third party.
- Counterparts. This DPA may be executed in counterparts, including by electronic signature or by exchange of signed PDF copies, each of which is deemed an original and all of which together constitute one instrument.
Signatures
CONTROLLER (Customer):
- Entity name: _________________________________________
- Name: _________________________________________
- Title: _________________________________________
- Email: _________________________________________
- Date: _________________________________________
- Signature: _________________________________________
PROCESSOR (Wonderthrough, Inc.):
- Entity name: Wonderthrough, Inc.
- Name: _________________________________________
- Title: _________________________________________
- Email: _________________________________________
- Date: _________________________________________
- Signature: _________________________________________
Appendix A — List of Sub-processors
Wonderthrough engages the following Sub-processors in the provision of the Services. The current list is maintained at https://wonderthrough.com/legal/sub-processors; in the event of any conflict between this Appendix and the public list, the public list (together with any change notice given under Section 3.5(3)) controls.
| # | Sub-processor | Role | Primary region |
|---|---|---|---|
| 1 | Stripe | Payment processing, subscription lifecycle, Customer Portal | United States (global processing) |
| 2 | Supabase | Authentication, Postgres database, edge functions, storage, realtime | United States (AWS us-east-1) |
| 3 | Anthropic (Claude) | Primary AI provider for most writing and analysis pipelines | United States |
| 4 | OpenAI | Secondary AI provider, including GPT text models and DALL-E image generation | United States (global processing) |
| 5 | Optional AI provider (Gemini) and OAuth sign-in | United States (global processing) | |
| 6 | PostHog | Product analytics and feature flags for the app and the marketing site (event metadata only; marketing-site analytics cookies are consent-gated in the EU/EEA/UK/CH) | United States (PostHog Cloud) |
| 7 | Sentry | Error tracking and reliability monitoring | United States (Sentry Cloud) |
| 8 | Vercel | Marketing website hosting and content delivery | United States with global CDN |
| 9 | Craft | Feedback collection backend | United States (pending confirmation) |
Each Sub-processor processes only the categories of Personal Data necessary for its role. None of the Sub-processors listed above is authorized to use Controller content to train artificial intelligence models, and Wonderthrough has confirmed this position with each current AI provider Sub-processor (Anthropic, OpenAI, Google) under the commercial terms Wonderthrough has accepted.
The Controller may review the then-current Sub-processor list, including role descriptions, regions, and links to each Sub-processor’s own data processing terms, at https://wonderthrough.com/legal/sub-processors.
Appendix B — Standard Contractual Clauses
The Standard Contractual Clauses approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj, are hereby incorporated into this DPA by reference and apply to any transfer of Personal Data from the EEA, Switzerland, or the United Kingdom to a third country that does not benefit from an adequacy decision under applicable Data Protection Laws.
Module Two (Controller to Processor) governs transfers from the Controller to Wonderthrough. Module Three (Processor to Processor) governs onward transfers from Wonderthrough to its Sub-processors. The module selections and optional clauses are set out in Section 6.2 of this DPA.
For purposes of the Standard Contractual Clauses, the Annexes are deemed completed as follows:
- Annex I.A — List of Parties. The data exporter is the Controller identified in the signature block of this DPA. The data importer is Wonderthrough, Inc., a Delaware corporation.
- Annex I.B — Description of Transfer. The subject matter, duration, nature and purpose of Processing, categories of Personal Data, categories of Data Subjects, frequency of transfer, and retention periods are those described in Section 2 and Appendix C of this DPA.
- Annex II — Technical and Organizational Measures. The measures are those set out in Section 3.4 of this DPA and in the “Technical and Organizational Measures” section below.
- Annex III — List of Sub-processors. The Sub-processors are those listed in Appendix A of this DPA.
Technical and Organizational Measures (Annex II)
Wonderthrough implements and maintains the following technical and organizational measures, which may be updated from time to time provided that the overall level of protection is not materially reduced.
