Data Processing and Security Addendum
Last updated: March 2026
This Data Processing and Security Addendum ("DPSA") forms part of the agreement between TNT The Next Tech Ltd, trading as ChatDaddy ("Processor", "we", "us") and you ("Controller", "Customer") for the provision of the ChatDaddy Service. This DPSA sets out the terms under which the Processor processes personal data on behalf of the Controller in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.
1. Definitions
In this DPSA, the following terms have the meanings set out below. Capitalised terms not defined here have the meanings given in the GDPR or the main service agreement.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the Service.
- "Processing" means any operation performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
- "Sub-Processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
- "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
2. Scope and Purpose of Processing
2.1 Subject Matter
The Processor processes Personal Data solely for the purpose of providing the ChatDaddy Service to the Controller, as described in the main service agreement and this DPSA.
2.2 Categories of Data Subjects
- The Controller's employees and team members who use the Service.
- The Controller's customers, prospects, and end users who communicate via WhatsApp or other channels through the Service.
2.3 Types of Personal Data
- Contact information (names, phone numbers, email addresses).
- Message content (text messages, media files, documents).
- Account and authentication data.
- Usage and interaction data.
- Any other Personal Data submitted by the Controller through the Service.
2.4 Duration of Processing
Processing continues for the duration of the service agreement and for such additional period as necessary to comply with the obligations set out in this DPSA (including data return or deletion).
3. Obligations of the Controller
The Controller shall:
- Ensure that it has a lawful basis for the processing of Personal Data and that all necessary consents have been obtained from Data Subjects.
- Provide the Processor with documented instructions for the processing of Personal Data.
- Ensure that the Personal Data provided to the Processor is accurate and up to date.
- Comply with all applicable data protection laws in connection with its use of the Service.
- Inform the Processor without undue delay if it becomes aware of any circumstances that could affect the Processor's ability to comply with this DPSA.
4. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law (in which case the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law).
- Ensure that persons authorised to process Personal Data are bound by appropriate confidentiality obligations.
- Implement and maintain the technical and organisational security measures described in Section 6.
- Comply with the conditions for engaging Sub-Processors as set out in Section 5.
- Assist the Controller in responding to Data Subject requests as described in Section 8.
- Assist the Controller in ensuring compliance with its obligations regarding security, breach notification, data protection impact assessments, and prior consultation.
- At the Controller's choice, delete or return all Personal Data upon termination of the Service, as described in Section 12.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPSA.
5. Sub-Processors
5.1 General Authorisation
The Controller provides general written authorisation for the Processor to engage Sub-Processors. The Processor maintains a current list of Sub-Processors, which is available upon request at support@chatdaddy.tech.
5.2 Obligations Regarding Sub-Processors
When engaging a Sub-Processor, the Processor shall:
- Enter into a written agreement with the Sub-Processor imposing data protection obligations no less protective than those in this DPSA.
- Remain fully liable to the Controller for the performance of the Sub-Processor's obligations.
- Conduct appropriate due diligence on the Sub-Processor's security and privacy practices.
5.3 Changes to Sub-Processors
The Processor shall notify the Controller at least 30 days in advance of any intended addition or replacement of a Sub-Processor. The Controller may object to a new Sub-Processor on reasonable grounds by notifying the Processor in writing within 14 days of receiving notice. If the Controller objects, the parties shall discuss the concern in good faith. If a resolution cannot be reached, the Controller may terminate the affected portion of the Service without penalty.
5.4 Current Sub-Processors
The Processor's current Sub-Processors include, but are not limited to:
| Sub-Processor | Purpose | Location |
| --- | --- | --- |
| Amazon Web Services (AWS) | Cloud infrastructure and hosting | Various (configurable regions) |
| Google Cloud Platform | Cloud services and data processing | Various (configurable regions) |
| Meta Platforms (WhatsApp) | WhatsApp Business API messaging | United States / Global |
| Stripe | Payment processing | United States |
6. Security Measures
The Processor implements and maintains the following technical and organisational measures to ensure a level of security appropriate to the risk:
6.1 Encryption
- Encryption of data in transit using TLS 1.2 or higher.
- Encryption of data at rest using AES-256 or equivalent.
- Encryption key management with regular key rotation.
6.2 Access Control
- Role-based access control (RBAC) with the principle of least privilege.
- Multi-factor authentication (MFA) for all administrative access.
- Unique user accounts for all personnel; no shared credentials.
- Regular access reviews and prompt revocation upon role change or termination.
6.3 Network Security
- Firewalls, intrusion detection, and intrusion prevention systems.
