Data Processing Agreement (DPA)

Last updated: [20 June 2025]

This Data Processing Agreement (“DPA”) is an addendum to and forms part of the Wazzap AI Terms of Service (or other applicable agreement, hereinafter the “Agreement”) between Customer (as defined in the Agreement) and WAZZAP AI LLC (the “Company”), a company with its principal business address at 1209 Mountain Road Pl NE Ste H, Albuquerque, NM 87110.

By using the Wazzap AI services or by agreeing to the Agreement, Customer enters into this DPA on behalf of itself and, if required under applicable Data Protection Laws, in the name and on behalf of its Affiliates. This DPA reflects the parties’ agreement with regard to the processing of Personal Data by Company on behalf of Customer in the course of providing the Services.

Interpretation: If not defined in this DPA, all capitalized terms have the meanings set forth in the Agreement. In case of any conflict between this DPA and the Agreement, the provisions of this DPA shall prevail to the extent of the conflict. The term “including” means “including without limitation.”

1. Definitions

For the purposes of this DPA, the following terms and definitions apply:

1.1 “Affiliate” means any entity that directly or indirectly Controls, is Controlled by, or is under common Control with a party, where “Control” means ownership of at least fifty percent (50%) of the equity or voting interests of the entity.

1.2 “Customer Personal Data” means any Personal Data that the Customer (or Customer’s end users) provides or submits to the Services, or that is collected by Company on Customer’s behalf, for processing under the Agreement. Customer Personal Data may include, for example, WhatsApp messages, chat transcripts, audio recordings, contact information of leads or customers (such as names and phone numbers), and other data relating to individuals with whom Customer interacts via the Services.

1.3 “Authorized Sub-Processor” means any third party (including any Company Affiliate) engaged by the Company to process Customer Personal Data in order to assist Company in fulfilling its obligations under the Agreement or this DPA. Authorized Sub-Processors current as of the effective date of this DPA are listed in Exhibit B or on a Company website as described in Section 4.2.

1.4 “Company Account Data” means Personal Data that relates to the Customer’s relationship with Company, which may include names and contact information of Customer’s personnel or representatives who are authorized to use or administer the Services, billing information, and other information necessary for account management and business operations. Company Account Data also includes any data Company must process for identity verification, fraud prevention, or compliance with legal obligations in managing its relationship with Customer.

1.5 “Company Usage Data” means data relating to Customer’s use of the Services collected by Company for the purpose of maintaining, monitoring, and improving the Services. Company Usage Data may include log files and metadata such as timestamps and message counts, usage metrics, performance data, and other technical information (e.g., IP addresses or device information) that does not necessarily identify individuals on its own. Company Usage Data is used to optimize and maintain service performance and security, and to prevent abuse of the Services.

1.6 “Data Protection Laws” means all laws and regulations applicable to the processing of Personal Data under the Agreement, including, where applicable: the EU General Data Protection Regulation 2016/679 (“EU GDPR”); the EU GDPR as incorporated into United Kingdom law (“UK GDPR”); the Swiss Federal Act on Data Protection; the California Consumer Privacy Act (“CCPA”) and its amendments (including the California Privacy Rights Act); and any other applicable data protection or privacy laws. The terms “Personal Data,” “Data Subject,” “processing,” “Controller,” “Processor,” “Personal Data Breach,” and other related terms shall have the meanings given to them in the GDPR, and the term “Service Provider” shall have the meaning given in the CCPA.

1.7 “Standard Contractual Clauses” or “SCCs” means collectively: (i) the standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, approved by European Commission Decision 2021/914 of 4 June 2021 (the “EU SCCs”); and (ii) the UK International Data Transfer Addendum issued by the UK Information Commissioner’s Office (the “UK Addendum”), which, together with the EU SCCs, forms the “UK SCCs.” References to the SCCs are to the modules and clauses appropriate for the relationship between the parties as set forth in Section 6 of this DPA.

1.8 “Services” means the Software-as-a-Service platform and related services provided by Company to Customer under the Agreement. In particular, Wazzap AI provides a SaaS platform enabling automated WhatsApp interactions for lead qualification, appointment scheduling, and customer support management (the “Wazzap AI Platform”).

Note: Additional definitions are provided throughout this DPA as needed.

2. Relationship of the Parties; Scope of Processing

2.1 Roles of Parties

As between the parties, with regard to the processing of Customer Personal Data, the parties acknowledge that Customer acts as a Data Controller (or as a Processor on behalf of another controller) and Company acts as a Data Processor on behalf of Customer. This means that Customer determines the purposes and means of the processing of Customer Personal Data, and Company processes such data only on Customer’s documented instructions, as described in this DPA and the Agreement. If Customer is a Processor on behalf of a third-party Controller, then Company is a sub-Processor to Customer, and Customer warrants that it is authorized by the relevant Controller(s) to appoint Company as sub-Processor and to enter into this DPA.

2.2 Customer’s Obligations

Customer shall, in its use of the Services, ensure that its instructions for processing Personal Data (including the instructions set out in this DPA and the Agreement) comply with all Data Protection Laws. Customer is responsible for obtaining any necessary consents or legal bases for the processing of Personal Data, for the accuracy and quality of the Personal Data provided to Company, and for ensuring that Customer’s use of the Services (including Company’s processing) will not cause Company to violate any applicable law. Customer shall not provide or make available to Company any Personal Data that is not necessary for use of the Services or that Customer is not legally permitted to share. Customer will indemnify Company for any claims or losses arising from processing of Personal Data in accordance with Customer’s instructions that infringe applicable laws or the rights of a third party.

2.3 Processor Obligations

Company shall process Customer Personal Data only for the following purposes:

  • (i) to provide, maintain, and support the Services in accordance with the Agreement (including to automate WhatsApp conversations, qualify leads, schedule meetings, and manage Customer’s interactions as instructed);
  • (ii) to fulfill Customer’s instructions and requests in connection with the Services; and
  • (iii) to comply with Company’s legal obligations.

Company will not process Customer Personal Data for any purpose other than those set forth in the Agreement, this DPA, or as otherwise instructed by Customer in documented form. In particular, Company will not “sell” or “share” Customer Personal Data as defined under CCPA, nor will Company use Customer Personal Data for its own purposes (such as marketing or profiling) or for the training of artificial intelligence models except as strictly necessary and permitted to provide and improve the Services and only with Customer’s authorization. Company acknowledges and agrees that it is prohibited from further using or disclosing Customer Personal Data for any purpose other than providing the Services in accordance with the Agreement and this DPA.

2.4 Documented Instructions

By entering into this DPA, Customer instructs Company to process Customer Personal Data only in accordance with the Agreement, this DPA, and any applicable Order or written instructions provided by Customer. If Company believes any Customer instruction infringes Data Protection Laws, it shall promptly inform Customer (unless prohibited by law). Customer’s initial instructions to Company for the processing of Personal Data are set forth in this DPA, including Exhibit A. Thereafter, Customer may provide additional instructions in writing to Company, and the parties shall work together in good faith to confirm and implement such instructions as appropriate.

