1. Scope and Hierarchy
This Data Processing Agreement (“DPA”) forms an integral part of the Agreement between the Client and WatsBridge and governs the processing of personal data carried out by WatsBridge on behalf of the Client.
In the event of conflict between this DPA and other contractual documents, this DPA shall prevail with respect to data protection matters.
2. Roles and Allocation of Responsibilities
The Client acts as the data controller and determines the purposes and means of processing personal data.
WatsBridge acts as a data processor when processing personal data on behalf of the Client.
Notwithstanding the foregoing, WatsBridge may act as an independent data controller for strictly limited purposes, including but not limited to:
- security monitoring,
- fraud prevention,
- service integrity,
- billing,
- compliance obligations,
- system analytics.
Such processing shall remain strictly segregated from processing carried out on behalf of the Client.
3. Nature and Purpose of Processing
Processing activities include, without limitation:
- transmission of communications,
- storage and routing of messages,
- metadata processing,
- logging and monitoring,
- system optimization,
- security enforcement.
Processing shall be limited to what is necessary for the provision of the Services.
4. Instructions from the Client
WatsBridge shall process personal data only on documented instructions from the Client, including those expressed through configuration, API usage, or interaction with the Services.
Where an instruction is deemed unlawful or technically unfeasible, WatsBridge reserves the right to suspend execution.
5. Confidentiality
WatsBridge shall ensure that persons authorized to process personal data are bound by confidentiality obligations, whether contractual or statutory.
6. Security Measures
WatsBridge shall implement appropriate technical and organizational measures aligned with industry standards, including but not limited to:
- encryption in transit,
- access control,
- authentication mechanisms,
- logging and monitoring,
- anomaly detection.
These measures constitute obligations of means and may evolve over time.
7. Subprocessors
The Client hereby authorizes WatsBridge to engage subprocessors necessary for the provision of the Services.
Such subprocessors may include, without limitation:
- cloud infrastructure providers,
- API providers (including Meta),
- payment processors,
- monitoring and analytics services.
WatsBridge shall ensure that such subprocessors are subject to data protection obligations substantially equivalent to those set forth in this DPA.
8. International Data Transfers
Personal data may be transferred to jurisdictions outside the European Economic Area.
Where required, such transfers shall be governed by Standard Contractual Clauses (SCC), which are incorporated by reference and deemed executed.
The Client expressly authorizes such transfers.
9. Data Subject Rights
WatsBridge shall provide reasonable assistance to the Client in responding to requests from data subjects, to the extent technically feasible and proportionate.
10. Personal Data Breaches
In the event of a personal data breach affecting Client data, WatsBridge shall notify the Client without undue delay, taking into account the nature of the incident and operational constraints.
11. Return and Deletion of Data
Upon termination of the Services, personal data may be deleted or rendered inaccessible, unless retention is required for legal, evidentiary, or security purposes.
Deletion may be subject to technical constraints, including backup retention cycles.
12. Liability
Liability under this DPA shall be subject to the limitations set forth in the Terms of Use and Terms of Sale.