- Network segmentation to isolate customer environments.
- DDoS protection and rate limiting.
6.4 Application Security
- Secure software development lifecycle (SDLC) practices.
- Regular vulnerability assessments and penetration testing.
- Automated security scanning in CI/CD pipelines.
- Timely patching and updating of systems and dependencies.
6.5 Organisational Measures
- Information security policies and procedures reviewed at least annually.
- Security awareness training for all employees.
- Confidentiality agreements for all personnel with access to Personal Data.
- Incident response plan with designated response team.
- Business continuity and disaster recovery plans with regular testing.
6.6 Physical Security
- Data centre facilities with physical access controls, surveillance, and environmental protections.
- All infrastructure hosted with providers maintaining SOC 2 Type II and/or ISO 27001 certifications.
7. Data Breach Notification
7.1 Notification to Controller
The Processor shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Data Breach affecting the Controller's Personal Data. The notification shall include:
- A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and records affected.
- The name and contact details of the Processor's point of contact for further information.
- A description of the likely consequences of the Data Breach.
- A description of the measures taken or proposed to address the Data Breach, including measures to mitigate its adverse effects.
7.2 Cooperation
The Processor shall cooperate with the Controller and provide all reasonable assistance to:
- Investigate and remediate the Data Breach.
- Comply with any notification obligations the Controller may have to supervisory authorities or Data Subjects.
- Mitigate the effects of the Data Breach.
8. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests to exercise their rights under applicable data protection law, including the rights of access, rectification, erasure, restriction, portability, and objection.
Where a Data Subject makes a request directly to the Processor, the Processor shall promptly forward the request to the Controller and shall not respond to the Data Subject directly unless instructed to do so by the Controller.
The Processor shall implement appropriate technical and organisational measures to assist the Controller in responding to such requests, including through self-service features within the Service where practicable.
9. International Data Transfers
The Processor shall not transfer Personal Data outside the European Economic Area (EEA) or the United Kingdom unless at least one of the following applies:
- The transfer is to a country that has been deemed to provide an adequate level of data protection by the European Commission or the UK Secretary of State, as applicable; or
- Appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) as adopted by the European Commission (Module 2: Controller to Processor), supplemented by additional technical and organisational measures where necessary; or
- A derogation under Article 49 GDPR applies.
The Processor shall conduct transfer impact assessments as required and make such assessments available to the Controller upon request.
10. Data Protection Impact Assessments
The Processor shall provide reasonable assistance to the Controller in conducting data protection impact assessments ("DPIAs") and prior consultations with supervisory authorities, to the extent that such assistance is necessary and relates to the Processing carried out by the Processor.
11. Audit Rights
11.1 Information and Audit
The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations in this DPSA. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller, subject to the following conditions:
- The Controller shall provide at least 30 days' prior written notice of any audit request.
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations.
- The Controller shall bear the costs of any audit unless the audit reveals a material breach by the Processor.
- Audits shall be limited to once per year unless a Data Breach or regulatory investigation necessitates an additional audit.
- The auditor shall be bound by appropriate confidentiality obligations.
11.2 Certifications and Reports
Where available, the Processor may satisfy audit requests by providing:
- Relevant third-party audit reports (e.g., SOC 2 Type II).
- Certifications from recognised security standards (e.g., ISO 27001).
- Completed security questionnaires or assessments.
12. Data Retention and Deletion
Upon termination or expiry of the service agreement, or upon the Controller's written request, the Processor shall:
- Cease all Processing of the Controller's Personal Data, except as required by applicable law.
- At the Controller's election, return or securely delete all Personal Data within 30 days, including any copies held by Sub-Processors.
- Provide written confirmation of deletion upon the Controller's request.
The Processor may retain Personal Data to the extent required by applicable law, provided that the Processor ensures the confidentiality of such data and processes it only for the purposes required by law.
13. Liability
Each party's liability arising out of or in connection with this DPSA is subject to the limitations and exclusions of liability set out in the main service agreement (Terms of Service). Nothing in this DPSA limits either party's liability for obligations that cannot be limited under applicable data protection law.
14. Term and Termination
This DPSA takes effect on the date the Controller first uses the Service and continues for the duration of the Processor's processing of Personal Data on behalf of the Controller. Provisions that by their nature should survive termination (including Sections 7, 8, 11, 12, and 13) shall survive.
15. Contact
For questions regarding this DPSA or to exercise any rights hereunder, contact:
TNT The Next Tech Ltd (trading as ChatDaddy)
Email: support@chatdaddy.tech
Website: chatdaddy.tech