2.5 Details of Processing

The subject-matter and duration of the processing, the nature and purpose of the processing, the types of Personal Data, and categories of Data Subjects involved in the processing under this DPA are further described in Exhibit A (Details of Processing). The parties agree that Exhibit A accurately reflects the scope of processing of Customer Personal Data by Company under the Agreement.

2.6 Deletion or Return of Data

Upon termination or expiration of the Agreement, or upon Customer’s written request, Company shall cease processing Customer Personal Data and, at Customer’s choice, either delete or return to Customer all Customer Personal Data in Company’s possession or control (including any copies), within a reasonable timeframe unless applicable law requires storage of the Personal Data. If return or deletion of certain data is technically or legally infeasible (for example, if backups are archived to a secure storage required for legal compliance), Company shall (i) inform Customer of the reasons and (ii) ensure the confidentiality of such data and cease any active processing, and will promptly delete such data when possible. Upon Customer’s request, Company will provide a certification of deletion of Personal Data (for example, the certification required by Clause 8.5 of the EU SCCs).

2.7 Compliance with Law

Each party will comply with all Data Protection Laws applicable to it in its role under this DPA. Customer shall have sole responsibility for the lawfulness of the processing and for the accuracy and legality of the Customer Personal Data provided to Company. Company will inform Customer if it is of the opinion that an instruction from Customer violates applicable law (without obligation to perform legal review of Customer’s activities).

2.8 CCPA Service Provider Terms

Insofar as the CCPA (California Consumer Privacy Act) applies to any Customer Personal Data, the parties acknowledge and agree that Company is a Service Provider to Customer, and Customer is a Business (or a Service Provider to a third-party Business) with respect to such data. Company certifies it shall not sell Customer Personal Data or share it for cross-context behavioral advertising, and shall not retain, use, or disclose Customer Personal Data for any purpose other than for the specific purpose of performing the Services or as otherwise permitted by the CCPA. Company shall not combine Customer Personal Data with personal information it receives from other sources, except as allowed under the CCPA. Company understands and will comply with the restrictions and obligations imposed on Service Providers under the CCPA.

3. Confidentiality

3.1 Confidentiality Obligations

Company shall ensure that any person it authorizes to process Customer Personal Data (including Company’s employees, agents, and subcontractors) is subject to a duty of confidentiality (whether by contract or by statutory obligation) with respect to such data. Company will limit access to Customer Personal Data strictly to those individuals who need access to perform the Services and who are bound by such confidentiality obligations.

3.2 Restricted Disclosures

Company will not disclose Customer Personal Data to any third party except to the extent that doing so is necessary for providing the Services (and permitted under Section 4 of this DPA regarding Sub-Processors), or as required by law or regulation. In the event a law or legal order requires Company to disclose Customer Personal Data, Company will (to the extent not prohibited from doing so) inform Customer before making such disclosure and comply with Section 8.5 of this DPA.

3.3 Permitted Disclosures

Notwithstanding the foregoing, Customer agrees that Company may disclose Customer Personal Data on a limited basis to Company’s legal, financial, or professional advisors (e.g., attorneys, auditors) only to the extent such disclosure is necessary for Company to obtain advice or protections related to the Services or to enforce its rights, provided that such advisors are under professional obligations or written duties of confidentiality.

4. Authorized Sub-Processors

4.1 Use of Sub-Processors

Customer authorizes Company to engage Authorized Sub-Processors to Process Customer Personal Data in connection with the performance of the Services, provided that:

  • (a) Company will enter into a written agreement with each Authorized Sub-Processor imposing data protection obligations comparable to those imposed on Company under this DPA; and
  • (b) Company remains liable for the acts and omissions of its Sub-Processors to the same extent Company would be liable if performing the Services directly.

By this DPA, Customer provides general written authorization to Company to engage sub-processors as needed for the provision of the Services.

4.2 Current Sub-Processor List

Company maintains a current list of its Authorized Sub-Processors (the “Sub-Processor List”), which may include Company’s Affiliates and third-party service providers, and will make this list available to Customer (e.g., via Company’s website or Exhibit B to this DPA). As of the DPA’s effective date, Customer acknowledges that Company utilizes certain third-party tools and providers as sub-processors to deliver the Services – for example: cloud hosting/infrastructure providers, providers of WhatsApp communication or telephony APIs, AI or transcription service providers for processing audio conversations, and scheduling/calendar integration services. The Sub-Processor List will include the identities of Sub-Processors and their functions.

4.3 Notification of New Sub-Processors

Company will provide a mechanism for Customer to receive notice of any intended additions or changes to the Sub-Processor List. Company may fulfill this obligation by either (i) sending an email notification to Customer’s registered contact, or (ii) posting the updated Sub-Processor List on a website and providing a method for Customer to subscribe to updates. Company will notify Customer at least ten (10) days in advance before authorizing any new Sub-Processor to process Customer Personal Data (save for urgent replacements required for continuity of service, in which case notice will be given as soon as practicable).

4.4 Customer’s Right to Object

If Customer has a reasonable, good-faith basis to believe that a new Sub-Processor’s processing of Customer Personal Data would cause Customer to violate applicable Data Protection Laws or would materially harm Customer’s legitimate interests, Customer may object to Company’s use of that Sub-Processor by notifying Company in writing within ten (10) days after receipt of Company’s notice about the new Sub-Processor. Customer’s objection shall include the grounds for the objection. The parties will then discuss in good faith to address Customer’s concerns, which may include Company:

  • (a) providing additional assurances or information about the Sub-Processor’s safeguards;
  • (b) offering an alternative Sub-Processor; or
  • (c) allowing Customer to opt out of the particular aspect of Service involving the Sub-Processor (if feasible).

If the parties cannot resolve the objection to mutual satisfaction and Company chooses to retain the Sub-Processor, Customer may as a sole remedy terminate the affected Service by providing written notice to Company within a further reasonable time (no more than 30 days) and receive a pro-rata refund of any prepaid fees for the period after termination, provided that the objection was based on reasonable data protection grounds.

4.5 No Waiver

If Customer does not object to a new Sub-Processor within the ten-day period, Customer is deemed to have accepted the Sub-Processor. Company may continue to use existing Sub-Processors already engaged as of the effective date of this DPA, which Customer hereby accepts.

4.6 Liability and Compliance

Company will ensure that all Authorized Sub-Processors perform their data processing obligations in compliance with Company’s obligations under this DPA and Data Protection Laws. Company shall be responsible for any acts, errors or omissions of its Sub-Processors that cause Company to breach any of its obligations under this DPA, as if the act, error or omission were Company’s own.

