GDPR — Legal Document

Data Processing Agreement

Last updated: March 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between [Your Company Name] ("Processor") and you ("Controller"). It applies where you are using WapBizSuite to process personal data of individuals in the European Union, European Economic Area, or United Kingdom, and is intended to comply with Article 28 of the GDPR and equivalent UK GDPR provisions.

This DPA applies only if you are subject to GDPR (EU/EEA/UK). If you are unsure whether GDPR applies to you, consult your legal counsel.

1. Definitions

The following terms, as used in this DPA, have the meanings ascribed to them in Article 4 of the GDPR (Regulation (EU) 2016/679) and the UK GDPR:

Controller: the natural or legal person who determines the purposes and means of the processing of personal data; in this context, you (the WapBizSuite customer).
Processor: the natural or legal person that processes personal data on behalf of the Controller; in this context, [Your Company Name] operating WapBizSuite.
Data Subject: an identified or identifiable natural person whose personal data is processed; in this context, your customers and contacts.
Personal Data: any information relating to an identified or identifiable natural person, including name, phone number, email address, message content, and IP address.
Processing: any operation performed on personal data, including collection, storage, transmission, use, modification, and deletion.
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation) and, where applicable, the UK GDPR as retained in UK law.

2. Scope and Roles

This DPA applies to the processing of personal data that arises from your use of WapBizSuite, specifically:

  • Personal data of your customers and contacts (phone numbers, names, email addresses, message content) stored in WapBizSuite
  • Personal data received from your connected e-commerce platform (Shopify, WooCommerce) via the store integration
  • Message content and conversation history generated through the platform

You — Data Controller

You determine why and how your customers' personal data is processed. You decide which contacts to import, what messages to send, and which integrations to enable.

[Your Company Name] — Data Processor

We process personal data only on your documented instructions to provide the WapBizSuite service. We do not process your customers' data for our own purposes.

3. Our Obligations as Processor (Article 28 GDPR)

[Your Company Name], acting as Processor, shall:

  • Process personal data only on documented instructions from you (the Controller), including with regard to transfers of personal data to a third country, unless required to do so by applicable law; in such cases we will inform you of that legal requirement before processing, unless prohibited from doing so
  • Ensure that persons authorised to process personal data on our behalf are subject to an appropriate obligation of confidentiality, whether contractual or statutory
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR (see Section 7 of this DPA)
  • Not engage any sub-processor without your prior written authorisation, and ensure any sub-processor is bound by data protection obligations no less protective than those set out in this DPA (see Section 5 for the current list of sub-processors; by accepting these Terms, you provide general written authorisation for the listed sub-processors)
  • Assist you, insofar as reasonably possible, in fulfilling your obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR (see Section 6)
  • Assist you in ensuring compliance with your obligations under Articles 32–36 GDPR (security, breach notification, data protection impact assessments, and prior consultation)
  • At your choice, delete or return all personal data to you after the end of the provision of processing services, and delete existing copies unless applicable law requires retention
  • Make available to you all information reasonably necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR, and allow for and contribute to audits and inspections conducted by you or an auditor mandated by you, subject to reasonable advance notice and confidentiality obligations

4. Your Obligations as Controller

As the Data Controller, you are responsible for:

  • Ensuring you have a valid lawful basis for every processing activity under Article 6 GDPR (e.g., consent, contract, legitimate interest) before uploading personal data to WapBizSuite or using the platform to process it
  • Obtaining valid, specific, and documented consent from your customers before sending them marketing or promotional WhatsApp messages, where consent is the chosen lawful basis
  • Providing data subjects with clear, transparent information about how their data will be processed (including via WhatsApp), as required by Articles 13 and 14 GDPR
  • Responding to data subject rights requests within the GDPR timescales (within one month of receipt, extendable by up to two further months where requests are complex or numerous, per Article 12(3)), with our assistance as described in Section 6
  • Promptly notifying us if you become aware of any instructions you have given us that may infringe applicable data protection law
  • Maintaining records of processing activities as required by Article 30 GDPR
  • Ensuring that contact data imported into WapBizSuite was lawfully collected and that you have the right to process it for the purposes for which it is being used

5. Sub-processors

By accepting the Terms of Service (which incorporate this DPA), you provide general written authorisation for [Your Company Name] to engage the following sub-processors. We will notify you before adding or replacing any sub-processor, giving you reasonable opportunity to object.

Sub-processor (location): processing purpose

  • Meta Platforms Ireland Ltd (Ireland / USA): WhatsApp message delivery infrastructure. All outbound and inbound WhatsApp messages are routed through Meta's Cloud API.
  • Cloud Hosting Provider ([Region TBC]): server, database, and file storage infrastructure on which WapBizSuite operates and customer data is stored.
  • SMTP Provider, user-configured (location varies): email notification delivery. The SMTP server you configure in your account settings is used to send system and alert emails; you choose and control this provider.

Meta Platforms Ireland Ltd processes WhatsApp message data under their own Data Processing Terms, which form part of the WhatsApp Business Terms of Service you agree to when registering a WhatsApp Business Account.

6. Data Subject Rights

As Processor, we will assist you in fulfilling data subject rights requests. You remain responsible for communicating with data subjects and for making final decisions on all rights requests.

Upon receipt of a verified data subject rights request from you:

  • We will provide the requested technical assistance within 5 business days
  • Access requests: you can export a contact's full data (profile, message history, consent records) using the data export feature in the platform
  • Rectification: contact data can be edited directly via the Contacts module
  • Erasure: individual contacts and their associated data can be permanently deleted via the platform. Account-wide deletion is available upon account termination.
  • Restriction and objection: we will assist with temporary processing restrictions where technically feasible upon documented request
  • Portability: contact data is exportable in CSV format; message history is exportable in JSON format

Most data subject rights requests can be fulfilled directly by you using the built-in tools in WapBizSuite without needing to contact us. If a request requires actions beyond what the platform supports, please contact [contact@yourdomain.com].

7. Security Measures (Article 32 GDPR)

We have implemented the following technical and organisational security measures, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risks to data subjects:

Encryption at Rest

All sensitive credentials (API tokens, access keys, integration secrets) are encrypted using AES-256-CBC before storage in the database. Passwords are stored as one-way cryptographic hashes.

Encryption in Transit

All data transmitted between your browser and our servers, and between our servers and external APIs, uses TLS 1.2 or higher. Unencrypted HTTP connections are automatically redirected to HTTPS.

Access Controls

Role-based access controls with 5 defined permission levels restrict access to data and configuration based on the principle of least privilege. Administrative functions are limited to designated admin roles.

Brute-force and Account Protection

Repeated failed login attempts trigger temporary account lockout. Two-factor authentication is available for all accounts. Session tokens have limited lifespans.

Audit Logging

Significant actions (logins, credential changes, data exports, user management changes) are logged with timestamp and actor identity to support security monitoring and incident investigation.

Regular Security Reviews

We conduct periodic reviews of our security practices, access controls, and infrastructure configuration to identify and address vulnerabilities proactively.

8. Personal Data Breach (Articles 33 & 34 GDPR)

In the event of a personal data breach affecting your data, [Your Company Name] will:

  • Notify you without undue delay, and in any event no later than 72 hours after becoming aware of the breach, by email to your account's registered address
  • Provide details of the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it
  • Cooperate with your investigation and provide all reasonably available information to assist you in fulfilling your own notification obligations under Article 33 (to your supervisory authority) and Article 34 (to affected data subjects)

You, as the Controller, are responsible for assessing whether the breach requires notification to your supervisory authority (within 72 hours of becoming aware) and whether affected data subjects must be notified directly. We will assist you in making these assessments.

9. International Transfers

Where personal data is transferred outside the European Economic Area or the United Kingdom to a country or territory that does not benefit from an adequacy decision, [Your Company Name] relies on the following appropriate safeguards:

  • Standard Contractual Clauses (SCCs): transfers to sub-processors in countries without an adequacy decision are governed by the Standard Contractual Clauses adopted by the European Commission (Implementing Decision (EU) 2021/914) or, for UK transfers, the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs
  • Meta Platforms: WhatsApp message data transferred to Meta in the United States is covered by Meta's Data Processing Terms, which rely on SCCs and/or the EU-US Data Privacy Framework as applicable

A copy of the applicable transfer mechanism can be provided on request by contacting [contact@yourdomain.com].

10. Term and Termination

This DPA shall remain in force for the duration of the Terms of Service between you and [Your Company Name] and for as long as we process personal data on your behalf.

Upon termination of the Terms of Service for any reason:

  • You may request an export of your data within 30 days of the termination date
  • We will securely delete all personal data processed on your behalf within 90 days of the termination date, unless applicable law requires us to retain it for a longer period (in which case we will inform you)
  • Upon your request, we will confirm in writing that deletion has been completed

11. Governing Law

This DPA is governed by GDPR (Regulation (EU) 2016/679) and applicable EU data protection law. Where a customer is established in the United Kingdom, the UK GDPR and the Data Protection Act 2018 apply instead, and references to the GDPR shall be read as references to the UK GDPR accordingly.

In the event of any conflict between this DPA and the Terms of Service, the terms of this DPA shall prevail with respect to data protection matters.

12. Contact for Data Protection Queries

For all queries, requests, and notices relating to this DPA or our data processing practices, please contact:

[Your Company Name] — Data Protection Contact

[Your Address]

Email: [contact@yourdomain.com]

Subject line: "DPA / Data Protection Request"

We aim to acknowledge all data protection queries within 2 business days and to provide a substantive response within 5 business days.