Data Processing Agreement
Between Aquila Labs, Inc. ("Wonder," "we," "us") and the Customer identified in the Agreement ("Customer," "you")
Last updated: April 25, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Wonder and Customer for the provision of the Wonder service (the "Agreement"). It reflects the parties' agreement with regard to the Processing of Personal Data in accordance with the requirements of Data Protection Laws. Defined terms not defined here have the meaning given in the Agreement. In the event of conflict between this DPA and the Agreement, this DPA controls with respect to the Processing of Personal Data.
1. Definitions
"Customer Personal Data" means Personal Data that Wonder Processes on behalf of Customer in connection with the provision of the Service.
"Data Protection Laws" means all applicable laws and regulations relating to the Processing of Personal Data, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, the Swiss Federal Act on Data Protection ("FADP"), and the California Consumer Privacy Act as amended ("CCPA/CPRA").
"Personal Data," "Processing," "Controller," "Processor," and "Data Subject" have the meanings given in the GDPR.
"Service" means the Wonder design platform and related services provided by Wonder under the Agreement.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Decision 2021/914.
"Subprocessor" means any third party engaged by Wonder to Process Customer Personal Data on its behalf.
2. Roles of the parties
2.1 The parties acknowledge that, with respect to the Processing of Customer Personal Data, Customer is the Controller, Wonder is the Processor, and Wonder will engage Subprocessors under Section 6.
2.2 Each party will comply with its respective obligations under Data Protection Laws.
3. Processing of Customer Personal Data
3.1 Scope and instructions. Wonder will Process Customer Personal Data only (a) to provide the Service in accordance with the Agreement, (b) as further documented in Customer's use of the Service, and (c) as otherwise instructed by Customer in writing, provided such instructions are consistent with the Agreement.
3.2 Compliance with laws. Wonder will notify Customer if, in Wonder's opinion, an instruction from Customer infringes Data Protection Laws, unless prohibited from doing so by law.
3.3 Details of Processing. The subject matter, duration, nature, purpose, categories of Personal Data, and categories of Data Subjects are described in Annex I.
4. Security
4.1 Wonder will implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. A description of these measures is set out in Annex II.
4.2 Wonder ensures that personnel authorized to Process Customer Personal Data have committed themselves to confidentiality.
5. Personal Data breaches
5.1 Wonder will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting Customer Personal Data.
5.2 The notification will include, to the extent known at the time, the nature of the breach, categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed to address the breach.
5.3 Wonder will reasonably cooperate with Customer's investigation and remediation of any breach.
6. Subprocessors
6.1 General authorization. Customer provides general authorization for Wonder to engage Subprocessors, subject to this Section 6. A current list of Subprocessors is available at wonder.design/subprocessors.
6.2 Notification of changes. Wonder will provide at least 30 days' notice of any new Subprocessor before authorizing that Subprocessor to Process Customer Personal Data. Customers may subscribe to notifications by emailing hello@wonder.so.
6.3 Objection right. Customer may object to the engagement of a new Subprocessor on reasonable, documented grounds related to Data Protection Laws by notifying Wonder in writing within the notice period. If the parties cannot resolve the objection, Customer may terminate the portion of the Service that cannot be provided without the objected-to Subprocessor.
6.4 Flow-down obligations. Wonder will enter into a written agreement with each Subprocessor that imposes data protection obligations no less protective than those in this DPA. Wonder remains liable to Customer for the performance of each Subprocessor's obligations.
7. International transfers
7.1 To the extent Customer Personal Data originating in the EEA, UK, or Switzerland is transferred to a country not subject to an adequacy decision, the transfer will be governed by the Standard Contractual Clauses, which are incorporated into this DPA by reference.
7.2 For EEA transfers, Module 2 (Controller to Processor) applies, with Wonder as the data importer and Customer as the data exporter. The optional clauses and docking clause apply. Clause 17 is governed by the laws of Ireland. Clause 18(b) designates the courts of Ireland.
7.3 For UK transfers, the UK International Data Transfer Addendum to the SCCs applies.
7.4 For Swiss transfers, references to GDPR are deemed references to the Swiss FADP, and the supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
8. Assistance to Customer
8.1 Data subject requests. Taking into account the nature of the Processing, Wonder will provide reasonable assistance to Customer, by appropriate technical and organizational measures, to fulfill Customer's obligations to respond to requests from Data Subjects exercising their rights under Data Protection Laws.
8.2 DPIAs and consultations. Wonder will provide Customer with reasonable assistance in carrying out data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of Processing and information available to Wonder.
