Data Processing Addendum
Effective: 13 July 2026Last updated: 13 July 2026
This Data Processing Addendum (“DPA”) forms part of our Terms of Service and applies where Senithu Software Solutions (“ChatMunshi”, “Processor”) processes personal data of your end customers on your behalf. In that processing, you (the business) are the Controller and we are the Processor.
1. Scope and roles
This DPA governs our processing of “Customer Personal Data” — personal data contained in messages and contact details of your end customers that we process to provide the Service. You are the Controller and remain responsible for the lawfulness of the data and for having any necessary consents. We act as your Processor and process Customer Personal Data only on your documented instructions, which include your use and configuration of the Service.
2. Nature and purpose of processing
- Purpose: to receive, understand (including transcribing voice notes), and respond to messages from your end customers, and to store conversation history and related records for you.
- Categories of data: WhatsApp phone numbers and profile names, message content (text, voice, images, documents), transcriptions, and metadata such as timestamps.
- Data subjects: your end customers and other individuals who message your WhatsApp.
- Duration: for the term of your subscription and until data is deleted as described below.
3. Our obligations
- Process Customer Personal Data only on your instructions and to provide the Service.
- Ensure persons authorised to process the data are bound by confidentiality.
- Implement appropriate technical and organisational security measures (see below).
- Assist you, taking into account the nature of processing, with data subject requests and with your security, breach-notification, and impact-assessment obligations.
- Notify you without undue delay after becoming aware of a personal data breach affecting Customer Personal Data.
- On termination, delete or return Customer Personal Data as described in section 7.
- Make available information reasonably necessary to demonstrate compliance with this DPA.
4. Security measures
We maintain measures appropriate to the risk, including access controls and role separation, encryption of data in transit, access-restricted database rules, tenant isolation so one customer cannot access another’s data, and (where enabled) encryption of stored WhatsApp access tokens. We review and improve these measures over time.
5. Sub-processors
You authorise us to engage the sub-processors listed below to process Customer Personal Data to provide the Service. We impose data-protection obligations on each sub-processor and remain responsible for their performance. We will give notice of intended changes to this list so you can object on reasonable grounds.
| Sub-processor | Purpose | Location |
|---|---|---|
| Meta Platforms, Inc. (WhatsApp Business Platform) | Message delivery over WhatsApp | United States / global |
| Twilio Inc. | Fallback message delivery | United States |
| Google LLC (Firebase & Google Cloud) | Authentication, database, file storage, AI (message understanding, transcription, and text-to-speech) | United States / global |
| Vercel Inc. | Application hosting and content delivery | United States / global |
| PayPal Holdings, Inc. | Subscription payment processing | United States / global |
| Zoho Corporation (ZeptoMail) | Transactional and notification email delivery | Regional data centres |
6. International transfers
Sub-processors may process data outside your country. Where required by law, transfers are made under appropriate safeguards such as standard contractual clauses or equivalent mechanisms.
7. Return and deletion
You can delete Customer Personal Data at any time through the Service. On termination of your account, or on your written request, we will delete or return Customer Personal Data within a reasonable period, except where retention is required by law. See our Data Deletion & Requests page.
8. Data subject rights
As Processor, we will assist you in responding to requests from your end customers to access, correct, or delete their data. If an end customer contacts us directly, we will refer them to you as the Controller, and assist you as needed.
9. Liability and precedence
Liability under this DPA is subject to the limitations in our Terms of Service. If there is a conflict between this DPA and the Terms regarding the processing of Customer Personal Data, this DPA prevails.
10. Contact
For DPA or data-protection matters, contact chatmunshi@senithu.lk.
Questions about this document? Contact chatmunshi@senithu.lk. This document relates to the ChatMunshi service operated by Senithu Software Solutions, No. 295/A/1, Nedagamuwa, Kotugoda, Sri Lanka.