Data Processing Addendum
The contract for how we handle the personal data your customers share with you.
Last updated: 2026-06-01
This DPA forms part of the agreement between you (Customer / Controller) and ChatBolt (Processor) and applies whenever we process personal data on your behalf. If your business is subject to the GDPR, UK GDPR, CCPA/CPRA or comparable laws, the terms here apply alongside our Terms of Service and Privacy Policy.
1. Roles
You are the Controller of the personal data you upload or send through the service (your customers' phone numbers, message content, profile names, metadata). We are the Processor and act only on documented instructions from you (which include your configured settings and the features you choose to use).
2. Purpose & scope
We process the data solely to provide and improve the service you've subscribed to (deliver messages, store conversation history, train your own knowledge base, generate reports). We do not process the data for our own marketing, profiling, or model-training for other tenants.
3. Categories of data
Phone numbers, messages, message metadata (timestamps, delivery status), display names provided by WhatsApp, contact details you upload, and any custom fields you choose to store on contacts.
4. Sub-processors
The current list of sub-processors is in our Privacy Policy. We will give 30 days' notice before adding a new sub-processor; you may object in writing.
5. Security measures
- Per-tenant database isolation.
- AES-256-GCM encryption at rest for sensitive credentials.
- TLS in transit for all client connections and webhooks.
- Role-based access controls on staff side.
- Access logs and change auditing for platform-staff actions.
- Backups encrypted and access-controlled.
6. Data-subject requests
If one of your customers exercises a data-subject right (access, correction, deletion), you are the primary respondent. We will assist you with reasonable measures (e.g. data export, deletion of a specific contact) on request.
7. Audit rights
We will provide on request a summary of our security controls and any independent audit reports we have. Live audits of our infrastructure may be arranged for paid plans with reasonable notice and a confidentiality agreement.
8. Personal data breach
We will notify you without undue delay and in any case within 72 hours of becoming aware of a personal-data breach that affects your data, with the information you need to meet your own notification duties.
9. Return & deletion
On termination, you may export your data within 30 days. After that we delete it from primary storage. Backups roll off according to schedule (no more than 90 days).
10. International transfers
Where personal data is transferred across borders, we rely on appropriate safeguards (standard contractual clauses or equivalent) as required by applicable law.
11. Contact & signature
This DPA is incorporated by reference into your acceptance of our Terms of Service. If your procurement requires a counter-signed copy, email contact@chatbolt.app.