Data Processing Agreement
Pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679
Effective date: February 11, 2026
1. Parties
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between:
Data Controller ("Controller"):
The customer who has accepted the MoltFlow Terms of Service and uses MoltFlow to process personal data of their WhatsApp contacts.
Data Processor ("Processor"):
WaiFlow
Email: [email protected]
The Controller and Processor are each a "Party" and together the "Parties." This DPA is incorporated into and subject to the terms of the Agreement. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of personal data.
2. Definitions
Unless otherwise defined herein, capitalized terms shall have the meaning given to them in the GDPR or the Agreement:
- "GDPR" means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council.
- "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") that is processed by the Processor on behalf of the Controller in connection with the Service.
- "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA. In the context of MoltFlow, Data Subjects primarily include the Controller's WhatsApp contacts.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for the transfer of personal data to third countries, as set out in Commission Implementing Decision (EU) 2021/914.
- "Service" means the MoltFlow platform and all associated services provided by WaiFlow to the Controller under the Agreement.
3. Scope and Purpose of Processing
3.1 Subject Matter
The Processor processes Personal Data on behalf of the Controller in connection with the provision of MoltFlow, a WhatsApp automation platform. The processing is necessary for the performance of the Service as described in the Agreement.
3.2 Nature and Purpose of Processing
The Processor processes Personal Data for the following purposes:
- Receiving, storing, and delivering WhatsApp messages on behalf of the Controller
- Providing AI-powered features including auto-responses, lead detection, sentiment analysis, and smart labeling
- Style training (Learn Mode) when opted into by the Controller
- Knowledge base document storage, embedding, and retrieval-augmented generation (RAG)
- Review collection and management
- Analytics and usage reporting
- Scheduled message delivery and bulk messaging
3.3 Categories of Data Subjects
- The Controller's WhatsApp contacts (message senders and recipients)
- Individuals who submit reviews via the Controller's review collectors
3.4 Types of Personal Data
- Phone numbers and contact names
- Message content (first 500 characters stored as previews)
- Message metadata (timestamps, delivery status, read receipts)
- AI-derived data (lead scores, sentiment labels, auto-generated labels)
- Review content and reviewer identifiers
- Knowledge base documents uploaded by the Controller
3.5 Duration of Processing
Processing shall continue for the duration of the Agreement. Upon termination, the Processor shall delete or return Personal Data in accordance with Section 11 of this DPA.
4. Processor Obligations
In accordance with Article 28(3) of the GDPR, the Processor shall:
4.1 Documented Instructions
Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest. The Controller's instructions are documented in the Agreement and this DPA. Additional instructions require written agreement between the Parties.
4.2 Confidentiality
Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is restricted to personnel who require such access to perform their duties in connection with the Service.
4.3 Security Measures
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the GDPR. The specific security measures are described in Section 7 of this DPA.
4.4 Sub-processor Engagement
Not engage another processor (Sub-processor) without prior specific or general written authorization of the Controller. The Controller hereby provides general written authorization for the Processor to engage Sub-processors listed in Section 5 of this DPA. The Processor shall:
- Notify the Controller at least 30 days in advance of any intended addition or replacement of Sub-processors, giving the Controller the opportunity to object
- Impose the same data protection obligations as set out in this DPA on each Sub-processor by way of a contract
- Remain fully liable to the Controller for the performance of each Sub-processor's obligations
4.5 Data Subject Rights
Taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising the Data Subject's rights as laid down in Chapter III of the GDPR (including rights of access, rectification, erasure, restriction, data portability, and objection).
4.6 Assistance with Compliance
Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor. This includes assistance with data protection impact assessments and prior consultations with supervisory authorities where required.
4.7 Deletion or Return of Data
At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data. See Section 11 for details.
4.8 Audit and Demonstration of Compliance
Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. See Section 10 for details.
5. Sub-Processors
5.1 Authorized Sub-Processors
The Controller hereby authorizes the Processor to engage the following Sub-processors:
| Sub-Processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| OpenAI, LLC | AI text generation, voice transcription, message analysis, embedding generation | USA | Standard Contractual Clauses (SCCs) |
| Stripe, Inc. | Payment processing, subscription management, invoicing | USA | Standard Contractual Clauses (SCCs) |
| Hetzner Online GmbH | Infrastructure hosting (servers, databases, storage) | Germany (EU) | EU-based (no transfer required) |
| Twilio SendGrid | Transactional email delivery (notifications, alerts) | USA | Standard Contractual Clauses (SCCs) |
5.2 Notification of Changes
The Processor shall notify the Controller at least 30 days before adding or replacing a Sub-processor. The notification shall include the Sub-processor's name, the nature of the processing, and the location of processing. The Controller may object to the addition or replacement within the 30-day notice period. If the Processor cannot reasonably accommodate the Controller's objection, the Controller may terminate the Agreement.
5.3 Sub-Processor Obligations
The Processor shall ensure that each Sub-processor is bound by data protection obligations no less protective than those set out in this DPA. The Processor shall remain fully liable to the Controller for the performance of each Sub-processor's obligations.
6. International Data Transfers
6.1 Primary Hosting
The Service's primary infrastructure is hosted in the European Union (Germany) by Hetzner Online GmbH. All databases, application servers, and persistent storage are located within the EU.
6.2 Transfers to Third Countries
Personal Data may be transferred to the United States when processed by Sub-processors (OpenAI, Stripe, SendGrid) as described in Section 5. All such transfers are subject to appropriate safeguards in accordance with Chapter V of the GDPR.
6.3 Transfer Safeguards
For transfers of Personal Data to countries outside the European Economic Area (EEA) that have not received an adequacy decision from the European Commission, the Processor relies on the following safeguards:
- Standard Contractual Clauses (SCCs): Commission Implementing Decision (EU) 2021/914, incorporated into contracts with each US-based Sub-processor
- Supplementary measures: Encryption in transit (TLS 1.3, with TLS 1.2 as the minimum) and at rest, access controls, and contractual obligations on Sub-processors to resist unlawful government access requests
- Transfer Impact Assessments: The Processor has conducted transfer impact assessments for each Sub-processor to evaluate the legal framework in the recipient country
6.4 Data Minimization in Transfers
The Processor applies data minimization principles to international transfers. Only the minimum Personal Data necessary for the Sub-processor to perform its function is transferred. For example, Stripe receives only billing-related data, not message content; OpenAI receives message content only when AI features are actively enabled by the Controller.
7. Technical and Organizational Security Measures
Pursuant to Article 32 of the GDPR, the Processor implements the following technical and organizational measures to ensure a level of security appropriate to the risk:
7.1 Encryption
- In transit: All data transmitted between the Controller, the Service, and Sub-processors is encrypted using TLS 1.3 (TLS 1.2 minimum). All API endpoints enforce HTTPS.
- At rest: Sensitive fields, including message content, contact information, and personal identifiers, are encrypted at the application layer using AES. Database volumes are additionally encrypted at the infrastructure level.
7.2 Access Control
- Authentication: User authentication via JWT tokens with configurable expiration. API keys are hashed using SHA-256 before storage (never stored in plaintext).
- Multi-tenant isolation: Strict tenant-level data isolation ensures that each Controller's data is logically separated. All database queries are scoped to the authenticated tenant.
- Role-based access: Administrative functions are restricted to authorized personnel with appropriate role assignments.
- Principle of least privilege: Access to production systems and Personal Data is limited to personnel who require it for the performance of their duties.
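As an added illustration of the two controls described in 7.2 (API keys stored only as SHA-256 hashes, and every database query scoped to the authenticated tenant), the following example is not the Processor's code. It assumes a hypothetical key format "mf_<prefix>_<secret>", an in-memory SQLite schema with `api_keys` and `messages` tables, and a 500-character preview limit as stated in 3.4; all of these are assumptions made here for the demonstration.

```python
import hashlib
import hmac
import secrets
import sqlite3
from typing import Optional

# Constructed schema for the demonstration (assumption, not the Service's schema).
SCHEMA = """
CREATE TABLE api_keys (
    prefix     TEXT PRIMARY KEY,   -- non-secret lookup handle
    key_hash   TEXT NOT NULL,      -- hex SHA-256 of the full key; the key itself is never stored
    tenant_id  TEXT NOT NULL
);
CREATE TABLE messages (
    id         INTEGER PRIMARY KEY,
    tenant_id  TEXT NOT NULL,
    preview    TEXT NOT NULL       -- first 500 characters of the message
);
"""


def _hash_key(key: str) -> str:
    # The key carries 256 bits of randomness, so an unsalted SHA-256 is an adequate
    # at-rest representation. This is NOT appropriate for user passwords, which are
    # low-entropy and need a slow, salted hash such as argon2 or bcrypt.
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def issue_key(db: sqlite3.Connection, tenant_id: str) -> str:
    """Mint a key for a tenant. The plaintext is returned once and never written to the database."""
    prefix = secrets.token_hex(4)        # 8 hex chars; fine to store and log
    secret = secrets.token_urlsafe(32)   # 32 random bytes, base64url-encoded
    key = f"mf_{prefix}_{secret}"        # hypothetical format (assumption)
    db.execute("INSERT INTO api_keys VALUES (?, ?, ?)", (prefix, _hash_key(key), tenant_id))
    db.commit()
    return key


def authenticate(db: sqlite3.Connection, presented: str) -> Optional[str]:
    """Return the tenant_id the presented key belongs to, or None if it is not valid."""
    parts = presented.split("_", 2)      # the secret may itself contain '_' (base64url)
    if len(parts) != 3 or parts[0] != "mf":
        return None
    row = db.execute(
        "SELECT key_hash, tenant_id FROM api_keys WHERE prefix = ?", (parts[1],)
    ).fetchone()
    if row is None:
        return None
    stored_hash, tenant_id = row
    # Constant-time comparison so response timing does not reveal how many
    # leading characters of the digest matched.
    if not hmac.compare_digest(stored_hash, _hash_key(presented)):
        return None
    return tenant_id


def store_message(db: sqlite3.Connection, tenant_id: str, content: str) -> int:
    """Persist only the first 500 characters as a preview, tagged with the owning tenant."""
    cur = db.execute(
        "INSERT INTO messages (tenant_id, preview) VALUES (?, ?)", (tenant_id, content[:500])
    )
    db.commit()
    return cur.lastrowid


def get_message(db: sqlite3.Connection, tenant_id: str, message_id: int) -> Optional[str]:
    """Every read filters on the authenticated tenant as well as the row id, so a valid key
    for tenant A cannot retrieve tenant B's row by guessing its id (an IDOR)."""
    row = db.execute(
        "SELECT preview FROM messages WHERE id = ? AND tenant_id = ?", (message_id, tenant_id)
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Exercise the controls on constructed data and return the observed outcomes."""
    db = open_db()
    key_a = issue_key(db, "tenant-a")
    key_b = issue_key(db, "tenant-b")
    msg_a = store_message(db, "tenant-a", "Hello from A " + "x" * 600)
    msg_b = store_message(db, "tenant-b", "Hello from B")
    tenant_a = authenticate(db, key_a)
    tampered = key_a[:-1] + ("A" if key_a[-1] != "A" else "B")  # same prefix, wrong secret
    return {
        "tenant_for_key_a": tenant_a,
        "tenant_for_key_b": authenticate(db, key_b),
        "tampered_key": authenticate(db, tampered),
        "a_reads_own": get_message(db, tenant_a, msg_a) is not None,
        "a_reads_b": get_message(db, tenant_a, msg_b),
        "preview_len": len(get_message(db, tenant_a, msg_a)),
        "plaintext_rows": db.execute(
            "SELECT count(*) FROM api_keys WHERE key_hash = ?", (key_a,)
        ).fetchone()[0],
    }


if __name__ == "__main__":
    print(demo())
```

The tenant filter belongs in the data-access function itself rather than in each caller, so that a route handler cannot forget it; the constant-time digest comparison is cheap insurance even though the prefix lookup already narrows the candidate to one row.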
7.3 Audit Logging
- Security-relevant actions (authentication events, data access, configuration changes) are logged with timestamps and actor identification.
- AI processing events are logged in audit trails for transparency and accountability.
- Logs are retained for a period sufficient to support incident investigation and compliance verification.
7.4 Automated Data Retention
- Message previews are automatically deleted after 90 days.
- Message metadata is retained for up to 1 year, then automatically purged.
- Collected reviews are automatically deleted after 90 days.
- Consent records are retained for 7 years as required by law.
- Database backups containing deleted data are purged within 30 days of source data deletion.
7.5 Network Security
- Rate limiting with atomic operations to prevent abuse and brute-force attacks.
- Security headers (HSTS, CSP, X-Frame-Options) enforced on all responses.
- Internal service communication within isolated Docker networks.
7.6 Availability and Resilience
- Infrastructure hosted on Hetzner dedicated servers in Germany with redundant components.
- Automated database backups with point-in-time recovery capability.
- Health monitoring and automated alerting for service degradation.
8. Data Breach Notification
8.1 Notification Obligation
The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Data Breach affecting Personal Data processed on behalf of the Controller. Where it is not possible to provide full information within 72 hours, the Processor shall provide initial notification with the information available and supplement it as further information becomes known.
8.2 Notification Content
The breach notification shall include, to the extent available:
- A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned
- The name and contact details of the Processor's point of contact for further information
- A description of the likely consequences of the Data Breach
- A description of the measures taken or proposed to address the Data Breach, including measures to mitigate its possible adverse effects
8.3 Cooperation
The Processor shall cooperate with the Controller and take reasonable steps as directed by the Controller to assist in the investigation, mitigation, and remediation of each Data Breach. The Processor shall assist the Controller in meeting the Controller's obligation to notify the supervisory authority (Article 33 GDPR) and affected Data Subjects (Article 34 GDPR) where applicable.
9. Data Subject Rights
9.1 Assistance with Requests
Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to Data Subject requests under Chapter III of the GDPR, including:
- Right of access (Art. 15): Providing the Controller with the ability to export Personal Data associated with a Data Subject
- Right to rectification (Art. 16): Enabling the Controller to correct inaccurate Personal Data through the Service dashboard
- Right to erasure (Art. 17): Enabling the Controller to delete Personal Data, or upon request, deleting Personal Data associated with a specific Data Subject
- Right to restriction (Art. 18): Supporting the Controller in restricting processing of specific Data Subject records
- Right to data portability (Art. 20): Providing Personal Data in a structured, commonly used, and machine-readable format
- Right to object (Art. 21): Enabling the Controller to cease processing for specific Data Subjects upon request
9.2 Direct Requests
If the Processor receives a request directly from a Data Subject regarding their Personal Data, the Processor shall promptly redirect the Data Subject to the Controller and notify the Controller of the request. The Processor shall not respond to the Data Subject directly unless authorized by the Controller or required by applicable law.
9.3 Response Timeline
The Processor shall respond to the Controller's requests for assistance with Data Subject rights without undue delay, and in any event within 10 business days of receiving the Controller's request, to enable the Controller to meet its obligations under the GDPR.
10. Audit Rights
10.1 Right to Audit
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
10.2 Audit Procedure
Audits shall be subject to the following conditions:
- The Controller shall provide at least 30 days' written notice before conducting an audit
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations
- The Controller or its mandated auditor shall comply with the Processor's reasonable security and confidentiality requirements
- Audits shall be limited to once per twelve-month period, unless a Data Breach has occurred or a supervisory authority requires additional audits
- The Controller shall bear the costs of any audit it initiates, unless the audit reveals material non-compliance by the Processor
10.3 Compliance Reports
The Processor may satisfy audit requests by providing the Controller with relevant compliance certifications, audit reports, or summaries prepared by qualified third-party auditors, provided such documentation reasonably addresses the Controller's audit objectives.
10.4 Obligation to Inform
The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes the GDPR or other Union or Member State data protection provisions.
11. Term and Termination
11.1 Duration
This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate upon termination or expiry of the Agreement, except for obligations that by their nature survive termination.
11.2 Data Deletion on Termination
Upon termination of the Agreement, the Processor shall, at the Controller's choice:
- Return: Provide the Controller with a copy of all Personal Data in a structured, commonly used, and machine-readable format within 30 days of the termination date
- Delete: Delete all Personal Data and existing copies within 30 days of the termination date, and certify such deletion in writing to the Controller
11.3 Exceptions to Deletion
The Processor may retain Personal Data to the extent required by applicable Union or Member State law. In such cases, the Processor shall ensure the confidentiality of the retained Personal Data and shall process it only for the purpose required by law. Specifically:
- Consent records may be retained for up to 7 years as required by law
- Data in automated backups shall be deleted within 30 days of the source data deletion
- Aggregated, anonymized data that cannot be used to identify a natural person may be retained indefinitely
11.4 Transition Assistance
Upon reasonable request, the Processor shall provide reasonable assistance to the Controller to facilitate the transition of processing activities to another processor or to the Controller, subject to reimbursement of reasonable costs.
12. Liability
12.1 Liability Allocation
Each Party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement (Terms of Service), except that no limitation shall apply to liabilities that cannot be limited under applicable data protection law.
12.2 Controller Responsibility
The Controller shall be solely responsible for: (a) the lawfulness of its instructions to the Processor; (b) compliance with data protection laws applicable to the Controller in its capacity as Data Controller; (c) ensuring it has a valid legal basis for processing Personal Data and for transferring such data to the Processor; and (d) informing Data Subjects about the processing carried out through the Service.
12.3 Processor Responsibility
The Processor shall be liable for damages caused by processing only where it has not complied with obligations of the GDPR specifically directed at processors, or where it has acted outside of or contrary to the lawful instructions of the Controller.
13. Contact
For questions, requests, or notifications relating to this Data Processing Agreement, please contact:
WaiFlow — Privacy Team
Email: [email protected]
To report a suspected Data Breach to the Processor, the Controller should use the email address above with the subject line "Data Breach Notification" to ensure prompt handling. Notifications from the Processor to the Controller under Section 8 will be sent to the Controller's registered account email address.
This Data Processing Agreement is incorporated into and forms part of the Terms of Service. By using MoltFlow, the Controller accepts the terms of this DPA. This DPA should be read in conjunction with the Privacy Policy.
This DPA is governed by the same governing law as the Agreement, without prejudice to the mandatory application of the GDPR and other applicable data protection laws.