LEGAL · DRAFT FOR REVIEW

Data Processing Agreement

Draft as of April 25, 2026

Pre-launch — draft for review

WinsAbove is in active development and is not yet processing customer personal data in production. This document describes the intended processing posture once the platform ships and is published in draft form so prospective customers and their counsel can review the model in advance. It has not been countersigned with any customer and is not a binding contract until executed. Email legal@winsabove.com for the current revision.

This Data Processing Agreement ("DPA") supplements the WinsAbove Terms of Service and applies whenever WinsAbove processes personal data on behalf of a Customer ("you", "your") in connection with the Service. It is intended to satisfy the requirements of GDPR Article 28, the UK GDPR, and CCPA service-provider provisions. A countersigned copy is available on request to legal@winsabove.com.

1. Roles

For all personal data processed under this DPA:

  • You are the Data Controller.
  • WinsAbove is the Data Processor acting on documented instructions from you.

2. Scope and purpose of processing

WinsAbove processes personal data only as necessary to provide the Service: pulling closed-won deal records and engagement signals from your connected CRM via read-only OAuth, normalizing the data against peer-cohort benchmarks, computing the Alpha Score, and presenting it through the platform interfaces. We do not process personal data for any other purpose, and we do not sell personal data within the meaning of CCPA.

3. Categories of data subjects and personal data

Data subjects: your employees and contractors who connect their CRM credentials to the Service.

Categories of personal data processed:

  • Identification data (name, email, professional role, employer)
  • CRM-derived performance records (closed-won deals, stages, deal sizes, win/loss outcomes)
  • Engagement metadata (meeting and email counts and timestamps, no message contents)
  • Authentication credentials (OAuth tokens, password hashes)
  • Usage telemetry (IP, browser, session metadata)

4. Subprocessors

You authorize WinsAbove to engage the following subprocessors:

  • Cloudflare, Inc. — hosting, CDN, edge security (United States, global edge).
  • Merge.dev, Inc. — unified CRM API for read-only Salesforce and HubSpot integrations (United States).
  • Google LLC — anonymized analytics (Google Analytics 4) (United States).
  • Transactional email provider — outbound email delivery (United States).

Each subprocessor is bound by written contracts that impose data protection obligations no less protective than those in this DPA. We will notify you of any material change to this list at least 30 days before the change takes effect, giving you the opportunity to object on reasonable data protection grounds.

5. Security measures (target state)

WinsAbove is pre-launch and the operational security program described below is being built — it is not yet in place. Live controls and target controls are tracked separately on our security page.

Live today:

  • Transport encryption. TLS 1.3 in transit, terminated by Cloudflare.
  • Network controls. Cloudflare WAF and DDoS protection in front of every request.
  • Secrets management. Production credentials stored as Cloudflare Worker secrets, not in source.

Target controls — not yet operational:

  • Encryption at rest on Cloudflare storage primitives (D1, R2, KV) once a customer data store is provisioned.
  • Least-privilege role-based access and MFA on administrative accounts.
  • Audit logging of access to personal data.
  • Documented incident response procedures with breach notification commitments.
  • SOC 2 Type II audit. WinsAbove holds no third-party security attestations today.

Customers requiring formal attestations or operational SLAs today should treat WinsAbove as pre-attestation and decline pilot participation, or engage as a design partner aware of the pre-launch state.

6. International transfers

Personal data is stored at rest in the United States. Where Customer data subjects are located in the European Economic Area, the United Kingdom, or Switzerland, transfers are made under the EU Standard Contractual Clauses (Module 2: Controller-to-Processor) and the UK International Data Transfer Addendum, which are incorporated into this DPA by reference.

7. Data subject rights

WinsAbove will provide reasonable assistance to help you respond to data subject requests (access, rectification, erasure, portability, restriction, objection). To submit a request, contact privacy@winsabove.com; we will respond within five business days. Self-service rights tooling in the dashboard is on the roadmap.

8. Personal data breach notification

Once WinsAbove is processing personal data on behalf of customers, we will notify the affected customer without undue delay, and in any event within 72 hours of becoming aware, of any personal data breach affecting their data. Notice will include the nature of the breach, categories and approximate number of affected data subjects, likely consequences, and the measures taken or proposed to address it. As of the date of this draft, no customer personal data is being processed and no incident response runbook is in place yet.

9. Audit rights

Once per calendar year, on at least 30 days' written notice, you may request copies of WinsAbove's current security questionnaire responses and any third-party attestations then available (a SOC 2 Type II report is not yet available — see Section 5). Where a regulator requires further audit, the parties will agree on scope and cost in good faith.

10. Return and deletion

On termination of the Service, WinsAbove will delete or return all personal data within 30 days, unless retention is required by law. Backup copies are purged within 90 days under our standard backup rotation.

11. Order of precedence

In the event of any conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of personal data.

12. Contact

DPA execution and data protection inquiries: legal@winsabove.com.