Data Processing Addendum

Data Processing Addendum

Last updated: 2026-07-16

This data processing addendum applies to the website, products and services offered under the brand WAAPI, operated by WAAPI (“we”, “us”, “our”), acting as the business. By accessing or using our services you agree to this data processing addendum. If you do not agree, please discontinue use of the services.

This Addendum forms part of the Terms & Conditions between you (“Controller” / “Data Fiduciary”) and WAAPI (“Processor”), and applies whenever we process personal data on your behalf. It is drafted to satisfy Article 28 of the GDPR and the processor obligations of the DPDP Act, 2023.

1. Subject matter & duration

We process personal data to provide the services for as long as your account is active, plus the retention windows in our Data Retention Policy.

2. Nature & purpose

Hosting, storing, transmitting and displaying the data you upload; delivering and receiving messages through the channels you connect; generating AI output you request; and producing analytics for you.

3. Categories of data & data subjects

Data subjects: your staff who use the panel, and your customers and contacts whom you message. Data: names, phone numbers, email addresses, message and media content, and any custom fields you choose to store.

4. Our obligations

  • Process personal data only on your documented instructions, including for transfers, unless law requires otherwise (in which case we tell you first, unless prohibited).
  • Ensure personnel with access are bound by confidentiality.
  • Implement the security measures in our Data Security Policy.
  • Engage sub-processors only under the terms of clause 5.
  • Assist you with data-subject requests, security, breach notification and impact assessments, taking into account the information available to us.
  • Delete or return personal data at the end of the services, subject to legal retention.
  • Make available the information reasonably needed to demonstrate compliance, and allow audits as set out in clause 7.

5. Sub-processors

You give general authorisation for the sub-processors listed in our Third-Party Services & Sub-processors register. We impose data-protection terms on each that are no less protective than this Addendum, and we remain fully liable to you for their performance. We will give you 30 days’ notice before adding or replacing a sub-processor; you may object on reasonable data-protection grounds, and if we cannot accommodate the objection you may terminate the affected service.

6. International transfers

Where personal data is transferred out of its country of origin we rely on an adequacy decision where one exists, and otherwise on the EU Standard Contractual Clauses (and the UK Addendum where applicable), which are incorporated into this Addendum by reference.

7. Audit

On reasonable written notice, and no more than once in any 12-month period (unless a regulator or a breach requires otherwise), we will respond to a security questionnaire and provide available third-party reports. On-site audits are available where legally mandated, at your cost, subject to confidentiality and to not disrupting other customers.

8. Breach notification

We notify you without undue delay, and in any case within 72 hours of becoming aware of a personal-data breach affecting your data, per our Data Breach & Incident Notification Policy.

9. Liability

Each party’s liability under this Addendum is subject to the limitations of liability in the Terms & Conditions.

Governing law & jurisdiction

This document is governed by the laws of India. For operators in India this includes the Information Technology Act, 2000, the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and the Consumer Protection Act, 2019. Where we serve customers in other jurisdictions we honour applicable local requirements, including the EU/UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), to the extent they apply. Courts at India have exclusive jurisdiction, subject to any non-waivable consumer rights in your country of residence.

Contact us

WAAPI is operated by WAAPI. For any question about this document, contact us: