§1 Parties
This Data Processing Agreement (“DPA”) is entered into between:
- NodrahWeb (“Processor”), the provider of the NodrahWeb AI WhatsApp automation platform; and
- The Customer (“Controller”), identified by the account-holder email address on file at the effective date.
This DPA supplements the NodrahWeb Terms of Service and forms an integral part of the agreement between the parties. In case of conflict between this DPA and the Terms, this DPA prevails for data-protection matters.
§2 Definitions
Terms used in this DPA have the meanings given to them in the UK GDPR / EU GDPR. In particular:
- Personal Data: any information relating to an identified or identifiable natural person processed under the Terms of Service.
- Processing: any operation performed on Personal Data, including collection, storage, transmission, or deletion.
- Data Subject: the natural person to whom the Personal Data relates (typically the Customer's end customers messaging the Customer on WhatsApp).
- Sub-processor: any third party engaged by NodrahWeb to process Personal Data on the Customer's behalf.
§3 Scope and roles
The Customer is the Controller and NodrahWeb is the Processor. NodrahWeb processes Personal Data solely on the documented instructions of the Customer, as set out in the Terms of Service, this DPA, and the Customer's configuration within the NodrahWeb dashboard (e.g. AI persona, auto-reply settings, retention preferences).
The categories of Data Subjects whose Personal Data is processed are the Customer's end-customers who message the Customer's WhatsApp Business number.
The types of Personal Data processed include:
- Phone number, display name, profile photo (as provided by Meta's WhatsApp Cloud API)
- Message content (inbound and outbound)
- Conversation metadata (timestamps, delivery status)
- Optional contact fields the Customer adds via dashboard or CSV import (e.g. tags, notes, custom attributes)
NodrahWeb will not process Personal Data for any purpose other than performing the Services. NodrahWeb will not sell, rent, or license Personal Data to any third party.
§4 Processor obligations
NodrahWeb commits to:
- Process Personal Data only on documented instructions from the Customer, unless required to do so by applicable law.
- Ensure that personnel authorised to process Personal Data are bound by a written confidentiality obligation.
- Implement appropriate technical and organisational measures to protect Personal Data (see Annex 1).
- Assist the Customer in fulfilling its obligations to respond to Data Subject requests (access, rectification, erasure, portability, restriction, objection).
- Notify the Customer without undue delay, and in any case within 72 hours, after becoming aware of a Personal Data breach affecting the Customer's Personal Data, with sufficient detail for the Customer to meet its own notification obligations (Annex 1 sets a 24-hour notification target within this limit).
- On termination of the Services, delete or return all Personal Data to the Customer at the Customer's choice, within 30 days. Backup copies are purged within 90 days unless applicable law requires longer retention.
§5 Sub-processors
The Customer authorises NodrahWeb to engage Sub-processors for the provision of the Services. NodrahWeb maintains the following Sub-processors as of the effective date:
| Sub-processor | Purpose | Location |
|---|---|---|
| Meta Platforms, Inc. | WhatsApp Cloud API message delivery | EU, US |
| Google (Gemini) | AI reply generation (only message content sent) | US |
| Stripe Payments Europe | Billing & subscription management | EU, US |
| Vercel Inc. | Web application hosting | EU, US (multi-region) |
| Railway Corp. | Backend API + database hosting | US (default); EU available on Scale plan |
| Brevo SAS | Transactional email (password reset, invoices) | EU |
NodrahWeb will provide the Customer with at least 30 days' written notice (via email to the account-holder address) of any intended changes to this list. The Customer may object to the addition of a Sub-processor on reasonable data-protection grounds, in which case the parties will work in good faith to resolve the objection or the Customer may terminate the Services with pro-rata refund.
§6 International transfers
Where Personal Data is transferred from the UK / EEA to a third country, NodrahWeb relies on:
- the European Commission's Standard Contractual Clauses (Module Two: Controller to Processor) for transfers from the EEA, together with the UK ICO's International Data Transfer Addendum to those clauses for transfers from the UK; and
- for transfers to the US, the EU-US Data Privacy Framework (and its UK Extension) where the receiving Sub-processor listed in §5 is certified under it.
Customers on the Scale plan may elect EU-only data residency for the backend services (Railway on AWS Frankfurt); see the dashboard → Settings → Data Residency.
§7 Data Subject requests
The Customer is responsible for responding to Data Subject requests directly. NodrahWeb provides the following dashboard tools to assist:
- Right to access / portability: the Customer can export any contact's message history as JSON via the dashboard or the /api/contacts/{id}/export endpoint.
- Right to erasure: the Customer can delete any contact and their messages via the dashboard or the /data-deletion endpoint. Deletion propagates to all Sub-processors within 30 days.
- Right to rectification: Customer can edit contact fields directly.
§8 Audit rights
The Customer may audit NodrahWeb's compliance with this DPA once per calendar year by:
- Reviewing our published security documentation;
- Requesting (in writing, 30 days' notice) a remote walk-through of our security controls with the NodrahWeb security team; or
- Receiving a copy of our SOC 2 Type I report (available Q3 2026) under NDA.
Physical inspection of NodrahWeb facilities is not offered (NodrahWeb operates a fully remote infrastructure on hyperscaler providers).
§9 Liability and indemnity
Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service, except for breach of confidentiality or wilful misconduct, to which the Terms' limits do not apply.
NodrahWeb maintains professional indemnity insurance covering data-protection liabilities up to USD 1,000,000 per incident.
§10 Term and termination
This DPA is effective on the Customer's acceptance of the Terms of Service and continues until termination of the Services. The obligations regarding deletion / return of Personal Data (clause 4.6, the final bullet of §4) survive termination.
§A1 Annex 1 — Technical and organisational measures
NodrahWeb maintains the following measures:
- Encryption: TLS 1.3 in transit; AES-256 at rest for the message store; encrypted Postgres backups.
- Access control: Role-based access on the dashboard (admin, manager, agent); production database access limited to two named engineers under MFA.
- Network: Cloudflare-fronted; WAF rules blocking common attack patterns; rate limiting on every public endpoint.
- Audit logging: Every dashboard action logged to the audit-log table; logs retained for 12 months.
- Backups: Postgres daily snapshot + 7-day point-in-time recovery; tested quarterly.
- Incident response: documented runbook; breach notification to the Customer targeted within 24 hours of confirmation, and in any case within the 72-hour maximum in clause 4; post-incident report shared with the Customer.
- Personnel: All staff sign confidentiality + acceptable-use policies; security training annually.
§A2 Annex 2 — Sub-processor notification
Sub-processor changes are notified by email to the account-holder email address. Customers can subscribe to the changelog at /blog/rss.xml to receive notifications in their feed reader.