Data Processing Addendum

1. Scope and roles

This DPA governs our processing of “Customer Personal Data” — personal data contained in messages and contact details of your end customers that we process to provide the Service. You are the Controller and remain responsible for the lawfulness of the data and for having any necessary consents. We act as your Processor and process Customer Personal Data only on your documented instructions, which include your use and configuration of the Service.

2. Nature and purpose of processing

  • Purpose: to receive, understand (including transcribing voice notes), and respond to messages from your end customers, and to store conversation history and related records for you.
  • Categories of data: WhatsApp phone numbers and profile names, message content (text, voice, images, documents), transcriptions, and metadata such as timestamps.
  • Data subjects: your end customers and other individuals who message your WhatsApp.
  • Duration: for the term of your subscription and until data is deleted as described below.

3. Our obligations

  • Process Customer Personal Data only on your instructions and to provide the Service.
  • Ensure persons authorised to process the data are bound by confidentiality.
  • Implement appropriate technical and organisational security measures (see below).
  • Assist you, taking into account the nature of processing, with data subject requests and with your security, breach-notification, and impact-assessment obligations.
  • Notify you without undue delay after becoming aware of a personal data breach affecting Customer Personal Data.
  • On termination, delete or return Customer Personal Data as described in section 7.
  • Make available information reasonably necessary to demonstrate compliance with this DPA.

4. Security measures

We maintain measures appropriate to the risk, including access controls and role separation, encryption of data in transit, access-restricted database rules, tenant isolation so one customer cannot access another’s data, and (where enabled) encryption of stored WhatsApp access tokens. We review and improve these measures over time.

5. Sub-processors

You authorise us to engage the sub-processors listed below to process Customer Personal Data to provide the Service. We impose data-protection obligations on each sub-processor and remain responsible for their performance. We will give notice of intended changes to this list so you can object on reasonable grounds.

Sub-processorPurposeLocation
Meta Platforms, Inc. (WhatsApp Business Platform)Message delivery over WhatsAppUnited States / global
Twilio Inc.Fallback message deliveryUnited States
Google LLC (Firebase & Google Cloud)Authentication, database, file storage, AI (message understanding, transcription, and text-to-speech)United States / global
Vercel Inc.Application hosting and content deliveryUnited States / global
PayPal Holdings, Inc.Subscription payment processingUnited States / global
Zoho Corporation (ZeptoMail)Transactional and notification email deliveryRegional data centres

6. International transfers

Sub-processors may process data outside your country. Where required by law, transfers are made under appropriate safeguards such as standard contractual clauses or equivalent mechanisms.

7. Return and deletion

You can delete Customer Personal Data at any time through the Service. On termination of your account, or on your written request, we will delete or return Customer Personal Data within a reasonable period, except where retention is required by law. See our Data Deletion & Requests page.

8. Data subject rights

As Processor, we will assist you in responding to requests from your end customers to access, correct, or delete their data. If an end customer contacts us directly, we will refer them to you as the Controller, and assist you as needed.

9. Liability and precedence

Liability under this DPA is subject to the limitations in our Terms of Service. If there is a conflict between this DPA and the Terms regarding the processing of Customer Personal Data, this DPA prevails.

10. Contact

For DPA or data-protection matters, contact chatmunshi@senithu.lk.