Data Processing Agreement

How Waaiio processes personal data on behalf of business customers.

Last updated: May 28, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between you (“Controller” or “Business”) and CipherHQ LLC, doing business as Waaiio (“Processor” or “Waaiio”), and governs the processing of personal data by Waaiio on behalf of the Controller. This DPA applies to the extent that GDPR (EU), UK GDPR, NDPR (Nigeria), or Ghana DPA (Act 843) applies to the processing.

1. Roles and Definitions

  • Data Controller: You, the business owner who determines the purposes and means of processing personal data of your customers through Waaiio.
  • Data Processor: CipherHQ LLC (d/b/a Waaiio), which processes personal data on your behalf to deliver the Services.
  • Data Subjects: Your customers, contacts, and end users whose personal data is processed through Waaiio.
  • Personal Data: Any information relating to an identified or identifiable natural person, as defined by applicable data protection law.
  • Sub-processor: A third-party entity engaged by Waaiio to assist in processing personal data on behalf of the Controller.

2. Scope and Purpose of Processing

Waaiio processes personal data solely for the purpose of providing the Services you have subscribed to, including:

  • Delivering and receiving WhatsApp messages on behalf of your business
  • Processing bookings, appointments, orders, and reservations
  • Processing payment transactions (via integrated payment gateways)
  • Generating and delivering event tickets with QR codes
  • Maintaining conversation history and customer records
  • AI-powered intent detection and language translation
  • Sending transactional emails (booking confirmations, receipts)
  • Generating reports and analytics on your business operations

Waaiio does not sell personal data, use it for its own marketing purposes, or process it for any purpose other than providing the Services as instructed by the Controller.

Categories of Personal Data Processed

  • Contact information: names, phone numbers, email addresses
  • Transactional data: booking details, order items, payment amounts, gateway references
  • Communication data: WhatsApp messages, timestamps, media files
  • Contract data: e-signature records
  • Technical data: IP addresses, device identifiers (for website visitors)

3. Data Processing Instructions

Waaiio shall process personal data only in accordance with documented instructions from the Controller, unless required to do so by applicable law. If Waaiio is required to process personal data for any purpose other than as instructed, Waaiio shall inform the Controller of that legal requirement prior to processing, unless prohibited by law.

If Waaiio believes that an instruction from the Controller infringes applicable data protection law, Waaiio shall promptly notify the Controller.

4. Confidentiality

Waaiio shall ensure that all personnel authorized to process personal data are bound by appropriate confidentiality obligations. Access to personal data is restricted to personnel who require it to perform the Services.

5. Sub-processors

Waaiio uses the following sub-processors to deliver the Services. Each sub-processor is bound by data processing agreements providing protections consistent with this DPA.

  Sub-processor              Purpose                                                        Location
  -------------------------  -------------------------------------------------------------  ----------------
  Meta Platforms / WhatsApp  Message delivery via WhatsApp Business API                     US / Global
  Gupshup                    WhatsApp Business API provider                                 US / India
  Supabase (AWS)             Database, authentication, file storage, real-time infrastructure  US
  Stripe                     Payment processing (US, UK, Canada)                            US
  Paystack                   Payment processing (Nigeria, Ghana)                            Nigeria
  Flutterwave                Payment processing (Africa)                                    Nigeria
  Square                     Payment processing (US)                                        US
  PayPal                     Payment processing                                             US / Global
  Resend                     Transactional email delivery                                   US
  PostHog                    Product analytics (anonymized events)                          US / EU
  Anthropic                  AI intent detection and language translation                   US
  Sentry                     Error monitoring and performance tracking                      US
  Vercel                     Application hosting and edge functions                         US / Global
  Upstash                    API rate limiting and bot spam prevention                      US (Global Edge)
  OpenAI                     Whisper voice-to-text transcription                            US

Waaiio shall notify the Controller of any intended changes to the list of sub-processors at least 14 days in advance, giving the Controller an opportunity to object. If the Controller objects on reasonable data protection grounds, the parties shall discuss the objection in good faith. If no resolution can be reached, the Controller may terminate the affected Services.

