
Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the agreement between August AI (“Processor”) and the customer (“Controller”) for the provision of the August AI service, in compliance with GDPR Article 28.

Last updated: 18 May 2026

Need a signed DPA? Request a countersigned copy by emailing dpa@augusttech.io. We will execute and return a signed copy within 5 business days.


Parties

Processor

August Tech Ltd

Trading as “August AI”

Companies House 16843633

Incorporated 10 November 2025

Registered office: 112 Trent Gardens, London, England, N14 4QN

SIC 62090 · England and Wales

Data protection: dpa@augusttech.io

Controller

The customer identified in the August AI Order Form or Terms of Service acceptance, in their capacity as Controller of the personal data processed under this DPA.

A countersigned copy naming the Controller can be obtained by emailing dpa@augusttech.io.

1. Definitions

In this DPA:

  • “Controller” means the customer who determines the purposes and means of processing personal data through the August AI service.
  • “Processor” means August AI, which processes personal data on behalf of the Controller.
  • “Personal Data” means any information relating to an identified or identifiable natural person processed through the Service.
  • “Processing” means any operation performed on personal data, including collection, storage, retrieval, use, disclosure, and deletion.
  • “Sub-processor” means any third party engaged by the Processor to process personal data on behalf of the Controller.
  • “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

2. Scope and Purpose

2.1 Subject Matter. This DPA governs the processing of personal data by August AI when providing CRM automation services through the WhatsApp Business API.

2.2 Categories of Data Subjects. The personal data processed relates to:

  • The Controller's sales representatives (names, email addresses, phone numbers, WhatsApp identifiers)
  • The Controller's CRM contacts (names, email addresses, phone numbers, company information, deal details)

2.3 Types of Personal Data. The following categories of personal data may be processed:

  • Contact information (names, email addresses, phone numbers)
  • Professional information (job titles, company names)
  • CRM records (deal names, amounts, stages, notes)
  • WhatsApp message content (commands, responses, nudge messages)
  • WhatsApp identifiers (phone numbers, Linked IDs)
  • Usage and interaction logs

2.4 Purpose. Processing is carried out solely to provide the August AI service as described in the Terms of Service, including: delivering CRM nudges, processing rep commands, updating CRM records, and maintaining the admin dashboard.

3. Processor Obligations

The Processor shall:

  • Process personal data only on documented instructions from the Controller, unless required by applicable law
  • Ensure that persons authorised to process personal data are bound by obligations of confidentiality
  • Implement appropriate technical and organisational security measures (see Section 7)
  • Not engage another processor without prior written authorisation of the Controller (see Section 5)
  • Assist the Controller in responding to data subject requests (see Section 6)
  • Assist the Controller in ensuring compliance with obligations regarding security, breach notification, and data protection impact assessments
  • Delete or return all personal data upon termination of the Service (see Section 11)
  • Make available all information necessary to demonstrate compliance and allow for audits (see Section 10)

4. Controller Obligations

The Controller shall:

  • Ensure there is a lawful basis for processing personal data through the Service
  • Provide all necessary privacy notices to data subjects
  • Obtain any required consents from data subjects (e.g. WhatsApp opt-in)
  • Ensure that instructions to the Processor comply with applicable data protection law
  • Maintain appropriate records of processing activities

5. Sub-processors

5.1 Current Sub-processors. The Controller authorises the use of the sub-processors listed on our Sub-processor page.

5.2 Notification of Changes. The Processor will notify the Controller at least 30 days before adding or replacing a sub-processor, providing the opportunity to object.

5.3 Right to Object. If the Controller objects to a new sub-processor on reasonable data protection grounds, the parties will work in good faith to find an alternative. If no alternative is found, the Controller may terminate the affected services.

5.4 Sub-processor Obligations. The Processor shall impose the same data protection obligations on sub-processors as set out in this DPA, by way of a contract or other legal act.

5.5 Liability. The Processor remains fully liable to the Controller for the performance of each sub-processor's obligations.

6. Data Subject Rights

6.1 Assistance. The Processor shall assist the Controller in fulfilling its obligation to respond to data subject requests to exercise their rights under GDPR (access, rectification, erasure, restriction, portability, objection).

6.2 Notification. If the Processor receives a request from a data subject directly, it will promptly notify the Controller and will not respond unless instructed to do so.

6.3 Technical Capability. The Service supports data export (JSON format) and data deletion at the tenant and individual level, enabling the Controller to fulfil data subject requests.

7. Security Measures

The Processor implements the following technical and organisational measures:

7.1 Encryption

  • AES-256-GCM encryption of OAuth tokens and sensitive credentials at rest
  • Database-level encryption via AWS KMS (Neon)
  • TLS encryption for all data in transit
  • Dual-key decryption support for encryption key rotation

7.2 Access Control

  • PBKDF2-SHA256 password hashing (100,000 iterations)
  • HMAC-SHA256 signed session cookies (HttpOnly, Secure, SameSite=Strict)
  • Login lockout after 5 failed attempts (15-minute cooldown)
  • 2-hour idle session timeout
  • Session invalidation on password change
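The password hashing and login lockout controls listed above, as an added illustration (not August AI's code): PBKDF2-SHA256 at 100,000 iterations with a per-user random salt, constant-time verification, and a lockout after 5 failed attempts with a 15-minute cooldown. The stored-hash format, the `Account` record and `attempt_login` are constructed for this example; only the numeric parameters come from the DPA.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Parameters taken from Section 7.2 of the DPA; everything else is constructed.
PBKDF2_ITERATIONS = 100_000
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing string: pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>.

    Storing the iteration count with the hash lets the cost be raised later
    without breaking verification of older records.
    """
    salt = salt or os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest does not short-circuit on the first differing byte
    return hmac.compare_digest(digest.hex(), digest_hex)


@dataclass
class Account:
    """Constructed per-user state needed for the lockout rule."""
    password_hash: str
    failed_attempts: int = 0
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


def attempt_login(account: Account, password: str, now: float) -> str:
    """Return 'ok', 'locked' or 'bad_password'.

    The lock is checked before the password so a locked account gives the
    same answer whether or not the guess was right.
    """
    if now < account.locked_until:
        return "locked"
    if verify_password(password, account.password_hash):
        account.failed_attempts = 0
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked_until = now + LOCKOUT_SECONDS
        account.failed_attempts = 0  # counter restarts once the cooldown has passed
    return "bad_password"
```

The lock state lives on the account rather than on the client session, so it cannot be reset by clearing cookies. A real deployment would also write each failed attempt and each lockout to the audit log described in Section 7.5.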

7.3 Tenant Isolation

  • PostgreSQL Row-Level Security (RLS) on all tenant tables
  • Application-level tenant context enforcement on every query
  • Tenant-scoped API access through OAuth tokens

7.4 Webhook Security

  • Mandatory HMAC-SHA256 signature validation on Meta webhooks
  • Mandatory authentication header on WAHA webhooks
  • Replay protection (reject requests with timestamps older than 5 minutes)
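The webhook checks above, as an added example rather than August AI's own handler: an HMAC-SHA256 signature verified in constant time, and a 5-minute timestamp window for replay protection. The header names, the `sha256=<hex>` encoding (modelled on the form Meta uses for `X-Hub-Signature-256`) and the decision to sign the timestamp together with the body are assumptions of this example. That last choice is what makes the window meaningful: if the timestamp were not covered by the signature, an old body could be resent with a fresh timestamp and still verify.

```python
import hashlib
import hmac

MAX_SKEW_SECONDS = 5 * 60  # replay window from Section 7.4 of the DPA

# Constructed header names for this example (assumptions, not documented values).
SIGNATURE_HEADER = "X-Hub-Signature-256"
TIMESTAMP_HEADER = "X-Request-Timestamp"


def sign_webhook(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: MAC over '<timestamp>.<raw body>' so neither can be swapped."""
    msg = str(timestamp).encode() + b"." + body
    return "sha256=" + hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes, now: int):
    """Receiver side. Returns (accepted, reason).

    Order matters: cheap structural checks first, the timestamp window next,
    and the MAC comparison last, always over the raw request bytes (never a
    re-serialised JSON object, which may not round-trip byte for byte).
    """
    sig = headers.get(SIGNATURE_HEADER)
    ts_raw = headers.get(TIMESTAMP_HEADER)
    if not sig or not ts_raw:
        return False, "missing signature or timestamp header"
    try:
        ts = int(ts_raw)
    except ValueError:
        return False, "malformed timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale timestamp (possible replay)"
    expected = sign_webhook(secret, ts, body)
    # constant-time comparison so the MAC cannot be guessed byte by byte
    if not hmac.compare_digest(expected, sig):
        return False, "signature mismatch"
    return True, "ok"
```

The window alone still allows a verbatim replay inside the 5 minutes; a handler that must reject those as well keeps a short-lived cache of signatures it has already accepted and drops repeats.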

7.5 Monitoring

  • Comprehensive audit logging (actor, action, resource, IP, timestamp)
  • 12-month audit log retention
  • Security headers on all responses (HSTS, CSP, X-Frame-Options, etc.)

8. Data Breach Notification

8.1 Notification Timeline. The Processor shall notify the Controller of a Data Breach without undue delay, and in any event within 72 hours of becoming aware of it.

8.2 Notification Content. The notification shall include:

  • The nature of the breach, including categories and approximate number of data subjects and records affected
  • The name and contact details of the Processor's point of contact
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach and mitigate its effects

8.3 Cooperation. The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

9. International Transfers

9.1 Transfer Mechanisms. Where personal data is transferred outside the UK or EEA, the Processor relies on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreement (IDTA) or UK Addendum to SCCs
  • Adequacy decisions where available

9.2 Supplementary Measures. The Processor implements supplementary technical measures (encryption, access controls, pseudonymisation) to ensure adequate protection of transferred data.

9.3 Transfer Locations. Data may be processed in the US (Neon database, Stripe, Meta, HubSpot, Resend) and globally at Cloudflare and Vercel edge locations.

10. Audit Rights

10.1 Information. The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA.

10.2 Audits. The Controller (or an authorised third-party auditor) may conduct an audit of the Processor's processing activities, subject to:

  • Reasonable advance notice (at least 30 days)
  • Audits conducted during normal business hours
  • No more than one audit per 12-month period (unless required by a supervisory authority or triggered by a Data Breach)
  • Auditor bound by confidentiality obligations

10.3 Cooperation. The Processor shall cooperate fully with any audit and provide reasonable access to relevant facilities, systems, and personnel.

11. Data Deletion

11.1 On Termination. Upon termination of the Service, the Processor shall:

  • Cease all processing of Controller personal data
  • At the Controller's choice, return or delete all personal data within 30 days
  • Provide written confirmation of deletion upon request

11.2 Retention Exceptions. The Processor may retain personal data where required by applicable law (e.g. billing records for tax purposes), in which case the data will be isolated and protected until deletion is possible.

11.3 Deletion Scope. Deletion covers all tenant data across all systems, including:

  • Database records (tenant settings, rep mappings, sessions, nudge history)
  • WhatsApp message logs
  • Audit logs related to the tenant
  • Cached data and temporary files

12. Duration and Termination

12.1 Duration. This DPA shall remain in effect for as long as the Processor processes personal data on behalf of the Controller.

12.2 Termination. This DPA terminates automatically when the Service agreement terminates, subject to the Processor's data deletion obligations in Section 11.

12.3 Survival. Obligations regarding confidentiality, data deletion, and liability shall survive termination of this DPA.

Request a Signed Copy

Contact us with your company details and we will prepare and return a countersigned copy within 5 business days. Full Article 28 GDPR terms apply; see also our one-page Data Protection summary for procurement reviews.

