Data Processing Agreement (DPA)
Between Filova LTD ("Processor") and the Tenant ("Controller")
Last updated: 27 June 2026
1. Definitions
- "Controller": the Tenant who determines the purposes and means of processing Personal Data of their end-users.
- "Processor": Filova LTD, which processes Personal Data on behalf of the Controller.
- "Personal Data": any information relating to an identified or identifiable natural person.
- "Processing": any operation performed on Personal Data (collection, storage, use, disclosure, deletion, etc.).
- "Data Subject": the natural person to whom Personal Data relates (i.e., the end-user messaging via WhatsApp).
- "Sub-processor": a third party engaged by the Processor to carry out specific Processing activities on behalf of the Controller.
- "Supervisory Authority": the Information Commissioner's Office (ICO) for UK personal data; the relevant EU data protection authority for EU personal data.
2. Scope and Duration
This DPA applies to all Personal Data processed by Filova LTD on behalf of the Tenant in connection with the Wava service. Duration: coterminous with the Wava Terms of Service. Upon termination of the Terms of Service, this DPA also terminates, subject to the data deletion obligations in Section 11.
3. Nature and Purpose of Processing
Processor processes Personal Data solely to provide the Wava WhatsApp customer support service, including: receiving and processing end-user WhatsApp messages, generating AI-powered responses via Anthropic Claude, storing conversation history, and providing analytics via the dashboard.
4. Categories of Personal Data and Data Subjects
| Category | Details |
|---|---|
| Data subjects | End-users of Tenant's WhatsApp channel |
| Personal data categories | WhatsApp phone number (hashed), message content, conversation metadata (timestamps, state) |
| Special category data | None intentionally processed. Tenant must not send special category data (Art. 9 GDPR / Art. 6 UK GDPR) via the Wava service. |
5. Controller's Instructions
Processor shall process Personal Data only on documented instructions from Controller (these Terms and this DPA). Controller instructs Processor to: (a) process data to provide the Service; (b) delete data per retention schedules; (c) assist with data subject rights requests. If Processor is required by law to process Personal Data beyond these instructions, Processor will inform Controller before such processing, unless prohibited by law.
6. Processor Obligations (GDPR Art. 28(3))
- Process Personal Data only on Controller's documented instructions.
- Ensure that persons authorised to process Personal Data are under appropriate confidentiality obligations.
- Implement appropriate technical and organisational security measures in accordance with Art. 32 GDPR / UK GDPR.
- Respect the conditions for engaging Sub-processors (Art. 28(2) GDPR / UK GDPR).
- Assist Controller in responding to Data Subject rights requests under Arts. 15–22 GDPR / UK GDPR.
- Assist Controller with obligations under Arts. 32–36 GDPR / UK GDPR (security, DPIA, prior consultation).
- Delete or return all Personal Data at the end of the service, and delete existing copies unless retention is required by law.
- Make available all information necessary to demonstrate compliance and allow for audits (Art. 28(3)(h)).
7. Sub-processors
Controller provides general authorisation for Processor to engage Sub-processors listed at wava.app/alt-islemciler. Processor will notify Controller of any intended changes (additions or replacements) with 30 days' notice. Controller may object in writing within 14 days of such notice. Current Sub-processors:
- Meta Platforms, Inc. (United States) — WhatsApp message delivery
- Anthropic, Inc. (United States) — AI response generation
- Supabase Inc. (EU-central-1) — Database and authentication
- Vercel Inc. (United States) — Application hosting
- Sentry (Functional Software, Inc.) (United States) — Error monitoring
8. Security Measures (Art. 32)
- (a) Encryption in transit (TLS 1.2+) and at rest.
- (b) Phone number hashing (SHA-256 + salt); raw phone numbers are not stored in plaintext.
- (c) Message content is not written to production logs.
- (d) Access controls, role-based permissions, and multi-factor authentication for staff.
- (e) Regular security testing and vulnerability assessments.
- (f) Documented incident response procedures.
9. Data Breach Notification
Processor shall notify Controller without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Controller's data. Notification shall include: the nature of the breach, categories and approximate number of Data Subjects and records affected, likely consequences of the breach, and measures taken or proposed to address the breach and mitigate its possible adverse effects.
10. Data Subject Rights
Processor shall assist Controller in responding to Data Subject requests under GDPR / UK GDPR Arts. 15–22 (right of access, rectification, erasure, restriction of processing, data portability, and objection). Controller remains solely responsible for responding to Data Subjects. Processor will action verified instructions from Controller within 30 days of receipt.
11. Data Deletion / Return
Upon termination of the Wava service, Processor shall, at Controller's election: (a) delete all Personal Data within 30 days, or (b) provide a data export in JSON format within 30 days. After 30 days from the termination date, all Personal Data shall be securely deleted from all systems (including backups). Processor shall provide written certification of deletion upon request.
12. International Transfers
Where Processor transfers Personal Data to third countries (US-based Sub-processors: Anthropic, Meta, Vercel, Sentry), Processor relies on the following transfer mechanisms:
- EU personal data: Standard Contractual Clauses (EU Commission Implementing Decision 2021/914).
- UK personal data: UK Addendum to the EU SCCs (issued by the ICO, in force March 2022) and/or the UK–US Data Bridge where applicable.
- Turkish personal data: Standard commitment form under KVKK Art. 9(2)(b) with notification to the Personal Data Protection Board (KVKK Kurulu).
13. Audit Rights
Controller may, upon 30 days' prior written notice, conduct (or commission a qualified third-party auditor to conduct) an audit of Processor's compliance with this DPA, no more than once per calendar year and at Controller's own expense. Processor will cooperate fully and provide access to relevant documentation and personnel. Audit findings shall be treated as confidential.
14. Entire Agreement
This DPA supplements and forms part of the Wava Terms of Service. In the event of conflict between this DPA and the Terms of Service with respect to data protection matters, this DPA shall prevail.
15. Governing Law
This DPA is governed by the laws of England and Wales. Any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
16. Contact
For DPA-related enquiries, please contact: privacy@filova.io
Filova LTD · 71-75 Shelton Street, London WC2H 9JQ, UK · Company No: 17263134