-
Encryption. All client-to-server and server-to-Sub-processor communications are protected by HTTPS/TLS. The server-side database is encrypted at rest using the infrastructure Sub-processor’s default encryption. Bring-your-own AI provider API keys, where stored on Wonderthrough’s servers, are additionally encrypted at rest using AES-256-GCM with a server-held encryption key and are never transmitted from the server to a Data Subject’s device in decrypted form. Locally-cached entitlement state and any locally-stored BYO API keys in the Wonderthrough desktop application are encrypted using
safeStoragebacked by the operating system’s platform keychain (macOS Keychain, Windows DPAPI, or Linux libsecret). Passwords are hashed and salted by the authentication Sub-processor and are never received in plaintext by Wonderthrough. -
Pseudonymization. When a Data Subject’s privacy settings reduce the Briefing Detail level below “Robust” (which the Service exposes as the “Setting 3” control), foreign-key references in AI usage metadata are stripped at source so that usage logs cannot be correlated back to specific books, characters, or results. AI calls using bring-your-own keys (BYO) or a local model follow the Data Subject’s routing setup: on the desktop app with Cloud Sync off for the active project, BYO and local-model calls go directly from the device to the provider, bypassing Wonderthrough’s infrastructure, and usage metadata stays on the device unless “Sync activity between desktop and web” is also enabled. On the desktop app with Cloud Sync enabled, or on the web app, BYO calls transit Wonderthrough’s AI proxy briefly so that the encrypted key can be resolved server-side, and the usage metadata is logged on Wonderthrough’s servers as part of that call. On account deletion, retained billing rows have their user identifier replaced with a freshly generated anonymous identifier (see Section 3.8); consent records are pseudonymized via a non-reversible hash of the original identifier.
-
Access controls and confidentiality. Production database access is protected by row-level security policies enforced by the infrastructure Sub-processor. Service-role credentials are restricted to authorized personnel and held in secured environment configuration. Administrative actions performed through Wonderthrough’s support tooling are recorded. Access to Personal Data is limited to personnel and contractors whose role requires such access, all of whom are bound by confidentiality obligations.
-
Content transit minimization and no content scanning. Wonderthrough’s AI proxy component Processes pipeline requests in memory without persisting the request or response body. Server-side usage logs contain billing and reliability metadata only; they do not contain manuscript prose. Wonderthrough does not scan, read, or automatically review private user content for any purpose.
-
Availability, resilience, and recovery. The Services rely on the infrastructure Sub-processor’s backup, replication, and disaster recovery capabilities. Wonderthrough maintains operational procedures to restore access to Personal Data in the event of a physical or technical incident, to the extent dependent on the infrastructure Sub-processor’s capabilities.
-
Session management. Authentication sessions follow the authentication Sub-processor’s default lifecycle; sessions are revoked on account deletion.
-
Testing and evaluation. Changes to production code are reviewed before deployment. Wonderthrough periodically reviews its security posture and the configuration of its Sub-processors and maintains an internal log of manual verification steps (including confirming that AI provider training opt-outs remain in effect). Wonderthrough conducts periodic internal privacy audits of the Processing flows implemented in code.
-
Incident response. Wonderthrough maintains written incident response procedures. Personal Data Breaches are notified to the Controller in accordance with Section 5 of this DPA.
-
Certifications. Wonderthrough does not currently hold SOC 2, ISO/IEC 27001, HIPAA, FedRAMP, or equivalent third-party certifications. On written request, Wonderthrough will make reasonable written security documentation available to the Controller in accordance with Section 3.9 of this DPA.
Where transfers are subject to UK GDPR, the UK Addendum is incorporated by reference and takes effect alongside the Standard Contractual Clauses with the modifications set out in the UK Addendum and in Section 6.1(2) of this DPA.
Appendix C — Categories of Personal Data and Data Subjects
Categories of Data Subjects
The Controller’s authorized end users of the Services, which may include students, staff, writers, editors, workshop participants, or other individuals whose Personal Data the Controller makes available to Wonderthrough through use of the Services.
Categories of Personal Data
Wonderthrough Processes the following categories of Personal Data on behalf of the Controller, as further described in Wonderthrough’s internal data flow documentation and the Privacy Policy:
-
Creative content
- Manuscript prose (scene body text)
- Entity profiles (characters, locations, lexicon items, props, and other worldbuilding entities)
- Project and book metadata (titles, descriptions, genre, configuration settings)
- AI pipeline results (synthesis outputs, enrichment findings, arc analysis, trajectory inference, crystallization cards, session briefings, and related generated content)
-
Account and authentication data
- Email address, display name, avatar URL
- Password hash (stored only by the authentication Sub-processor)
- OAuth identity links (where a Data Subject signs in with Google)
- Session tokens and authentication credentials
- Terms of Service acceptance records and consent metadata
- Account-level Cloud Sync preference (whether the account is configured to mirror selected projects, BYO keys, and routing preferences to Wonderthrough’s servers)
-
Billing data
- Stripe customer identifiers and subscription identifiers
- Subscription state, tier, trial start and end dates
- Invoice history and payment intent identifiers
- Credit allowance, debit log, and top-up purchase records
-
AI pipeline usage metadata
- Task type, model, token counts (input, output, cache creation, cache read)
- Estimated and charged cost in USD
- Key source (platform key, bring-your-own key, or local model)
- Duration, caller identifier, key owner identifier
- Foreign-key references to project, book, character, and result identifiers (preserved at the “Robust” Briefing Detail level; stripped at source at “Minimal” / “Off” levels; not transmitted at all when the AI call uses the Data Subject’s own keys or a local model with cross-device sync disabled — in those cases the row stays on the device)
- The Briefing Detail level in effect on the device at the moment the row was written is recorded on the row itself, and the sync layer respects that recording: switching levels later does not retroactively change how the row is treated
-
Bring-your-own (BYO) AI provider credentials
- Encrypted API key blobs for Anthropic, OpenAI, and Google providers, stored in the
user_api_keystable when a Data Subject saves a key on the web app or on the desktop app with Cloud Sync enabled. Keys are encrypted at rest using AES-256-GCM with a server-held encryption key. - Masked preview strings (visible-prefix plus visible-suffix only, used to render the key in the user interface)
- Last-validation timestamp and update timestamp
- Provider identifier (anthropic, openai, or google)
- Wonderthrough does not transmit decrypted key values from the server back to a Data Subject’s device; new devices re-enter their keys on first launch.
