Data Processing Addendum
Last updated 18 July 2026
This addendum applies when you use BA | Wisp to process personal data of others in the course of your work, making you the controller and us your processor.
It should be read with our Privacy Policy and the Subprocessors list, and reviewed by your legal team before you rely on it.
Scope and roles
You are the data controller for content you send. Aletheia Tech Ltd is the processor. We process only on your instructions, which for this service means: store the ciphertext, enforce the lifetime and read limits you set, anchor the hash if you asked, and delete on expiry, exhaustion, revocation, or valid takedown.
A processor that cannot read the data
The service is architected so that we process content only in encrypted form. We cannot access the plaintext of the personal data you send, which materially limits the categories of processing we can perform and the exposure of that data to us and to any subprocessor.
This does not apply to the optional label, which is unencrypted; do not place personal data in it.
Security, subprocessors, deletion
Content is encrypted in transit and at rest, and additionally end-to-end encrypted by you before it reaches us. We engage the subprocessors listed on the Subprocessors page and will give notice of changes.
On expiry or on your instruction we delete ciphertext from our systems. We cannot delete a published on-chain hash; it contains no readable personal data.