WBM
Legal
Last updated: November 4, 2025

Data Processing Addendum (DPA)

This Data Processing Addendum forms part of the Agreement between you and Gravbox for your use of WBM and governs our processing of personal data on your behalf.

Processor commitments
We process personal data solely under your documented instructions.
Security measures
Administrative and technical safeguards designed to protect data.
International transfers
Appropriate safeguards applied where required by law.

1) Overview

This Addendum applies to personal data processed in connection with your use of WBM. Terms not defined here have the meanings in the Agreement. Where applicable laws (such as GDPR) apply, this Addendum ensures appropriate data protection obligations.

2) Roles & Responsibilities

  • You act as the data controller (or business); we act as the data processor (or service provider).
  • For account administration, billing, and platform security we may act as an independent controller.
  • Each party will comply with applicable data protection laws for its respective processing activities.

3) Scope of Processing

  • Subject matter: operation of WBM features such as inbox, automation, broadcasts, and API.
  • Duration: the term of the Agreement plus any post-termination retention required by law.
  • Nature/purpose: storage, transmission, and processing of WhatsApp messages, media, and related metadata to provide the Service.

4) Data & Data Subjects

  • Categories of data: contact info, conversation content, media, message metadata, tags/attributes, and operational logs.
  • Data subjects: your customers, prospects, end users, and team members.
  • You will not submit special categories of data unless expressly permitted and protected by appropriate safeguards.

5) Processing Instructions

  • We will process personal data only on your documented instructions, including those set out in the Agreement and your use of WBM settings.
  • If an instruction violates applicable law, we will notify you unless prohibited.
  • We may aggregate or de-identify data for security, analytics, and Service improvement in compliance with law.

6) Subprocessors

  • We may engage subprocessors for infrastructure, storage, analytics, and support under written agreements imposing data protection obligations.
  • We remain responsible for each subprocessor’s obligations and will provide notice of material changes where required.
CategoryPurpose
Cloud infrastructureHosting, databases, and media storage
Monitoring & loggingReliability, incident analysis, and performance
Support toolingTicketing, email handling, and customer help

7) Security Measures

  • Access controls, least-privilege roles, and audit logging for administrative actions.
  • Encryption in transit and at rest where supported by underlying services.
  • Segregation of environments, vulnerability management, and employee confidentiality obligations.
  • Business continuity and disaster recovery practices proportionate to the Service.

8) International Transfers

  • Where data are transferred internationally, we implement appropriate safeguards as required by law.
  • Upon request, we will provide information about transfer mechanisms in use for relevant processing.

9) Data Subject Requests

  • We will assist you, insofar as possible, with responses to requests to exercise rights of access, rectification, deletion, restriction, and portability.
  • You are responsible for verifying the requester’s identity and providing instructions through WBM or support channels.

10) Security Incidents

  • We will notify you without undue delay after becoming aware of a personal data breach affecting your data.
  • We will provide information reasonably available for you to meet applicable notification obligations.

11) Audit & Compliance

  • We will make available information necessary to demonstrate compliance with this Addendum.
  • Where required by law, audits may be conducted subject to reasonable notice, scope limits, and confidentiality.

12) Return & Deletion

  • Upon termination or on your written request, we will delete or return personal data, unless retention is required by law.
  • Backups are deleted in the ordinary course of the retention schedule.

13) Term & Termination

  • This Addendum remains in force for the duration of the Agreement and thereafter as long as we process your personal data.
  • Applicable provisions survive as necessary to fulfill legal obligations.

14) Changes to this Addendum

We may update this Addendum to reflect legal or operational changes. For material updates, we may provide notice. Continued use of WBM after the effective date constitutes acceptance.

15) Contact

Questions about data processing can be sent to support@gravbox.com.