Data Processing Agreement

    Our commitment to protecting your data and ensuring compliance

    Last Updated: March 1, 2024

    Introduction

    This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer") and Greenbubble.io ("Processor") for the use of our WhatsApp business messaging platform services.

    This DPA addresses the requirements of the European General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act ("CCPA"), and other applicable data protection laws regarding the processing of personal data.

    By using our services, you acknowledge that Greenbubble.io will process personal data on your behalf and agree to the terms set forth in this agreement.

    Definitions

    Personal Data

    Any information relating to an identified or identifiable natural person processed through our platform, including phone numbers, names, message content, and any other data submitted through WhatsApp conversations.

    Processing

    Any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, or combination.

    Data Controller

    The Customer (you) who determines the purposes and means of processing personal data.

    Data Processor

    Greenbubble.io, which processes personal data on behalf of the Data Controller.

    Processing Details

    Nature and Purpose of Processing

    • Facilitating WhatsApp business messaging between Customer and end users
    • Providing chatbot and automation services
    • Analytics and reporting on message performance
    • Customer support and platform maintenance

    Categories of Personal Data

    • Phone numbers and WhatsApp identifiers
    • Names and profile information (when shared)
    • Message content and media files
    • Conversation metadata and timestamps
    • Device and technical information

    Categories of Data Subjects

    • End customers communicating with Customer via WhatsApp
    • Customer's employees and authorized users
    • Prospective customers and leads

    Security Measures

    We implement appropriate technical and organizational measures to ensure the security of personal data:

    Technical Measures

    • End-to-end encryption for data in transit
    • AES-256 encryption for data at rest
    • Multi-factor authentication for system access
    • Regular security audits and penetration testing
    • Automated backup and disaster recovery procedures

    Organizational Measures

    • Role-based access controls and principle of least privilege
    • Employee privacy and security training programs
    • Confidentiality agreements for all personnel
    • Incident response and breach notification procedures
    • Regular compliance audits and certifications

    Data Subject Rights

    We support the Customer in fulfilling data subject rights under applicable privacy laws:

    • Right of Access
    • Right to Rectification
    • Right to Erasure
    • Right to Restrict Processing
    • Right to Data Portability
    • Right to Object
    • Right to Withdraw Consent
    • Right to Lodge a Complaint

    International Data Transfers

    Our primary data processing occurs within the European Economic Area (EEA) and the United States. Where data transfers to third countries occur, we ensure appropriate safeguards are in place:

    • EU-US Data Privacy Framework compliance
    • Standard Contractual Clauses (SCCs) where applicable
    • Adequacy decisions by relevant supervisory authorities

    Data Retention

    We retain personal data only for as long as necessary to fulfill the purposes outlined in this DPA:

    Message Data

    Retained according to Customer's configured retention settings, up to a maximum of 7 years for compliance purposes.

    Analytics Data

    Aggregated and anonymized data may be retained indefinitely for service improvement purposes.

    Account Data

    Deleted within 30 days of account termination, unless longer retention is required by law.

    Data Breach Notification

    In the event of a personal data breach, we will:

    1. Notify the Customer without undue delay, and in any case within 72 hours of becoming aware
    2. Provide all relevant information about the breach, including its nature and likely consequences
    3. Describe the measures taken or proposed to address the breach
    4. Assist the Customer in meeting their notification obligations to supervisory authorities and data subjects

    Audit and Compliance

    We maintain comprehensive records of our processing activities and undergo regular compliance audits:

    • SOC 2 Type II certification
    • ISO 27001 compliance
    • Annual third-party security assessments
    • Customer audit rights upon reasonable request

    Data Protection Contact

    For any questions regarding this DPA or our data processing practices, please contact our Data Protection Officer:

    Email: dpo@greenbubble.io

    Address: Greenbubble.io Data Protection Officer
    30N Gould St, Sheridan
    Sheridan, Wyoming 82801, USA

    Response Time: Within 5 business days