Data Processing Addendum

This DPA is between Secuno LLC ("Processor") and the business customer who orders paid or enterprise services ("Controller"). It applies when Processor processes personal data on behalf of Controller in connection with the WAPing service (the "Service") and where Controller determines the purposes and means of that processing.

If Controller is a processor on behalf of its own clients, Controller remains responsible for its instructions and for obtaining authority to engage Processor. Controller's agreement with WAPing (including order form or online terms) incorporates this DPA by reference.

Capitalized terms follow the GDPR where applicable. "Personal data," "processing," "controller," "processor," and "data subject" have the meanings in applicable data protection law.

• Subject matter: Processing of personal data submitted by or on behalf of Controller through the Service (for example account data, message metadata, and content Controller chooses to route through WAPing).
• Duration: For the term of the agreement and until deletion in accordance with the agreement and Privacy Policy, unless a longer retention is required by law.
• Nature: Hosting, storage, transmission, logging, security, support, and related operations needed to provide the Service.
• Purpose: Providing the Service strictly in accordance with Controller's documented instructions and applicable law.

Categories of data subjects: Controller's end users, customers, employees, or other individuals whose data Controller uploads or causes to be processed through the Service, as determined by Controller.

Processor will process personal data only on documented instructions from Controller, including with regard to transfers to third countries, unless required by Union or Member State law to which Processor is subject — in which case Processor will inform Controller of that legal requirement before processing, unless prohibited by law.

Instructions are provided through the Service configuration, APIs, account settings, and written communications (including support tickets). Controller is responsible for the lawfulness of its instructions.

Processor ensures that persons authorized to process personal data are bound by appropriate confidentiality obligations.

Processor implements technical and organizational measures appropriate to the risk, including as described in our Security documentation. Measures may include encryption in transit, access controls, segmentation, logging, vulnerability handling, and reasonable continuity planning. Processor does not warrant perfection and does not provide third-party audit reports (for example SOC 2 or ISO 27001) it does not hold.

Controller acknowledges shared responsibility and must configure the Service securely (API keys, access policies, webhook endpoints, WhatsApp session stewardship).

Controller authorizes Processor to engage sub-processors to support the Service. Processor will impose data protection terms on sub-processors that are substantially similar to this DPA. Processor remains liable for sub-processor performance.

Processor will provide notice of new sub-processors (e.g. via email or in-product notice) and allow Controller a reasonable objection period where commercially reasonable and required by contract. A current list of sub-processor categories is available upon request to enterprise customers.

Taking into account the nature of the processing, Processor will assist Controller by appropriate technical and organizational measures, insofar as possible, for the fulfillment of Controller's obligation to respond to requests from data subjects exercising GDPR rights.

If Processor receives a request directly, it will forward it to Controller unless prohibited by law. Controller is responsible for verifying identity and responding within statutory timelines.

Processor will notify Controller without undue delay after becoming aware of a personal data breach affecting Controller data, and will provide information reasonably necessary for Controller to meet regulatory obligations, subject to legitimate restrictions (e.g. law enforcement).

At the end of the Service provision, Processor will, at Controller's choice, delete or return personal data unless storage is required by law. Deletion may follow secure wiping and backup rotation schedules.

Processor will make available information reasonably necessary to demonstrate compliance with Article 28 GDPR—for example responses to written questionnaires and summaries of practices—subject to confidentiality and security requirements. On-site or intrusive audits, penetration-test reports, or standing rights to audit more than once in twelve (12) months require advance written agreement; Processor does not maintain SOC 2 or ISO reports to hand over.

Where a genuine personal-data breach, regulatory inquiry, or material security incident involves Controller data, Processor will cooperate on reasonable supplemental information within the scope of the incident.

Where personal data originating in the EEA, UK, or Switzerland is transferred to countries without an adequacy decision, Processor will use appropriate safeguards such as Standard Contractual Clauses and supplementary measures as required.

This DPA remains in effect for the duration of processing and until Processor has deleted or returned personal data in accordance with the agreement.

For online customers, accepting the Terms or checking out with reference to this DPA constitutes signature. Enterprise customers may request a countersigned PDF for procurement records.

To request a signed copy or custom enterprise terms: [email protected] or use our contact form with "DPA request" in the subject. Plan limits and commercial terms are on Pricing.