4.7 Copies of Sub-Processor Agreements

To the extent required by applicable law (for example, Clause 9(c) of the EU SCCs), Company will, upon Customer’s request, provide the Customer with copies of its data processing agreements with Authorized Sub-Processors. Customer agrees that such copies may be redacted by Company to remove any sensitive commercial information or information not relevant to compliance with the SCCs.

4.8 Standard Contractual Clauses

Where the SCCs apply, the Customer’s acceptance of this DPA will be deemed to constitute Customer’s prior written consent to the engagement of Company’s Sub-Processors, and to Company’s onward sub-processing of Personal Data to those Sub-Processors, as required by Clause 9 of the EU SCCs (general written authorization). The Sub-Processor List (including updates notified to Customer pursuant to this Section 4) shall satisfy the requirements of Annex III of the EU SCCs for the onward sub-processor list.

5. Security of Personal Data

5.1 Security Measures

Company shall implement and maintain appropriate technical and organizational measures to protect Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, as required by Article 32 of the GDPR and other applicable laws. In assessing the appropriate level of security, Company will take into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risk to Data Subjects. At a minimum, Company’s information security program will include the measures set forth in Exhibit C (Technical and Organizational Security Measures), which include, among other things: encryption of Personal Data in transit (e.g., via TLS/SSL) and at rest, use of firewalls and network security controls, access controls and authentication mechanisms (including multi-factor authentication for administrative access), regular data backups, and internal policies for incident response. These measures are aimed at ensuring the ongoing confidentiality, integrity, availability, and resilience of Company’s processing systems and services.

5.2 Confidentiality of Processing

Company ensures that any person acting under its authority who has access to Customer Personal Data is subject to appropriate confidentiality obligations (see Section 3.1) and is trained in the proper handling of Personal Data. Where applicable, Company’s sub-processor contracts will include similar obligations to protect Personal Data.

5.3 Personal Data Breach Notification

In the event that Company becomes aware of a Personal Data Breach (as defined in the GDPR) that affects Customer Personal Data, Company will notify Customer without undue delay and in any event within 72 hours of confirming the breach. Such notice may be delivered to Customer’s designated contact by email or other direct communication and shall include, to the extent known at the time, all available information reasonably required to help Customer meet any obligations to notify regulatory authorities or affected Data Subjects, including: a description of the nature of the breach, the categories and approximate volume of data concerned, the identified and potential consequences, and the measures taken or proposed by Company to address the breach. Company shall promptly take reasonable steps to contain, investigate, and mitigate any Personal Data Breach. At Customer’s request, Company will cooperate in good faith with Customer and assist in Customer’s efforts to notify any competent Supervisory Authority and/or affected Data Subjects, as required by law. The obligations in this Section 5.3 shall not apply to incidents that are caused by Customer or anyone acting on Customer’s behalf.

5.4 No Acknowledgment of Fault

Company’s notification of or response to a Personal Data Breach under this Section will not be construed as an acknowledgment by Company of any fault or liability with respect to the breach.

5.5 Additional Security

Customer is responsible for reviewing the information made available by Company relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations. Customer is also responsible for properly configuring and using the Services and taking its own steps to maintain appropriate security and access control in use of the Services (for example, protecting account credentials, using secure networks to access the Services, and properly managing integrations or configurations under Customer’s control).

6. International Data Transfers

6.1 Data Hosting and Transfer

Customer acknowledges that Company is based in the United States and that providing the Services may involve transfers of Customer Personal Data to the United States and other jurisdictions outside the European Economic Area (EEA), United Kingdom, or Switzerland. In particular, the primary processing operations for the Wazzap AI Services take place in the United States. Company shall ensure that any such cross-border data transfers are made in compliance with Data Protection Laws. Specifically, Company will not transfer (nor permit access to) Customer Personal Data from the EEA, UK, or Switzerland to any country or recipient not recognized as providing an adequate level of protection for Personal Data, unless it first takes all such measures as are necessary to ensure the transfer is in compliance with Data Protection Laws. Such measures may include (without limitation) transferring such data pursuant to the Standard Contractual Clauses as set forth in this Section 6, or transferring under an appropriate derogation or exemption under the GDPR.

6.2 Transfers from the EEA

For transfers of Personal Data from the EEA (or that are otherwise subject to the EU GDPR) to Company in a country which is not deemed adequate by the European Commission, the parties agree that such data shall be transferred under the EU SCCs, which are hereby incorporated into this DPA by reference and deemed executed by the parties. The EU SCCs shall be completed as follows:

  • Module Two (Controller-to-Processor) (or Module Three (Processor-to-Processor), as applicable) of the EU SCCs shall apply. Module Two applies where Customer is a Controller of Customer Personal Data and Company is a Processor; Module Three applies where Customer is a Processor of Customer Personal Data on behalf of a third-party Controller and Company is a sub-Processor. For the avoidance of doubt, Module One (Controller-to-Controller) may apply only to Company Account Data and Company Usage Data under Section 9 below, and not to Customer Personal Data processed on Customer’s behalf.
  • In Clause 7 (Docking Clause), the optional language will not apply.
  • In Clause 9 (Use of sub-processors), Option 2 (General Written Authorization) applies. The “time period” for prior notice of sub-processor changes (Clause 9(a)) shall be the notice period stated in Section 4.3 of this DPA (at least 10 days).
  • In Clause 11 (Redress), the optional language will not apply.
  • In Clause 17 (Governing law), Option 1 applies. The parties select the law of Ireland (provided Ireland is an EU member state that allows for third-party beneficiary rights) as governing the SCCs.
  • In Clause 18 (Choice of forum and jurisdiction), the parties choose the courts of Ireland as the forum for disputes arising from the SCCs.
  • Annex I.A (List of Parties), Annex I.B (Description of Transfer), and Annex II (Technical and Organizational Measures) of the EU SCCs are set forth in Exhibit B and Exhibit C to this DPA, respectively.
  • Annex I.C (Competent Supervisory Authority): The supervisory authority of the EU Member State in which the Customer (as Data Exporter) is established (or, if the Customer is not established in the EEA, the supervisory authority specified in GDPR Article 27 per Customer’s location of representative) shall act as the competent Supervisory Authority.

By entering into this DPA, the parties are deemed to have mutually signed the EU SCCs, including the Annexes.

6.3 Transfers from the UK

For transfers of Personal Data from the United Kingdom (UK), or that are otherwise subject to the UK GDPR, to Company in a country not deemed adequate by UK authorities, the EU SCCs (Module Two or Three, as appropriate, as specified in Section 6.2) shall also apply in accordance with Section 6.2, but as modified and interpreted by the UK Addendum issued under Section 119A of the UK Data Protection Act 2018 (“UK Addendum”). In particular, the parties acknowledge that: (a) Table 1 of the UK Addendum is deemed completed with the parties’ details and key contacts as set forth in Exhibit B; (b) Table 2 is deemed completed by referencing the EU SCCs as set out in Section 6.2 (the “Approved EU SCCs”); (c) Table 3 is deemed completed with the information from Exhibits B and C of this DPA (which contain the information required by Annexes I.A, I.B, and II of the EU SCCs); and (d) for Table 4, the parties select “Neither Party” (i.e., the Addendum will terminate when the Approved EU SCCs terminate). The UK Addendum, thus completed, is deemed executed by the parties as of the effective date of this DPA, and incorporated herein. By entering into this DPA, the parties are deemed to have reviewed and accepted the UK Addendum as issued by the ICO, which is hereby attached as Exhibit D for reference.

6.4 Transfers from Switzerland

For transfers of Personal Data from Switzerland (subject to the Swiss FADP), the parties agree that the EU SCCs (Module Two or Three, as appropriate) as incorporated by Section 6.2 above shall also apply with the following modifications: (a) references to “GDPR” shall be understood as references to the Swiss FADP with respect to data subject rights and overruled clauses; (b) references to “EU”, “Member State” and “Supervisory Authority” shall be interpreted to include Switzerland and the Swiss Federal Data Protection and Information Commissioner (to the extent the transfers are governed by the FADP); and (c) the governing law and forum for disputes for Swiss transfers shall be the law and courts of Switzerland.

6.5 Additional Transfer Measures

In addition to the SCCs, Company will implement supplementary measures as necessary to ensure that any Personal Data transferred under this Section 6 is afforded a level of protection essentially equivalent to that guaranteed by the GDPR. Such measures may include encryption of Personal Data in transit and at rest, access restrictions, and policies for handling government requests for data access in compliance with Clause 15 of the EU SCCs. Company will also make available information about its data transfer practices on request and will reasonably assist Customer in any required transfer impact assessments.

6.6 Disclosure of SCCs

If the Customer’s Data Protection Authority requests a copy of the SCCs or this DPA, the parties agree that Company may disclose those to the Authority to the extent required.

6.7 Hierarchy

In the event of conflict between any portion of this DPA and the SCCs (as applicable under this Section 6), the SCCs shall prevail in respect of the transfer of Personal Data.

7. Data Subject Rights

7.1 Data Subject Requests

Taking into account the nature of the Services and the processing, Company shall assist Customer, by appropriate technical and organizational measures and insofar as possible, in fulfilling Customer’s obligations to respond to requests from individuals to exercise their rights under Data Protection Laws (such as rights of access, rectification, erasure, restriction, objection, or data portability, as applicable). In the event that Company directly receives any request from an individual (a “Data Subject Request”) regarding Personal Data that is Customer Personal Data, Company will (i) promptly notify Customer of the request, and (ii) refrain from responding to the request directly (unless required by applicable law, in which case Company will inform Customer of that requirement prior to responding, unless legally prohibited from doing so).

7.2 Assistance and Timing

To the extent Customer does not have the ability to address a Data Subject Request on its own via the use of the Services, Company shall, upon Customer’s request, provide reasonable additional assistance to facilitate Customer’s response to the Data Subject Request. Company will provide such assistance in a timely manner, taking into account any response deadlines imposed by Data Protection Laws. Customer shall be responsible for any reasonable costs arising from Company’s provision of such assistance, to the extent permitted by law (for example, if the effort required is substantial and beyond the normal functionality of the Services).

8. Cooperation, Audits, and Compliance

8.1 Data Protection Impact Assessments

Upon Customer’s request, Company shall reasonably assist Customer (at Customer’s cost) with necessary data protection impact assessments (“DPIAs”) and prior consultations with Supervisory Authorities that Customer is required to carry out under GDPR Articles 35 and 36, in each case solely in relation to processing of Customer Personal Data by Company and taking into account the nature of the processing and information available to Company. Company will provide relevant information from its privacy and security practices, and any other reasonably required information, to the extent Customer does not otherwise have access to that information (e.g., via documentation or this DPA).

8.2 Cooperation with Authorities

Company shall cooperate with any reasonable requests or inquiries from a competent Data Protection Supervisory Authority in relation to the processing of Customer Personal Data under the Agreement. If any Supervisory Authority or law enforcement agency makes a demand of Company for Customer Personal Data (e.g. through a subpoena or court order), Company shall, unless prohibited by law, inform Customer of the demand and cooperate in addressing it (for example, by providing the data to Customer to produce, or by legally challenging over-broad demands).

8.3 Records of Processing

Company will maintain records of its processing activities as required by GDPR Article 30 and other Data Protection Laws, and will make such records available to competent authorities upon request. At Customer’s written request, Company will provide a summary of relevant records or certifications to demonstrate compliance with this DPA.

8.4 Audits

Company shall allow for and contribute to audits or inspections of its data processing facilities and procedures, in the following manner: Upon at least 30 days’ prior written request by Customer, Company will either (i) provide third-party audit certifications or reports (e.g., ISO 27001, SOC 2, or similar) that Company has attained to evidence its compliance with this DPA and adequate security measures; or (ii) if such reports are not available or not sufficient to address Customer’s obligations, permit Customer or its authorized representative (bound by appropriate confidentiality obligations) to conduct an on-site audit of Company’s procedures relevant to the protection of Customer Personal Data. Any on-site audit shall be conducted no more than once annually, during regular business hours, with reasonable advance notice to Company, and in a manner that does not interfere unreasonably with Company’s operations. Customer shall be responsible for all costs of any such audit. Before the commencement of any on-site audit, Customer and Company shall mutually agree upon the audit’s scope, timing, and duration, and Customer shall execute (or ensure its auditor executes) an appropriate confidentiality agreement. Company will promptly address any confirmed material findings of the audit by taking corrective actions within a reasonable timeframe.

8.5 Customer Instructions and Legal Requirements

Company will promptly notify Customer if Company becomes aware that Customer’s instructions regarding processing of Personal Data conflict with any legal requirement to which Company is subject (unless such notification is prohibited by the law in question). In such event, Company shall be entitled to cease following the conflicting instruction (without liability) while such conflict is unresolved, or to make reasonable modifications to the processing under the instruction as needed to comply with applicable law, after consulting with Customer.

8.6 Breach and Incident Response

(See Section 5.3 above for breach notification obligations.) Company maintains an incident response program in line with industry standards to address security incidents or Personal Data Breaches. Company will document the facts relating to any Personal Data Breach, its effects, and remedial actions taken, and will provide such documentation to Customer upon request.

8.7 Limitation

The parties agree that Company’s assistance obligations under Sections 7 and 8 (and elsewhere in this DPA) shall be provided to the extent Customer does not otherwise have access to the relevant information or capability through the Services or other means, and to the extent such assistance is required for Customer’s compliance with Data Protection Laws. Any additional services or assistance beyond the standard functionality of the Services may be subject to separate fees.

