Data Processing Agreement

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service betweenWebifyd Technology LLC ("Processor", "we", "us") and you ("Controller", "Customer") for the Chatifyd WhatsApp Business API platform services.

This DPA applies where and to the extent we process Personal Data on your behalf in the course of providing our Services. This DPA is designed to ensure compliance with:

UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021)
EU General Data Protection Regulation (GDPR)
Meta/WhatsApp Business Platform requirements
Other applicable data protection laws

2. Definitions

In this DPA:

"Personal Data" means any information relating to an identified or identifiable natural person
"Processing" means any operation performed on Personal Data
"Data Subject" means the individual to whom Personal Data relates
"Sub-processor" means any third party engaged by us to process Personal Data
"Controller" means the entity that determines the purposes and means of processing
"Processor" means the entity that processes Personal Data on behalf of the Controller
"Data Breach" means a breach of security leading to destruction, loss, alteration, or unauthorized disclosure of Personal Data

3. Scope and Roles

3.1 Controller and Processor Relationship

You (the Customer) are the Controller for Personal Data relating to your End-Users and communications. We act as a Processor, processing such data only on your behalf and in accordance with your documented instructions.

3.2 Processing Details

Subject Matter	Provision of WhatsApp Business API services
Duration	Duration of your subscription plus retention period
Nature of Processing	Collection, storage, transmission, and deletion
Purpose	Enable WhatsApp messaging between you and your End-Users
Categories of Data Subjects	Your employees, End-Users, customers
Types of Personal Data	Phone numbers, message content, metadata, names, identifiers

4. Processor Obligations

We shall:

Process Personal Data only on your documented instructions, unless required by law
Ensure persons authorized to process the data are bound by confidentiality obligations
Implement appropriate technical and organizational security measures
Respect the conditions for engaging sub-processors
Assist you in responding to Data Subject requests
Assist you with data protection impact assessments and prior consultations
Delete or return all Personal Data upon termination, subject to legal requirements
Make available all information necessary to demonstrate compliance
Allow for and contribute to audits conducted by you or your mandated auditor
Notify you without undue delay of any Personal Data Breach

5. Controller Obligations

You shall:

Ensure you have a lawful basis for processing Personal Data
Provide appropriate privacy notices to Data Subjects
Obtain any required consents for processing
Respond to Data Subject requests
Comply with all applicable data protection laws
Ensure your instructions to us are lawful
Implement appropriate security measures for data you control
Notify us of any changes affecting our processing

6. Sub-processors

6.1 Authorization

You provide general authorization for us to engage sub-processors for the processing of Personal Data. We maintain a list of current sub-processors below.

6.2 Current Sub-processors

Sub-processor	Service	Location
Meta Platforms, Inc.	Message delivery and WhatsApp platform services	United States / European Union
Amazon Web Services (AWS)	Data hosting and processing	Multiple regions (EU, US, UAE)
Stripe, Inc.	Subscription billing and payment handling	United States

6.3 Changes to Sub-processors

We will notify you of any intended changes to sub-processors at least 30 days before engaging a new sub-processor. You may object to such changes within 14 days of notification.

7. Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256)
Access controls and authentication mechanisms
Regular security testing and assessments
Intrusion detection and prevention systems
Logging and monitoring of processing activities
Business continuity and disaster recovery procedures
Regular security training for personnel
Physical security of data centers
Incident response procedures

8. Data Subject Requests

If we receive a request from a Data Subject regarding their Personal Data, we will:

Promptly notify you of the request
Not respond directly unless authorized or required by law
Provide reasonable assistance to enable you to respond
Comply with your instructions regarding the request

9. Data Breach Notification

9.1 Notification

We will notify you without undue delay (and in any event within 48 hours) upon becoming aware of a Personal Data Breach affecting data we process on your behalf.

9.2 Notification Content

Our notification will include:

Description of the nature of the breach
Categories and approximate number of Data Subjects affected
Categories and approximate number of records affected
Likely consequences of the breach
Measures taken or proposed to address the breach
Contact point for further information

10. International Transfers

Personal Data may be transferred to countries outside the UAE and EEA. For such transfers, we implement appropriate safeguards:

Standard Contractual Clauses (SCCs) approved by relevant authorities
Binding Corporate Rules where applicable
Adequacy decisions from competent authorities
Additional technical and organizational measures as necessary

Upon request, we will provide a copy of the applicable transfer mechanisms.

11. Audits

You may audit our compliance with this DPA subject to the following conditions:

Provide at least 30 days advance written notice
Audits shall not unreasonably interfere with our business operations
Auditor must be bound by appropriate confidentiality obligations
Limited to one audit per 12-month period (except in case of breach)
You shall bear the costs of any audit

We may satisfy audit requirements by providing relevant certifications (e.g., ISO 27001, SOC 2 reports) or third-party audit reports.

12. Data Retention and Deletion

Upon termination of your subscription:

You may request return of your Personal Data within 30 days
After 30 days (or upon your instruction), we will securely delete your Personal Data
We may retain data where required by applicable law
We will provide certification of deletion upon request

For retention periods during active subscription, see our Data Retention Policy.

13. WhatsApp/Meta Requirements

As a WhatsApp Business Solution Provider, certain data processing is governed by Meta's requirements:

Message content is retained for a maximum of 30 days for delivery purposes
WhatsApp maintains its own data processing terms with Meta
End-to-end encryption applies to message content
Some processing is necessary to comply with WhatsApp platform requirements

14. Liability

Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. Nothing in this DPA limits liability for breaches of data protection law where such limitation is not permitted.

15. Term and Termination

This DPA shall remain in effect for the duration of our processing of Personal Data on your behalf. It shall survive termination of the Terms of Service to the extent necessary to address ongoing processing or retention obligations.

16. Contact

For questions about this DPA or to exercise your rights:

Data Protection Officer

Office 501, RAG Tower, Barsha 1, Dubai, United Arab Emirates

Email: dpo@chatifyd.com

1. Introduction

This DPA applies where and to the extent we process Personal Data on your behalf in the course of providing our Services. This DPA is designed to ensure compliance with:

UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021)
EU General Data Protection Regulation (GDPR)
Meta/WhatsApp Business Platform requirements
Other applicable data protection laws

2. Definitions

In this DPA:

"Personal Data" means any information relating to an identified or identifiable natural person
"Processing" means any operation performed on Personal Data
"Data Subject" means the individual to whom Personal Data relates
"Sub-processor" means any third party engaged by us to process Personal Data
"Controller" means the entity that determines the purposes and means of processing
"Processor" means the entity that processes Personal Data on behalf of the Controller
"Data Breach" means a breach of security leading to destruction, loss, alteration, or unauthorized disclosure of Personal Data

3. Scope and Roles

3.1 Controller and Processor Relationship

3.2 Processing Details

Subject Matter	Provision of WhatsApp Business API services
Duration	Duration of your subscription plus retention period
Nature of Processing	Collection, storage, transmission, and deletion
Purpose	Enable WhatsApp messaging between you and your End-Users
Categories of Data Subjects	Your employees, End-Users, customers
Types of Personal Data	Phone numbers, message content, metadata, names, identifiers

4. Processor Obligations

We shall:

Process Personal Data only on your documented instructions, unless required by law
Ensure persons authorized to process the data are bound by confidentiality obligations
Implement appropriate technical and organizational security measures
Respect the conditions for engaging sub-processors
Assist you in responding to Data Subject requests
Assist you with data protection impact assessments and prior consultations
Delete or return all Personal Data upon termination, subject to legal requirements
Make available all information necessary to demonstrate compliance
Allow for and contribute to audits conducted by you or your mandated auditor
Notify you without undue delay of any Personal Data Breach

5. Controller Obligations

You shall:

Ensure you have a lawful basis for processing Personal Data
Provide appropriate privacy notices to Data Subjects
Obtain any required consents for processing
Respond to Data Subject requests
Comply with all applicable data protection laws
Ensure your instructions to us are lawful
Implement appropriate security measures for data you control
Notify us of any changes affecting our processing

6. Sub-processors

6.1 Authorization

You provide general authorization for us to engage sub-processors for the processing of Personal Data. We maintain a list of current sub-processors below.

6.2 Current Sub-processors

Sub-processor	Service	Location
Meta Platforms, Inc.	Message delivery and WhatsApp platform services	United States / European Union
Amazon Web Services (AWS)	Data hosting and processing	Multiple regions (EU, US, UAE)
Stripe, Inc.	Subscription billing and payment handling	United States

6.3 Changes to Sub-processors

We will notify you of any intended changes to sub-processors at least 30 days before engaging a new sub-processor. You may object to such changes within 14 days of notification.

7. Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256)
Access controls and authentication mechanisms
Regular security testing and assessments
Intrusion detection and prevention systems
Logging and monitoring of processing activities
Business continuity and disaster recovery procedures
Regular security training for personnel
Physical security of data centers
Incident response procedures

8. Data Subject Requests

If we receive a request from a Data Subject regarding their Personal Data, we will:

Promptly notify you of the request
Not respond directly unless authorized or required by law
Provide reasonable assistance to enable you to respond
Comply with your instructions regarding the request

9. Data Breach Notification

9.1 Notification

We will notify you without undue delay (and in any event within 48 hours) upon becoming aware of a Personal Data Breach affecting data we process on your behalf.

9.2 Notification Content

Our notification will include:

Description of the nature of the breach
Categories and approximate number of Data Subjects affected
Categories and approximate number of records affected
Likely consequences of the breach
Measures taken or proposed to address the breach
Contact point for further information

10. International Transfers

Personal Data may be transferred to countries outside the UAE and EEA. For such transfers, we implement appropriate safeguards:

Standard Contractual Clauses (SCCs) approved by relevant authorities
Binding Corporate Rules where applicable
Adequacy decisions from competent authorities
Additional technical and organizational measures as necessary

Upon request, we will provide a copy of the applicable transfer mechanisms.

11. Audits

You may audit our compliance with this DPA subject to the following conditions:

Provide at least 30 days advance written notice
Audits shall not unreasonably interfere with our business operations
Auditor must be bound by appropriate confidentiality obligations
Limited to one audit per 12-month period (except in case of breach)
You shall bear the costs of any audit

We may satisfy audit requirements by providing relevant certifications (e.g., ISO 27001, SOC 2 reports) or third-party audit reports.

12. Data Retention and Deletion

Upon termination of your subscription:

You may request return of your Personal Data within 30 days
After 30 days (or upon your instruction), we will securely delete your Personal Data
We may retain data where required by applicable law
We will provide certification of deletion upon request

For retention periods during active subscription, see our Data Retention Policy.

13. WhatsApp/Meta Requirements

As a WhatsApp Business Solution Provider, certain data processing is governed by Meta's requirements:

Message content is retained for a maximum of 30 days for delivery purposes
WhatsApp maintains its own data processing terms with Meta
End-to-end encryption applies to message content
Some processing is necessary to comply with WhatsApp platform requirements

14. Liability

15. Term and Termination

16. Contact

For questions about this DPA or to exercise your rights:

Data Protection Officer

Office 501, RAG Tower, Barsha 1, Dubai, United Arab Emirates

Email: dpo@chatifyd.com

Data Processing Agreement

Data Processor

1. Introduction

2. Definitions

3. Scope and Roles

3.1 Controller and Processor Relationship

3.2 Processing Details

4. Processor Obligations

5. Controller Obligations

6. Sub-processors

6.1 Authorization

6.2 Current Sub-processors

6.3 Changes to Sub-processors

7. Security Measures

8. Data Subject Requests

9. Data Breach Notification

9.1 Notification

9.2 Notification Content

10. International Transfers

11. Audits

12. Data Retention and Deletion

13. WhatsApp/Meta Requirements

14. Liability

15. Term and Termination

16. Contact

Data Protection Officer

Data Processing Agreement

Data Processor

1. Introduction

2. Definitions

3. Scope and Roles

3.1 Controller and Processor Relationship

3.2 Processing Details

4. Processor Obligations

5. Controller Obligations

6. Sub-processors

6.1 Authorization

6.2 Current Sub-processors

6.3 Changes to Sub-processors

7. Security Measures

8. Data Subject Requests

9. Data Breach Notification

9.1 Notification

9.2 Notification Content

10. International Transfers

11. Audits

12. Data Retention and Deletion

13. WhatsApp/Meta Requirements

14. Liability

15. Term and Termination

16. Contact

Data Protection Officer