6. Technical and Organizational Security Measures

Waaiio implements appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Row-level security (RLS) policies ensuring complete data isolation between business accounts
  • Secure authentication via Supabase Auth with bcrypt password hashing
  • HMAC signature verification on all payment gateway webhooks
  • API rate limiting (60 writes / 120 reads per minute per IP)
  • CSRF protection via origin header validation
  • Regular access reviews and least-privilege access controls
  • Automated vulnerability scanning and dependency updates
  • Input validation and sanitization on all user-facing endpoints
  • Secure session management with automatic expiration

7. Data Breach Notification

In the event of a personal data breach, Waaiio shall:

  • Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach (as required by GDPR Article 33 and NDPR)
  • Provide details including: the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and a description of measures taken or proposed to mitigate the breach
  • Provide the Controller with a designated contact point for further information
  • Cooperate fully with the Controller and any supervisory authority in investigating, remediating, and reporting the breach
  • Document all personal data breaches, including the facts, effects, and remedial actions taken

8. Assistance with Data Subject Requests

Waaiio shall assist the Controller in fulfilling data subject requests under applicable privacy laws, including:

  • Access: Providing a copy of the data subject’s personal data
  • Rectification: Correcting inaccurate or incomplete personal data
  • Erasure: Deleting personal data (“right to be forgotten”)
  • Portability: Providing data in a structured, machine-readable format (JSON/CSV export)
  • Restriction: Limiting processing in certain circumstances
  • Objection: Ceasing certain types of processing upon objection

As the Data Controller, you are responsible for responding to data subject requests directly. If Waaiio receives a request from a data subject, Waaiio shall promptly forward it to you and shall not respond to the request directly unless instructed to do so by you. Waaiio provides self-service tools (data export, account deletion) to assist you in fulfilling these requests.

9. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), the United Kingdom, Nigeria, or Ghana to a jurisdiction that does not benefit from an adequacy decision, Waaiio ensures appropriate safeguards through:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914)
  • UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs for UK-originating transfers
  • EU-US Data Privacy Framework certification (where applicable)
  • Contractual obligations on all sub-processors requiring equivalent data protection safeguards

Waaiio shall promptly notify the Controller if it becomes aware that it can no longer comply with the transfer safeguards, and shall cooperate with the Controller to identify alternative transfer mechanisms.

10. Audit Rights

Waaiio shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller, subject to the following conditions:

  • The Controller shall provide at least 30 days’ written notice of any audit
  • Audits shall be conducted during normal business hours and shall not unreasonably disrupt Waaiio’s operations
  • The Controller shall bear the costs of any audit, unless the audit reveals material non-compliance by Waaiio
  • All information obtained through audits shall be treated as confidential
  • Audits shall be limited to no more than one per calendar year, unless required by a supervisory authority or following a data breach

Where Waaiio holds third-party certifications or audit reports (e.g., SOC 2, ISO 27001) relevant to the Services, these may be provided to satisfy audit requirements.

11. Data Retention and Deletion

Waaiio retains personal data only for as long as necessary to provide the Services. Upon termination of the Controller’s account:

  • Waaiio shall delete or anonymize all personal data within 30 days, unless retention is required by applicable law
  • The Controller may request a data export (JSON or CSV) prior to account deletion
  • Payment records may be retained for up to 7 years to comply with tax and financial reporting obligations
  • Anonymized aggregate data may be retained indefinitely for analytics purposes

Upon request, Waaiio shall certify in writing that it has deleted or returned all personal data in accordance with this section.

12. Data Protection Impact Assessments

Waaiio shall provide reasonable assistance to the Controller in conducting data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, where required under applicable data protection law, taking into account the nature of the processing and the information available to Waaiio.

13. Term and Termination

This DPA shall remain in effect for the duration of the Controller’s use of the Services and shall automatically terminate when the Controller’s account is deleted or the Terms of Service are terminated, subject to the data retention obligations described in Section 11.

Sections that by their nature should survive termination (including Sections 4, 7, 10, and 11) shall survive the termination of this DPA.

14. Liability

Each party’s liability under this DPA is subject to the limitations of liability set out in the Terms of Service. Nothing in this DPA limits either party’s liability for breaches of applicable data protection law to the extent such limitation would not be permitted by law.

15. Contact

For questions about this Data Processing Agreement, contact: