Data Processing Agreement (DPA)

Last Updated

This Data Processing Agreement ("DPA") is an addendum to and forms part of the WhatSetter Terms of Service (or other applicable agreement, hereinafter the "Agreement") between Customer (as defined in the Agreement) and WHATSETTER LTD, a company registered in the United Kingdom (the "Company").

Company data is hosted on secure servers located in the European Union (EU) to ensure full compliance with the General Data Protection Regulation (GDPR) and applicable data protection laws.

By using WhatSetter's services or agreeing to the Agreement, Customer enters into this DPA on behalf of itself and, if required under applicable Data Protection Laws, on behalf of its Affiliates. This DPA reflects the parties' agreement regarding the processing of Personal Data by the Company on behalf of the Customer in the course of providing the Services.

If you have any questions, contact us at:

1. Definitions

Refer to the main Agreement and applicable Data Protection Laws (including GDPR, UK GDPR, CCPA, etc.).

2. Roles of the Parties

  • Customer: Data Controller (or Processor on behalf of a Controller)
  • Company: Data Processor (or sub-Processor)

3. Purpose and Scope of Processing

  • Provide, maintain, and support WhatSetter's AI platform and services
  • Automate WhatsApp-based communication workflows
  • Execute Customer instructions as per the Agreement

4. Data Hosting & Transfers

  • All primary data is hosted in the EU
  • Any transfer outside the EEA, UK, or Switzerland will comply with SCCs or equivalent legal safeguards

5. Sub-Processors

  • Customer authorizes the use of sub-processors for service performance
  • Sub-Processors will be listed and updated with prior notification (min. 10 days)

6. Security Measures

  • Encryption at rest and in transit (TLS, AES-256)
  • Access controls, firewalls, regular audits, backups
  • Incident response policy and notification within 72h in case of data breach

7. Data Subject Rights

  • Assistance in responding to Data Subject requests (access, deletion, portability)
  • Prompt notice of any request received directly

8. Return or Deletion of Data

  • Upon termination or written request, all Customer Data will be deleted or returned
  • Backups retained securely and purged per policy

9. Audit Rights

  • Customer may request security audits or certifications
  • On-site audits possible once per year with 30-day notice

10. CCPA Compliance

  • Company acts as a Service Provider under CCPA
  • No sale or sharing of Customer Personal Data

11. Liability

Governed by the Agreement's limitation of liability provisions

12. Governing Law

This DPA is governed by the same jurisdiction as the main Agreement (UK Law, unless otherwise stated)

13. Contact

WHATSETTER LTD

Registered in the UK