Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between Yapper ("Processor", "we", "us") and you ("Controller", "you"), and governs the processing of personal data by the Processor on behalf of the Controller in connection with the Yapper platform (the "Service").
By using the Service, you agree to this DPA. If you have executed a separate DPA with us, that agreement takes precedence over this one to the extent of any conflict.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the Service.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, retrieval, transmission, erasure, or destruction.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates, including end users who communicate with the Controller through WhatsApp.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Applicable Data Protection Law" means all applicable laws relating to data protection, including the GDPR (EU), CCPA/CPRA (California), and LFPDPPP (Mexico).
2. Scope and Roles
The Controller determines the purposes and means of processing Personal Data. The Processor processes Personal Data only on behalf of and under the documented instructions of the Controller, except where required by applicable law.
The categories of Personal Data processed include:
- End-user phone numbers and WhatsApp profile names.
- Message content (text and media references).
- Conversation history and timestamps.
- Client profiles derived from conversations (e.g., name, language preference).
The categories of Data Subjects include:
- End users who communicate with the Controller through WhatsApp via the Service.
Processing is carried out for the purpose of providing the Service, including generating AI-powered replies, storing conversation history, and maintaining client profiles.
3. Controller Obligations
The Controller shall:
- Ensure it has a lawful basis for the processing of Personal Data and has provided all necessary notices and obtained all necessary consents from Data Subjects.
- Provide processing instructions that comply with Applicable Data Protection Law.
- Inform the Processor without undue delay of any changes to its processing instructions or applicable legal requirements.
- Disclose to end users that their messages may be processed by AI-powered systems, as required by applicable law.
4. Processor Obligations
The Processor shall:
- Process Personal Data only in accordance with the Controller's documented instructions and for no other purpose.
- Not sell, share, or otherwise make Personal Data available to third parties except as necessary to provide the Service or as required by law.
- Ensure that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.
- Implement and maintain appropriate technical and organizational security measures, as described in Section 7.
- Assist the Controller in responding to Data Subject requests, as described in Section 6.
- Notify the Controller without undue delay upon becoming aware of a Personal Data breach, as described in Section 8.
- Upon termination of the Agreement, delete or return all Personal Data to the Controller, unless retention is required by applicable law.
5. Sub-processors
The Controller grants general authorization for the Processor to engage Sub-processors to assist in providing the Service. The current list of Sub-processors is:
- Amazon Web Services (AWS) — cloud infrastructure, data storage, and compute (United States).
- Anthropic — AI model provider for generating message replies (United States).
- Meta / WhatsApp — message delivery through the WhatsApp Business API (United States / international).
The Processor shall:
- Notify the Controller at least thirty (30) days before adding or replacing a Sub-processor by updating this page and, where practicable, by email.
- Impose data protection obligations on each Sub-processor that are no less protective than those in this DPA.
- Remain fully liable for the acts and omissions of its Sub-processors.
If the Controller objects to a new Sub-processor, the Controller may terminate the affected Service by providing written notice within thirty (30) days of the notification.
6. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests under Applicable Data Protection Law, including requests for access, rectification, erasure, restriction, portability, and objection (and ARCO rights under Mexican law).
If the Processor receives a request directly from a Data Subject, it will promptly redirect the request to the Controller, unless legally required to respond directly.
7. Security Measures
The Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data, including:
- Encryption of data in transit (TLS) and at rest (AES-256).
- Access controls with role-based permissions and authentication.
- Regular security reviews and vulnerability monitoring.
- Logical separation of Personal Data between Controller accounts.
- Secure deletion of data upon termination or upon Controller request.
The Processor shall regularly evaluate and improve these measures to address evolving risks and industry practices.
8. Data Breach Notification
In the event of a Personal Data breach, the Processor shall notify the Controller without undue delay and no later than seventy-two (72) hours after becoming aware of the breach. The notification shall include:
- A description of the nature of the breach.
- The categories and approximate number of Data Subjects and records affected.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach and mitigate its effects.
The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
9. International Data Transfers
Personal Data may be transferred to and processed in countries outside the Controller's jurisdiction. Where such transfers occur, the Processor shall ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- The EU-U.S. Data Privacy Framework, where applicable.
- Any other mechanism recognized under Applicable Data Protection Law.
10. Audits
The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. Upon reasonable written request (no more than once per year), the Controller may conduct or commission an audit of the Processor's data processing practices, subject to reasonable confidentiality obligations and advance notice of at least thirty (30) days.
11. Duration and Termination
This DPA shall remain in effect for the duration of the Agreement. Upon termination of the Agreement, the Processor shall, at the Controller's choice, delete or return all Personal Data within thirty (30) days, except where retention is required by applicable law.
12. Liability
Any liability arising under or in connection with this DPA is subject to the limitations and exclusions set forth in the Agreement, including the Limitation of Liability and Disclaimer of Warranties sections. The Processor's aggregate liability under this DPA, whether in contract, tort, or otherwise, shall not exceed the limits set forth in the Agreement.
13. Controller Indemnification
The Controller shall indemnify, defend, and hold harmless the Processor from and against any claims, liabilities, damages, losses, and expenses (including reasonable attorneys' fees) arising out of or in connection with: (a) the Controller's breach of Applicable Data Protection Law; (b) the Controller's processing instructions that are unlawful or violate the rights of Data Subjects; (c) the Controller's failure to provide required notices to, or obtain required consents from, Data Subjects; or (d) claims by Data Subjects arising from the Controller's use of the Service, except to the extent such claims result from the Processor's breach of this DPA.
14. Governing Law
This DPA is governed by the same law that governs the Agreement. To the extent that Applicable Data Protection Law requires application of a specific jurisdiction's law for data processing matters, that law shall apply to the relevant provisions of this DPA.
15. Contact
For questions about this DPA, contact us at privacy@yapper.vip.