Data Processing Addendum

Last updated: 9 May 2026. The contract that governs how we handle the personal data you put into WhatAReply.

Need a signed copy?

If your legal team needs a counter‑signed copy of this DPA on WhatAReply letterhead, email legal@whatareply.com. We'll send a DocuSign within one business day at no charge.

1. Roles

You (the "Customer") are the Controller of the personal data you upload, send and receive through WhatAReply. We (WhatAReply Inc.) are the Processor, acting only on your documented instructions.

2. Subject matter & duration

We process personal data on your behalf for the limited purpose of providing the WhatAReply service, for as long as your subscription is active.

3. Categories of data & data subjects

Data subjects: your end customers and prospects who message your WhatsApp Business number, plus your team members who use the workspace.

Categories: contact identifiers (name, phone, email, address); message content (text, media, voice); metadata (timestamps, delivery status); and authentication data (login IP, session).

4. Our obligations

5. Sub-processors

You authorise us to engage the sub-processors listed in our Privacy Policy (currently DigitalOcean, Meta, OpenAI/Anthropic/Google, Stripe, Mailtrap/SES). We'll give you 30 days' notice before adding a new one and you can object in writing.

6. International transfers

Where personal data is transferred outside the EEA, UK or Switzerland, we rely on the European Commission's Standard Contractual Clauses (SCCs) and (where required) the UK Addendum. By accepting this DPA you consent to those clauses being incorporated by reference.

7. Data residency

Default storage: United States. Business plan customers can request EU (Frankfurt) or India (Bangalore) residency by emailing legal@whatareply.com — at no extra charge.

8. Liability

The liability cap and exclusions in our Terms of Service apply to this DPA, except where required otherwise by data‑protection law (GDPR, UK GDPR or equivalent).

9. Conflict

If anything in this DPA conflicts with the Terms of Service or a separate signed agreement, this DPA controls — but only for matters of personal‑data processing.

10. Acceptance

This DPA is automatically accepted when you start using WhatAReply with EU, UK, Swiss or California-resident end users. If you need a counter‑signed PDF, just ask.