Data Processing Addendum (DPA)
Last updated: 2026-05-01. Operated by ConsultingWhiz LLC.
This DPA forms part of the Terms of Service between ConsultingWhiz LLC ("Processor") and the customer ("Controller") using LoopWebinar to process personal data on behalf of webinar attendees, registrants, or other end users ("Data Subjects"). This DPA applies whenever the customer's use of the Service involves personal data subject to GDPR, UK GDPR, CCPA/CPRA, or other applicable data-protection laws.
Quick context: if you are an individual host using LoopWebinar for your own marketing webinars, this DPA is mostly housekeeping — your attendees are your contacts. If you are an agency, B2B SaaS, or enterprise running webinars on behalf of clients, this DPA defines our obligations as a sub-processor.
1. Roles & scope
You (Customer) are the Controller of personal data you upload, import, or collect through LoopWebinar — including registrant lists, attendee names & emails, chat messages, poll responses, and CTA click data. ConsultingWhiz LLC acts as Processor, processing that data only on documented instructions from you (which include configuring the Service through the dashboard and these Terms).
2. Categories of data & data subjects
- Identifiers: registrant name, email address, optional company.
- Behavioral data: session join/leave timestamps, watch time, drop-off offset, chat content, poll responses, CTA impressions/clicks.
- Account data (Customer side): host name, email, hashed password, organization settings, and billing or redemption status. Payment methods are handled by the marketplace or payment processor.
- Data subjects: webinar attendees, registrants, hosts, and team members.
3. Sub-processors
We use the following sub-processors, each under data-protection contracts that match or exceed our obligations to you:
- Supabase (Postgres database + auth) — US/EU regions per project.
- Cloudflare R2 (video storage).
- Resend (transactional email).
- Marketplace/payment processors (purchase and refund handling — we do not store card numbers).
- DigitalOcean (compute, US region).
- Sentry (error monitoring — we scrub PII from breadcrumbs where possible).
- Daily.co (live video rooms — only if you enable hybrid live).
- Calendly (registration sync — only if you connect your account).
You consent to our use of the above sub-processors. We will give 30 days' notice before adding or replacing a sub-processor by updating this page; you may terminate the affected service if you object in writing within 30 days.
4. Security measures
- Transport: TLS 1.2+ on every public endpoint (loopwebinar.com is HTTPS-only).
- At rest: Postgres + R2 encrypt data at rest by default.
- Tenant isolation: row-level security policies in the database scope every read/write to the caller's organization. Verified by a 7/7 cross-tenant isolation test suite.
- Secrets: API keys are stored as bcrypt hashes; only a 6-character prefix is retrievable for display.
- Access: internal access to production data is limited to founding personnel with 2FA on GitHub + Supabase.
- Audit log: sensitive admin actions (org deletion, member changes, API key issuance) are logged for the customer to review.
5. Data subject rights
You can fulfill data subject access, correction, and deletion requests directly from the dashboard. If you need our help — for example, deleting all data tied to a specific email across multiple webinars — email contact@loopwebinar.com from the email on file. We will respond within 30 days.
6. Data retention & deletion
While your organization is active, we retain data indefinitely so you can analyze historical webinars. When you delete your organization (Settings → Danger Zone), we begin a 30-day cooling-off period during which the deletion can be cancelled. After 30 days, all webinar data, attendee data, video files, and analytics are permanently deleted. Backups roll off within an additional 30 days.
7. International transfers
Data may be transferred to or stored in the United States, where our primary infrastructure lives. For Customers in the EU/UK/Switzerland, transfers rely on the EU Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, which are deemed incorporated into this DPA. If you require a signed paper copy of the SCCs for your records, email contact@loopwebinar.com.
8. Breach notification
If we become aware of a personal data breach affecting your data, we will notify you without undue delay and in any case within 72 hours, including (a) the nature of the breach, (b) categories and approximate number of data subjects affected, (c) likely consequences, and (d) measures taken or proposed.
9. Audits
You may request, no more than once per 12-month period, a written summary of our security posture and sub-processor list. Onsite audits are not generally accommodated for self-serve plans; enterprise customers may negotiate audit terms separately.
10. Term & termination
This DPA remains in force as long as you are processing personal data through LoopWebinar. On termination, the data-deletion timeline in §6 applies.
11. Order of precedence
If this DPA conflicts with the Terms of Service on data-protection matters, this DPA controls.
Contact (data protection): contact@loopwebinar.com
Contact (legal): contact@loopwebinar.com
This DPA is provided as a self-serve, click-through contract — no signature required for individual / standard plans. Enterprise customers requiring a signed paper DPA, custom SCCs, or BAA-style addendums should contact contact@loopwebinar.com.