Waaiio

Data Processing Agreement

How Waaiio processes personal data on behalf of business customers.

Last updated: April 14, 2026

1. Roles & Definitions

  • Data Controller: You, the business owner who determines the purposes and means of processing personal data of your customers.
  • Data Processor: Waaiio Limited, which processes personal data on your behalf to deliver WhatsApp automation services.
  • Data Subjects: Your customers and contacts whose personal data is processed through Waaiio.

2. Scope of Processing

Waaiio processes personal data solely to provide the services you have subscribed to, including but not limited to: delivering WhatsApp messages, processing bookings and orders, handling payments, and maintaining conversation history. We do not sell personal data or use it for our own marketing purposes.

3. Sub-processors

We use the following sub-processors to deliver our services. Each sub-processor is bound by data processing agreements that provide protections consistent with this DPA.

| Sub-processor | Purpose | Location |
|---|---|---|
| Meta Platforms / WhatsApp | Message delivery via WhatsApp Business API | US / Global |
| Gupshup | WhatsApp Business API provider | US / India |
| Supabase (AWS) | Database hosting, authentication, real-time infrastructure | US |
| Paystack | Payment processing (Africa) | Nigeria |
| Stripe | Payment processing (UK, Canada) | US |
| Square | Payment processing (United States) | US |
| Flutterwave | Payment processing (Africa, alternative) | Nigeria |
| Vercel | Application hosting and edge functions | US / Global |

We will notify you of any intended changes to the list of sub-processors, giving you an opportunity to object.

4. Data Security Measures

Waaiio implements appropriate technical and organisational measures to protect personal data, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Row-level security (RLS) policies ensuring data isolation between business accounts
  • Regular access reviews and least-privilege access controls
  • Automated vulnerability scanning and dependency updates
  • Secure authentication via Supabase Auth with bcrypt hashing

5. Breach Notification

In the event of a personal data breach, Waaiio will:

  • Notify you without undue delay, and in any event within 72 hours of becoming aware of the breach (as required by GDPR Article 33)
  • Provide details of the nature of the breach, the categories and approximate number of data subjects affected, and the likely consequences
  • Describe the measures taken or proposed to address the breach and mitigate its effects
  • Cooperate with you and any supervisory authority in investigating and resolving the breach

6. Data Subject Rights

Waaiio will assist you in fulfilling data subject requests under applicable privacy laws, including rights of:

  • Access — obtaining a copy of their personal data
  • Rectification — correcting inaccurate data
  • Erasure — deleting personal data (“right to be forgotten”)
  • Portability — receiving data in a machine-readable format
  • Restriction — limiting how data is processed
  • Objection — objecting to certain types of processing

As the data controller, you are responsible for responding to data subject requests. Waaiio will provide reasonable assistance and tooling to help you comply.

7. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA) or the United Kingdom, Waaiio relies on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreement (IDTA) for UK-originating transfers
  • Adequacy decisions where available (e.g., EU-US Data Privacy Framework)

8. Data Retention & Deletion

Waaiio retains personal data only for as long as necessary to provide our services to you. Upon termination of your account, we will delete or anonymise all personal data within 30 days, unless retention is required by law.

Contact

For questions about this DPA, email our Data Protection Officer at dpo@waaiio.com.