9. Company as Independent Controller (Account Data and Usage Data)

9.1 Independent Controller Role

Notwithstanding any contrary provisions in this DPA, the parties acknowledge that with respect to Company Account Data and Company Usage Data (as defined in Section 1 above), Company will act as an independent Controller for such data, determining the purposes and means of processing, separate from the Customer’s role. In other words, Company is not acting as a Processor when it processes Company Account Data and Company Usage Data, as these data categories are used by Company for legitimate business activities related to the provision of the Services and the operation of Company’s business.

9.2 Purposes of Company’s Processing

Company may process Company Account Data for purposes such as:

  • (i) account setup, billing and subscription management, and maintaining Customer’s account in the Services;
  • (ii) communicating with Customer about the Services (service announcements, support, billing notifications, etc.);
  • (iii) enforcing the Agreement and investigating or preventing fraud, abuse, or security incidents;
  • (iv) complying with legal obligations, such as record-keeping, auditing, tax, and compliance with law enforcement requests; and
  • (v) other legitimate business purposes related to the management and improvement of the Services, as described in Company’s Privacy Policy.

Company may process Company Usage Data to analyze and improve the Services’ functionality and performance, to develop new features, and to ensure the security and integrity of the Services. When processing as a Controller, Company shall ensure it has a valid legal basis for such processing and shall comply with applicable Data Protection Laws regarding notice to data subjects and, where required, obtaining any necessary consents.

9.3 Privacy Policy

Any Personal Data that Company processes as a Controller shall be processed in accordance with the Wazzap AI Privacy Policy (available at https://[your-company-url]/en/privacy) and not pursuant to this DPA. Company will maintain a publicly accessible privacy notice that fulfills the requirements of Data Protection Laws for its controller processing activities, and will respect data subject rights with regard to such processing.

9.4 No Impact on Processor Obligations

For clarity, this Section 9 does not affect Company’s obligations to Customer under the other provisions of this DPA with respect to Customer Personal Data processed as a Processor on Customer’s behalf. Company’s status as an independent Controller for certain limited data (Account Data and Usage Data) is separate from, and does not reduce, its duties as a Processor for Customer Personal Data.

10. General Provisions

10.1 Conflicts

In the event of any conflict or inconsistency between this DPA and any other agreements between the parties (including the Agreement and the Privacy Policy), the provisions of the following documents (highest priority first) shall prevail: (1) the Standard Contractual Clauses (if applicable); (2) this DPA; (3) the Agreement; and (4) the Privacy Policy. Notwithstanding the foregoing, the Agreement’s provisions regarding liability (including any exclusions or limitations of liability) shall apply to this DPA with the same force as if they were set forth herein (i.e., any liability arising under this DPA or the SCCs will be subject to the same limitations and exclusions as those in the Agreement).

10.2 Governing Law

Except to the extent that the Standard Contractual Clauses or other Data Protection Laws require otherwise, this DPA shall be governed by the same law as the Agreement.

10.3 Termination

This DPA shall remain in effect for as long as Company Processes Customer Personal Data, notwithstanding the termination or expiration of the Agreement. Termination or expiration of the Agreement shall automatically terminate this DPA. Sections 3, 5, 8, 9, 10, and any other provisions that by their nature should survive, shall survive termination of this DPA.

10.4 Amendments

This DPA may be modified only by a written amendment signed by both parties, except that if any provision of this DPA is deemed invalid or ineffective under Data Protection Laws, the parties shall negotiate in good faith a valid, legal and enforceable substitute provision that most nearly achieves the original intent.

10.5 Severability

If any provision of this DPA is found by a competent authority to be unenforceable or invalid, that provision shall be limited or eliminated to the minimum extent necessary so that this DPA otherwise remains in full force and effect and enforceable.

10.6 Entire Agreement

Except as supplemented by this DPA, the Agreement remains in full force and effect. This DPA and the Agreement (including all exhibits or attachments) constitute the entire agreement between the parties with respect to the subject matter herein and supersede all prior representations, understandings, or agreements, whether written or oral, regarding the same.

10.7 Signature

By executing or accepting the Agreement, or any document that incorporates this DPA, each party’s authorized representative is deemed to have signed this DPA as of the effective date of the Agreement, and no further signature is required.


EXHIBIT A – Details of Processing of Customer Personal Data

A. Subject Matter

The subject matter of the processing is the provision of the Wazzap AI Platform and related services to Customer, as described in the Agreement. This includes enabling automated WhatsApp or other messaging interactions for Customer’s business purposes (lead qualification, appointment scheduling, customer support, etc.), and related processing of Personal Data as necessary to provide those services.

B. Duration of Processing

Company will process Customer Personal Data for the duration of the Agreement, until deletion of all Customer Personal Data as described in Section 2.6 of the DPA. Some data may be retained for a limited period after termination, solely as necessary for legal, compliance, or backup purposes, after which it will be deleted or anonymized. By default, personal data is retained only as long as necessary to fulfill the purposes of processing and to comply with legal obligations, and Customer may request deletion of certain data at any time.

C. Nature and Purpose of Processing

Company will process Customer Personal Data as a data Processor, by automated and (in certain cases) manual means of collection, analysis, use, storage, and deletion. The processing operations include, but are not limited to:

  • Collecting and Receiving Data: Receiving messages, inquiries, or calls from Customer’s end-users via WhatsApp or integrated channels on behalf of Customer; importing or recording lead contact information; retrieving calendar availability from Customer’s integrated calendar (e.g., Google Calendar) for scheduling.
  • Storing and Organizing Data: Hosting conversation transcripts, chat logs, and related data in databases for Customer’s access and review; maintaining records of interactions and scheduled appointments.
  • Analyzing and Responding: Utilizing natural language processing and AI models to analyze incoming messages and generate automated responses per Customer-defined scripts and AI instructions; this may include transmitting text or audio content to third-party NLP or transcription engines to process and understand the content (e.g., sending voice notes to a speech-to-text service, under encryption and secure channels).
  • Communicating: Sending responses, notifications, or reminders to end-users as instructed by Customer (via WhatsApp messages or phone calls), which necessitates using end-user contact information (e.g., phone numbers) through communication service providers. For example, Company may use secure third-party WhatsApp API providers or telephony APIs to deliver messages and connect calls.
  • Lead Qualification & Scheduling: Processing Personal Data provided by end-users (such as their name, contact info, desired appointment time) to qualify leads and automatically schedule meetings on Customer’s behalf (including creating calendar events in Customer’s integrated calendar system).
  • Support and Improvement: Monitoring the performance of the AI conversations and, as authorized, using conversation transcripts and interaction history to improve response accuracy and Service quality over time. (Any such use for improvement of AI models is done solely to benefit the Customer and the Service, and data is not shared or used for training generalized AI models outside the scope of the Services.) Company may also process data as needed to provide customer support to the Customer (e.g., accessing conversation logs to handle support tickets).
  • Deletion and Return: Erasing or returning Personal Data upon Customer’s request or upon termination as described in the DPA.

All processing is carried out on Customer’s behalf for the purpose of providing the Services and fulfilling Customer’s legitimate business needs in managing communications with its end-users, as further instructed by Customer in its use of the Platform.

D. Types of Personal Data

The Customer Personal Data processed may include the following categories of data, as determined and provided by Customer or by end-users via the Services:

  • Identification and Contact Data: end-users’ names, phone numbers (including WhatsApp numbers), and potentially email addresses or other contact details if volunteered in chat.
  • Communication Content: the content of messages sent by end-users via WhatsApp or other channels, chat transcripts, images or media if shared in the conversation, voice messages or call audio recordings (if the service includes voice interactions) and their transcriptions.
  • Lead/Customer Data: information provided by end-users about themselves or their inquiries, which could include their company, role, needs or preferences regarding Customer’s products/services, and scheduling details (preferred appointment date/time).
  • Business Information Provided by Customer: information about Customer’s business, offers, and FAQs that Customer inputs into the Platform for the AI to use in conversations (this may contain Personal Data if, for example, it includes names of staff or references to specific individuals, though typically it is business-oriented content).
  • Calendar and Scheduling Data: dates and times of appointments scheduled, and any attendee information involved in scheduling (which might include names or emails of Customer’s staff who will meet the end-user, if applicable).
  • Technical Data: metadata such as message timestamps, IP addresses and device information of end-users interacting (to the extent captured in logs), and general usage logs. (Note: Company’s systems may collect IP address and device type of an admin user logging into the Wazzap AI dashboard, or possibly end-users if required for service delivery, e.g., to identify location for routing, though typically WhatsApp handles end-to-end encryption and metadata might be limited).
  • Audio Data: if Customer enables voice interactions, audio recordings of calls or voice notes and their content, which are processed for transcription and analysis.

Company does not intentionally collect or require any special categories of personal data (e.g., sensitive data such as health, biometric, credit card numbers, etc.) for the provision of the Services, and Customer is instructed not to use the Service to solicit or collect such data. Any sensitive personal data that is nonetheless communicated by end-users is considered incidental and processed only as part of the general conversation content without specific use or targeting.

E. Categories of Data Subjects

Data Subjects include the individuals about whom Personal Data is processed under this DPA. This typically covers:

  • Customer’s end-users, prospects, or customers: individuals who interact with Customer via WhatsApp or other channels and whose communications are processed through the Wazzap AI Platform (e.g., people sending inquiries, leads responding to qualification questions, etc.).
  • Customer’s staff or agents (to a limited extent): individuals authorized by Customer to use the Wazzap AI Platform or who may be referenced in chats. For example, a sales representative or support agent of Customer might be mentioned by name in scripts or might take over a conversation from the AI. Additionally, if Customer’s staff use the platform’s interface to intervene in conversations, their actions (and possibly names/usernames) may be logged. However, Personal Data of Customer’s own employees provided to Company for account administration (user accounts, login credentials, etc.) is generally Company Account Data (processed as controller under Section 9, outside the scope of “Customer Personal Data” processing).
  • Third parties communicating with Customer: to the extent any third party’s personal information is shared by the end-user during conversations (for example, the end-user provides a colleague’s phone number or mentions another individual), such Personal Data is also processed incidentally.

F. Special Categories of Data

Company does not intentionally process any special categories of Personal Data (as defined in GDPR Art. 9) or data relating to criminal convictions (Art. 10) as part of the Services. The Services are not designed to collect or handle sensitive personal data such as health information, political opinions, genetic or biometric data, etc., and Customer agrees not to actively solicit such data via the platform. If any sensitive personal data is included by an end-user in a message (without Company’s knowledge or targeting), it will be processed in the same manner as other message content, but Company does not separately use or analyze it for any purpose.

G. Processing Frequency

Continuous or on-going basis – Customer Personal Data will be processed on an on-going, real-time basis during the term of the Agreement whenever end-users interact with the Services or as Customer transmits data to the Platform, and for routine activities such as data storage and backup, until deletion in accordance with the DPA.

H. Location of Processing

Primarily in the United States (Company’s headquarters and primary servers). Some data may be processed in other jurisdictions if Company engages Sub-Processors with infrastructure or support teams in other regions (e.g., within the EEA for certain services, or other countries as listed in the Sub-Processor List). All such processing will be subject to the transfer safeguards described in Section 6 of the DPA.


EXHIBIT B – EU/UK Standard Contractual Clauses: Parties and Transfer Description

This Exhibit forms part of the DPA and includes selected provisions required by Annex I of the EU SCCs and Table 1 & Annex 1A/1B of the UK Addendum.

1. List of Parties

Data Exporter (Customer):

  • Name: The Customer entity that is a party to the Agreement (as defined therein).
  • Address: Customer’s business address as specified in the Agreement or customer account details.
  • Contact Person & Contact Details: The contact details of the Customer’s representative for data protection matters shall be as set forth in the Customer’s account or as otherwise provided in writing for notice purposes (e.g., the email address of Customer’s data protection officer or legal contact).
  • Role: Data Controller (or Processor on behalf of a Controller, as applicable)
  • Signature & Date: By entering into the Agreement and this DPA, the Customer is deemed to have signed these SCCs as of the effective date of the Agreement.

Data Importer (Company):

  • Name: WAZZAP AI LLC (Trading as “Wazzap AI”).
  • Address: 1209 Mountain Road Pl NE Ste H, Albuquerque, NM 87110, USA.
  • Contact Person & Contact Details: Wazzap AI’s Data Protection Contact, email: contact@wazzap.ai.
  • Activities relevant to the data transferred: The provision of the Wazzap AI Services, as described in the Agreement and Exhibit A (automated WhatsApp messaging, lead qualification, scheduling, and related data processing on behalf of the Customer).
  • Role: Data Processor (or sub-Processor, as applicable – see Section 2 of the DPA for role details).
  • Signature & Date: By entering into the Agreement and this DPA, WAZZAP AI LLC is deemed to have signed these SCCs as of the effective date of the Agreement.

2. Description of Transfer (Categories of data and subjects)

  • Categories of Data Subjects: As detailed in Exhibit A, Section E, the data subjects include Customer’s end-users (prospects, leads, or customers) who communicate via the Services, and any other individuals whose Personal Data is submitted through the Service (including incidental third parties mentioned in communications).
  • Categories of Personal Data: As detailed in Exhibit A, Section D, the personal data transferred may include contact information (names, phone numbers, etc.), message content and conversation transcripts, scheduling and appointment details, and other communication data. No special category data is intentionally processed.
  • Sensitive Data: Not applicable. The parties do not intend to transfer special categories of data. Any such data transferred inadvertently shall be treated with appropriate protection (e.g., via encryption) but is not specifically requested or processed by Company.
  • Frequency of Transfer: Personal Data is transferred on a continuous, ongoing basis for the duration of the Agreement, whenever end-users interact with the Service or as otherwise needed to provide the Services (real-time processing of communications).
  • Nature of Processing: See Exhibit A, Section C. The processing includes automated collection, analysis (using AI algorithms for natural language understanding and response generation), transmission, and storage of communications and related data on behalf of Customer.
  • Purpose of Processing: To enable Customer to automate and manage communications with its end-users via WhatsApp and related channels, for lead qualification, customer support, scheduling, and other purposes as specified by Customer (see Exhibit A, Section C). Processing is conducted for the purpose of providing the contracted Services to Customer in accordance with the Agreement.
  • Duration of Processing: For the term of the Agreement and until deletion of Personal Data by Company in accordance with the DPA (see Exhibit A, Section B). Some data may be retained in backups or archives as required by law or for legitimate business continuity for a limited period after termination, subject to appropriate protections.
  • Retention Period (or criteria): Personal Data is retained by Company only as long as necessary to fulfill the purposes of processing and to comply with legal obligations. Upon termination, data will be deleted or returned as per DPA Section 2.6. Backups containing Personal Data are periodically purged in the ordinary course of data management (e.g., rotated backups). Customer may set specific retention periods via Service features where available, or request deletion of certain data, in which case Company will comply as per DPA terms.
  • Transfers to Sub-Processors: Personal Data may be onward transferred to Authorized Sub-Processors as necessary for the purposes above, consistent with the Sub-Processor list provided. Such Sub-Processors might be located in jurisdictions including the USA, EU, or other countries where Company or its vendors operate, always under the safeguard of the SCCs or other lawful transfer mechanism as described in the DPA.

3. Competent Supervisory Authority

For the purposes of Clause 13 of the EU SCCs, the competent Supervisory Authority will be determined as follows:

  • (a) Where Customer is established in an EU Member State, the Supervisory Authority with jurisdiction over Customer’s establishment (or lead supervisory authority, as applicable) shall act as competent authority;
  • (b) If Customer is not established in the EU but has appointed an EU representative, the Supervisory Authority of the Member State in which the representative is established shall be the competent authority;
  • (c) If Clause 13 of the EU SCCs applies in any other case, the Supervisory Authority of Ireland shall be deemed competent (given the choice of Ireland in Clause 17).

For data transfers from the UK, the Information Commissioner’s Office (ICO) will be the relevant authority. For data transfers from Switzerland, the Federal Data Protection and Information Commissioner (FDPIC) will be the relevant authority.

4. Sub-Processors (Annex III)

As of the effective date of this DPA, the list of Authorized Sub-Processors is as provided by Company to Customer (e.g., on Company’s website or below). This typically includes categories such as: cloud infrastructure providers (hosting servers and databases), communication API providers (to interface with WhatsApp or telephony networks), analytics or error monitoring services, AI model providers (for language processing), and integrations like calendar services. A current list with identities of sub-processors is available via the mechanism described in Section 4.2 of the DPA. The parties agree that Annex III of the EU SCCs is populated by this reference to the then-current Sub-Processor List, which shall be maintained and updated by Company in accordance with the DPA. Customer consents to the sub-processors listed therein as of the effective date, and any updates will be managed pursuant to Section 4 of the DPA.


EXHIBIT C – Technical and Organizational Security Measures

The following is a description of the technical and organizational security measures implemented by Company (Wazzap AI) as Data Importer, as required by Annex II of the EU SCCs and applicable Data Protection Laws. These measures are aimed at protecting Personal Data against unauthorized processing and ensuring a level of security appropriate to the risk. Company regularly reviews and updates its security measures to adapt to evolving risks and industry best practices.

  • Encryption and Pseudonymization: All network communication between Customer (or end-users) and the Wazzap AI platform is encrypted in transit using strong protocols (such as TLS 1.2 or higher) to protect data from eavesdropping. Sensitive data at rest (including databases storing Personal Data, conversation logs, etc.) is encrypted using industry-standard encryption algorithms (e.g., AES-256). Company applies encryption or tokenization to personal identifiers where feasible to pseudonymize data, especially in non-production environments.
  • Access Control and Authentication: Access to systems that store or process Personal Data is limited to authorized personnel who require such access for their role. Company employs strict access controls following the principle of least privilege. Unique user IDs are assigned, and strong authentication (including multi-factor authentication) is enforced for administrative access. Where possible, Single Sign-On (SSO) is used to centralize and secure access management. Access rights are reviewed periodically and revoked promptly upon staff role changes or termination.
  • Physical Security: Wazzap AI uses reputable third-party cloud infrastructure providers (such as data centers with robust security certifications) to host its servers. These data center facilities have 24/7 security monitoring, access controls (e.g., badge or biometric entry), CCTV surveillance, fire suppression, and redundancy for power and cooling. For example, if hosted on a cloud like AWS, GCP, or Azure, those data centers maintain high standards of physical security compliance (SOC 2, ISO 27001, etc.). Any on-site office locations of Company do not store production Personal Data; they are secured with locks and restricted access as well.
  • Network Security and Firewalls: Company’s production systems are protected by network firewalls and security groups to ensure that only necessary network ports and protocols are open. Internal network traffic is segmented and monitored. Company utilizes intrusion detection and prevention systems as appropriate, and regularly updates system software and firmware to address security vulnerabilities. All remote access to servers is done through secure channels (e.g., VPN or SSH with keys) and logged.
  • User Activity Monitoring and Logging: Company logs access and actions on key systems handling Personal Data, including successful and failed login attempts, important configuration changes, and data access operations. Security logs are monitored and analyzed for anomalous activities. Automated alerts are set for certain suspicious events. Logs are protected from tampering and retained in a secure manner for analysis and audit purposes.
  • Malware Protection: Company employs anti-malware and anti-virus solutions on servers and endpoints where appropriate. Email and file uploads can be scanned for malicious content. Systems and software are kept up-to-date with security patches to reduce the risk of exploitation by malware or hackers.
  • Backup and Business Continuity: Personal Data in Company’s databases is routinely backed up (with at least daily backups for critical data). Backup copies are encrypted and stored securely, with regular tests of data restoration from backups to ensure backup integrity. Company maintains an appropriate disaster recovery plan: in case of a major incident, systems can be restored in a timely manner, and critical data can be recovered. The architecture is designed for high availability, with redundancy in components to avoid single points of failure, ensuring continuity of the Services.
  • Resilience and Availability: Company’s infrastructure is designed to be resilient, using cloud capabilities such as load balancing, clustering, and failover mechanisms. Regular capacity planning and performance monitoring help maintain service availability. Business continuity procedures are in place to handle events like power outages or network disruptions in data centers, including failover to backup servers if needed.
  • Change Management: Company follows a documented change management process for application and infrastructure changes. Changes (especially to code affecting Personal Data processing) are tested in non-production environments and reviewed (including security review) before deployment to production. Deployment to production is done using automated CI/CD pipelines which enforce consistency and minimize human error. Emergency changes are logged and reviewed retrospectively.
  • Personnel Training and Policies: All employees and contractors with access to Personal Data are bound by confidentiality agreements. Company provides regular training on data privacy, security practices, and awareness to its staff. Internal policies (including an information security policy and incident response plan) set forth the employees’ responsibilities to protect Personal Data and consequences for violations. Access to Personal Data is only granted to staff who have completed appropriate background checks and training.
  • Third-Party Vendor Management: Before engaging Sub-Processors or other vendors who may have access to Personal Data, Company conducts a security and privacy assessment of those vendors. Company ensures that each Authorized Sub-Processor enters into a Data Processing Agreement with Company, including commitments to implement appropriate security measures similar to those stated in this Exhibit. Company monitors its vendors’ compliance and contractually requires them to adhere to standards no less protective than Company’s obligations in this DPA.
  • Data Minimization: Company’s systems and processes are designed following the principle of data minimization. The platform allows Customer to control what Personal Data is input; only data necessary for the defined purposes is collected and processed. Customer has controls (through the interface or API) to remove or redact data that is not needed. Company does not create new Personal Data beyond what Customer or end-users provide, except metadata needed for operation. If test/development environments use production data, such data is sanitized or masked where feasible to avoid using real Personal Data.
  • Data Quality: Company relies on Customer to provide accurate data and offers features that allow Customer to update or correct data. Within its processing, Company maintains data integrity by validation rules and checks (for example, ensuring expected data formats). Errors or inconsistencies in Personal Data that are detected (e.g., during processing) may trigger alerts for review. The AI models and logic undergo regular evaluation to ensure responses are accurate and relevant, thereby indirectly ensuring quality of processed outputs.
  • Limited Retention and Deletion: Company does not retain Customer Personal Data longer than necessary. The Services may include functionality for Customer to delete data (such as removing a lead or conversation history) at its discretion. Upon termination of Service, Company follows data deletion procedures to purge Personal Data, as described in the DPA. Regular purges of outdated data may be performed (for instance, logs older than a certain number of days are automatically deleted or archived securely).
  • Incident Response: Company has an incident response plan for handling security incidents and Personal Data Breaches. The plan designates internal team roles and communication pathways, including prompt escalation procedures. In the event of a suspected breach, Company’s team will investigate, mitigate, and remediate the issue. The plan includes procedures for notifying affected parties (including Customer and possibly authorities) in line with Section 5.3 of the DPA. Lessons learned from any incidents are used to improve preventive measures.
  • Testing and Auditing: Company periodically tests, assesses, and evaluates the effectiveness of its security measures. This may include vulnerability scanning, penetration testing by independent experts, and security audits. Identified issues are prioritized and remediated. Additionally, Company maintains relevant security certifications or compliance audits (if any) and supplies results to Customers as noted in Section 8.4 of the DPA.

These measures collectively ensure a level of security appropriate to the risk presented by the Personal Data processed, in accordance with Article 32 of the GDPR. Company is committed to continuously improving its security posture to protect Customer Personal Data.


EXHIBIT D – UK GDPR Addendum (UK International Data Transfer Addendum)

This Exhibit D applies only to the extent that the UK GDPR (and UK Data Protection Act 2018) governs the transfer of Personal Data under the Agreement (i.e., where Customer is established in the UK or where Company processes Personal Data subject to UK GDPR on behalf of Customer). It sets forth the information required by the UK Addendum to the EU SCCs, issued by the UK Information Commissioner’s Office (ICO) under s.119A of the Data Protection Act 2018, effective March 21, 2022. This UK Addendum is appended to the EU SCCs as incorporated in Section 6.2 of the DPA, and is hereby entered into and made binding between the parties.

Table 1: Parties – The identities and contact details of the “Exporter” (Customer) and “Importer” (Company) are as set forth in Exhibit B, Section 1 above. The start date of the UK Addendum is the same as the effective date of the DPA (and the Agreement). The roles of the parties are as described in the DPA (Customer as Controller or Processor; Company as Processor).

Table 2: Selected SCCs, Modules, and Clauses – The UK Addendum applies in conjunction with the “Approved EU SCCs” referenced in Section 6.2 of the DPA. The parties confirm that Module Two or Module Three (as applicable) of the EU SCCs (Commission Decision 2021/914) are the relevant SCCs. No modifications are made to these SCCs other than as stated in Section 6.3 of the DPA and this Exhibit. The UK Addendum is appended to those SCCs.

Table 3: Appendix Information – The Appendix Information for the purposes of the UK Addendum is set out in:

  • Annex 1A (List of Parties): See Exhibit B, Section 1.
  • Annex 1B (Description of Transfer): See Exhibit B, Section 2 (and Exhibit A for further details).
  • Annex II (Technical and Organizational Measures): See Exhibit C.
  • Annex III (List of Sub-Processors): See Exhibit B, Section 4 (incorporating the Sub-Processor List maintained by Company).

Table 4: Ending the UK Addendum when the Approved Addendum Changes – The parties agree that if the ICO issues new standard data transfer clauses (“Approved Addendum”) that replace or amend the current version, neither party may unilaterally terminate the UK Addendum pursuant to Section 19 of the UK Addendum. Instead, the UK Addendum will remain in force until the parties agree to amend it or adopt a new version as required.

Additional Provisions: By incorporating the UK Addendum, the EU SCCs are deemed amended to the minimum extent necessary so as to give effect to the parties’ chosen configurations in Tables 1-4 above. This includes, without limitation, that: (a) references to “Member State” in the SCCs shall be interpreted to include the United Kingdom where applicable; (b) references to the “GDPR” shall be taken to include the UK GDPR, and references to authorities and laws of the EU shall be taken to include the equivalent UK authorities and laws where applicable; (c) Clause 13 of the SCCs is interpreted such that the ICO is the competent supervisory authority; (d) under Clause 17 (Option 1) the SCCs are governed by the laws of England and Wales, and under Clause 18(b) disputes shall be resolved before the courts of England and Wales, insofar as the data transfers fall under UK jurisdiction.

The UK Addendum, thus completed, is hereby incorporated into this DPA and the Agreement. Signing the Agreement and DPA by the parties includes signature of this UK Addendum, with the intention that the transfer of Personal Data from the UK to non-UK countries (including to Company in the US) is conducted in compliance with UK GDPR.

If you have any questions, please contact us at contact@wazzap.ai