9. Audits
9.1 Wonder will make available to Customer, on request, information reasonably necessary to demonstrate compliance with this DPA, including Wonder's most recent SOC 2 report (once available) and responses to industry-standard questionnaires such as CAIQ.
9.2 If the information made available under Section 9.1 is insufficient to demonstrate compliance, Customer may request an on-site audit no more than once per calendar year, on at least 30 days' prior written notice, during business hours, at Customer's expense, subject to reasonable confidentiality and security requirements. Audits triggered by a documented material breach are not subject to the once-per-year limit or cost allocation.
10. Return and deletion of Customer Personal Data
10.1 Upon termination or expiration of the Agreement, Wonder will, at Customer's option, delete or return all Customer Personal Data in its possession, other than Customer Personal Data retained in routine backup systems. Backups will be deleted on their ordinary rotation schedule, not to exceed 90 days.
10.2 Wonder may retain Customer Personal Data to the extent required by applicable law, provided such data remains subject to the confidentiality and security obligations of this DPA.
11. Liability
11.1 Each party's liability arising out of or related to this DPA, whether in contract, tort, or any other theory of liability, is subject to the limitations and exclusions of liability set forth in the Agreement. Any reference in such limitations to the liability of a party means the aggregate liability of that party under the Agreement and this DPA.
12. CCPA-specific terms
12.1 For Customer Personal Data subject to the CCPA, Wonder acts as Customer's "service provider" within the meaning of the CCPA. Wonder will not (a) sell or share Customer Personal Data, (b) retain, use, or disclose Customer Personal Data for any purpose other than the business purposes specified in the Agreement, or (c) combine Customer Personal Data with personal information from other sources except as permitted under the CCPA.
13. Miscellaneous
13.1 This DPA may not be modified except by a written amendment signed by both parties.
13.2 If any provision of this DPA is held invalid or unenforceable, the remainder will remain in full force and effect.
13.3 This DPA is governed by the law and jurisdiction specified in the Agreement, except as expressly modified by the SCCs.
Annex I — Details of Processing
A. List of parties
- Data exporter / Controller: Customer, as identified in the Agreement.
- Data importer / Processor: Aquila Labs, Inc. (Wonder), San Francisco, California, United States.
B. Description of transfer
| Item | Details |
|---|---|
| Categories of Data Subjects | Customer's authorized users (employees, contractors, collaborators) and any individual whose Personal Data Customer uploads to or generates within the Service. |
| Categories of Personal Data | Account identifiers (name, email, authentication identifiers); user-generated content (design files, prompts, comments, project metadata); usage and product analytics data; support communications. |
| Sensitive data | The Service is not intended for the Processing of special categories of Personal Data. Customer should not upload sensitive data as defined in Article 9 of the GDPR. |
| Frequency of the transfer | Continuous, for the duration of the Agreement. |
| Nature of the Processing | Hosting, storage, transmission, analysis, and AI-assisted generation performed in connection with the Service. |
| Purpose of the Processing | Providing the Service to Customer, including AI-assisted design and code generation, collaboration, and support. |
| Retention period | For the duration of the Agreement, plus the backup retention period set out in Section 10.1. |
| Subprocessors | As set out at wonder.design/subprocessors. |
C. Competent supervisory authority
For the purposes of the SCCs, the competent supervisory authority is the Irish Data Protection Commission.
Annex II — Technical and organizational measures
Wonder implements the following measures.
- Encryption. TLS 1.2 or higher in transit; AES-256 at rest via managed cloud encryption.
- Access control. Role-based access, least privilege, mandatory 2FA for production access, access review on a periodic basis.
- Authentication. Customer authentication via WorkOS, with support for SSO (SAML, OIDC) on applicable plans.
- Network security. Segregated production environment, DDoS protection and WAF.
- Logging and monitoring. Centralized application and infrastructure logging, anomaly alerting.
- Application security. Peer code review, automated dependency and static analysis scanning, planned annual third-party penetration testing.
- Backups and resilience. Encrypted backups on scheduled rotation; documented recovery procedures.
- Personnel. Confidentiality agreements, security awareness training on onboarding, background checks for production access consistent with local law.
- Incident response. Documented plan covering detection, triage, containment, notification, and postmortem.
- Vendor management. Subprocessor review prior to onboarding, flow-down contractual obligations.
Execution. This DPA is incorporated into and forms part of the Agreement. By accepting the Agreement, or by continuing to use the Service after the effective date of this DPA, Customer agrees to the terms of this DPA. No additional signature is required for this DPA to take effect. Customers requiring a countersigned copy may contact hello@wonder.so.