- Encrypted API key blobs for Anthropic, OpenAI, and Google providers, stored in the
-
AI tool routing preferences
- User identifier and tool identifier
- Selected provider and model for that tool
- Stored in the
user_routing_overridestable to apply the same per-tool routing across the Data Subject’s devices
-
Product telemetry and error reports
- Essential telemetry events (authentication, billing, and crash events Essential data the Services)
- Optional product analytics events (subject to the Data Subject’s consent where required under applicable Data Protection Laws)
- Error messages, stack traces, and platform or environment tags
-
User-initiated submissions
- Feedback submissions (title, description, steps to reproduce, severity, automatic context metadata, optional user-captured screenshot)
-
Client-side preferences (per device)
- Atomic privacy settings (Cloud Sync, Sync activity between desktop and web, Briefing Detail level, and the AI key/model preference per tool) — set independently on each device or browser; can be configured via the “Standard”, “Private AI”, or “Local-only” presets, or individually
- Telemetry consent preferences (essential, optional)
- Locally-cached entitlement state (encrypted at rest on the user’s device)
- Locally-stored BYO API keys (where the desktop operating system keychain is available); these never transit Wonderthrough’s servers
-
Settings change history
- Timestamped records of changes to the Data Subject’s four atomic privacy settings (Allowed AI sources, Cloud Sync, Writing activity details, Sync activity between desktop and web)
- For each change: the new value, the previous value, the originating device class (
desktop-mac/desktop-win/desktop-linux/web-browser), and an opaque per-device identifier generated at first launch - Not a device fingerprint — no canvas, font, or hardware enumeration
- Stored in the
user_settings_historytable; Row Level Security restricts reads to the row owner - Retained for 24 months from each change’s timestamp; deleted on account deletion; not affected by the per-feature Manage your data controls described below
A more detailed mapping of origin, transit path, storage location, retention period, and deletion path for each category is maintained in Wonderthrough’s internal data flow documentation and reflected in the Privacy Policy.
Retention periods
Retention periods are set out in Section 3.8 and the Privacy Policy. In summary: account-linked Controller content is retained for the duration of the account plus a thirty (30) day soft-delete grace period; billing records and AI usage metadata are retained for seven (7) years; feedback submissions are retained for three (3) years; product analytics are retained for twenty-four (24) months; settings change history is retained for twenty-four (24) months from each change’s timestamp; error reports are retained for ninety (90) days; session tokens follow the authentication Sub-processor’s default lifecycle.
Deletion paths
A Data Subject can delete categories of Personal Data via the Wonderthrough application’s Settings → Privacy & Data → Manage your data surface. The surface supports per-category deletion across two layers: from Wonderthrough’s servers (the cloud layer) and, on the desktop application, from the Data Subject’s device’s local files (the local layer). The four categories the surface exposes are AI usage and spend history, Writing activity, World Search history, and BYO API keys. On the web application, all data lives on Wonderthrough’s servers and the Manage your data surface presents only cloud-layer deletion.
AI usage metadata corresponding to calls billed against Wonderthrough’s platform keys is retained for seven (7) years per Section 3.8 and cannot be deleted during that window; on account deletion such records are pseudonymized rather than deleted (see Section 3.8). Settings change history (category 10 above) is included only in the account-deletion sweep; it is not affected by the per-feature Manage your data controls.
Account-wide deletion (deletion of the Wonderthrough account itself) follows the process set out in the Privacy Policy, Section 9. The 48-hour reversal window, the 30-day grace period, and the 7-year billing-record carve-out described there apply equally for purposes of this DPA.
End of Data Processing Agreement.