Data Processing Addendum

1. Roles

• Customer is the data controller / "data user" for Customer Data.
• Provider is the data processor for Customer Data.

Provider is a controller for Provider's own business data (billing, account administration, marketing) as described in the Privacy Notice (Provider).

2. Scope, Subject Matter, Duration

Provider processes Customer Data only to provide, maintain, secure, and support the Service, and as configured or instructed by Customer, for the duration of the subscription term.

3. Processing Details

3.1 Categories of Data Subjects

• Customer's customers/leads/contacts
• Customer's staff/Authorized Users

3.2 Types of Personal Data

May include:

• WhatsApp identifiers (phone numbers), message content, timestamps, metadata
• contact fields entered by Customer (name, email, tags, notes)
• attachments/media if uploaded or linked via WhatsApp/Service

3.3 Purpose of Processing

• messaging and conversation management
• routing/escalation and notifications
• AI-assisted drafting/classification (if enabled)
• reporting, audit logs, and support troubleshooting

4. Customer Instructions

Provider will process Customer Data only on Customer's documented instructions, including those provided through configuration and normal use of the Service.

5. Confidentiality

Provider will ensure persons authorized to process Customer Data are subject to confidentiality obligations.

6. Security Measures

Provider will implement reasonable technical and organizational security measures appropriate to the nature of the data and risks.

Minimum baseline (example):

• encryption in transit (TLS) and at rest (where supported)
• access controls and least-privilege
• tenant/workspace separation
• audit logging for key admin actions
• vulnerability management and secure SDLC practices
• backups with controlled access

7. Sub-processors

Customer authorizes Provider to use sub-processors to deliver the Service (e.g., hosting, messaging platform, AI provider, monitoring).

Provider will:

• maintain an up-to-date sub-processor list (URL: https://wharm.chat/subprocessors),
• remain responsible for sub-processors' performance under this DPA,
• provide notice of material sub-processor changes where practicable.

8. Cross-Border Transfers

Customer acknowledges Customer Data may be processed/stored outside Malaysia depending on:

• WhatsApp/Meta processing,
• Customer-selected configurations,
• Provider's hosting/sub-processors.

Provider will implement reasonable safeguards and provide information reasonably requested to support Customer's compliance obligations (including Section 129 where applicable).

9. Assistance with Data Subject Requests

Taking into account the nature of processing, Provider will provide reasonable assistance to Customer to support:

• access/correction requests,
• deletion requests,

to the extent such actions are feasible via Service features or support.

10. Incident & Breach Notification

Provider will notify Customer without undue delay after becoming aware of a security incident affecting Customer Data and will provide available information reasonably required for Customer's assessment and response. Provider will take reasonable steps to contain, investigate, and remediate the incident.

11. Data Retention, Return, and Deletion

• During the subscription term, Customer may access and export Customer Data via the Service (where available).
• Upon termination, Provider will delete or return Customer Data within 7 days upon Customer's request, except:
  • where retention is required by law, or
  • for backups retained on a rolling basis for up to 30 days.

12. Audits / Compliance Evidence

Upon request, Provider will provide reasonable information to demonstrate compliance (e.g., security overview, sub-processor list, policies). On-site audits (if any) require mutual agreement on scope, timing, and confidentiality.

13. Order of Precedence

If there is conflict between this DPA and other Platform Terms, this DPA governs matters relating to processing of Customer Data.

14. Contact

DPA inquiries: