Data Processing Agreement

Effective date: 17 May 2025 · Last updated: 17 May 2025

1. Parties and scope

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Narayana Nexus (“Waaru”, “Processor”), and the business or individual (“Customer”, “Controller”) accessing the Waaru platform at waaru.app.

This DPA covers the processing of personal data performed by Waaru on behalf of the Customer in connection with the provision of the Waaru WhatsApp automation platform. By accepting Waaru’s Terms of Service, the Customer accepts this DPA.

2. Nature and purpose of processing

Waaru processes personal data to provide the following services on behalf of the Customer:

  • Receiving, storing, and routing WhatsApp messages between the Customer’s WhatsApp Business number and their contacts
  • Running automation flows triggered by incoming or outgoing messages
  • Storing contact records, conversation history, and form submissions in the Customer’s workspace
  • Processing message content through AI models to provide automated responses, where the Customer has enabled this feature
  • Delivering outbound messages (broadcasts, notifications) to opted-in contacts

3. Categories of personal data processed

Depending on the Customer’s use of the platform, Waaru may process the following categories of data belonging to the Customer’s end contacts:

  • WhatsApp phone number
  • Display name as provided to or by WhatsApp
  • Message content (text, media, documents)
  • Structured form responses submitted via WhatsApp Flows
  • Message timestamps and delivery status

Waaru does not knowingly process special category data (health, financial, biometric) unless the Customer explicitly configures workflows to collect such data. In that case, the Customer remains the Controller and is solely responsible for maintaining a lawful basis for that processing.

4. Data processing obligations

Waaru agrees to:

  • Process personal data only on documented instructions from the Customer, as configured in the Waaru platform
  • Ensure that personnel with access to personal data are bound by confidentiality obligations
  • Implement and maintain appropriate technical and organisational security measures as described in Section 5
  • Assist the Customer in responding to data subject access, correction, and erasure requests to the extent technically feasible
  • Delete personal data in accordance with the retention periods in Section 8
  • Notify the Customer without undue delay upon becoming aware of a personal data breach that affects the Customer’s data

5. Security measures

Waaru implements the following technical and organisational security measures:

  • Encryption of data in transit using TLS 1.2 or higher on all connections
  • Encryption of data at rest via AES-256 encryption on the underlying database
  • Row-level workspace isolation — no Customer’s data is accessible to another Customer’s workspace
  • Webhook signature verification using timing-safe comparison on all incoming events
  • Role-based access control with principle of least privilege
  • Short-lived authenticated sessions with JWT token expiry

6. Sub-processors

Waaru uses the following sub-processors to deliver the service. By accepting the Terms of Service, the Customer provides general authorisation for these sub-processors:

Sub-processor | Role | Data processed
Meta Platforms Ireland Limited | WhatsApp Cloud API — message delivery and receipt | Message content, phone numbers, media
Amazon Web Services (AWS), ap-south-1 (Mumbai) | Cloud infrastructure, PostgreSQL database, and storage | All Customer workspace data
Vercel Inc. | Application hosting and deployment | Session data, request logs
Anthropic PBC | AI-powered automated responses (Claude) where the Customer has enabled this feature | Message content sent to the AI model. Per Anthropic’s API terms, data submitted via the API is not used for model training.
Google LLC | AI-powered automated responses (Gemini) where selected by the Customer; Google OAuth authentication | Message content where Gemini is selected; customer name and email for authentication
OpenAI LLC | AI-powered automated responses (GPT models) where selected by the Customer | Message content sent to the AI model. Per OpenAI’s API terms, data is not used for model training by default.
Razorpay Software Private Limited | Payment processing | Billing and subscription data
Resend Inc. | Transactional and authentication email delivery | Customer email addresses
Cloudflare Inc. | DNS proxy, DDoS protection, and security filtering, where applicable | IP addresses, request metadata

Waaru will notify Customers via email at legal@waaru.app at least 14 days before any new sub-processor begins processing Customer data.

7. International data transfers

Waaru’s primary database and infrastructure are hosted on Amazon Web Services in the Mumbai region (ap-south-1), within India. Some sub-processors listed above operate outside India and may process data internationally as part of delivering their services. Waaru ensures that such transfers are subject to appropriate contractual safeguards in accordance with the Digital Personal Data Protection Act, 2023.

No claims are made regarding processing within any specific jurisdiction outside India.

8. Data retention and deletion

Waaru retains Customer data for the duration of the active subscription. After account cancellation or termination, data is retained for 30 days after the billing period ends, then permanently deleted.

Customers can delete individual contacts, conversations, or their entire workspace from the dashboard at any time. Requests for earlier deletion can be submitted to legal@waaru.app.

Billing records are retained for 7 years as required by Indian accounting law, regardless of account status.

9. Changes to this DPA

Material changes to this DPA will be communicated by email at least 14 days before they take effect, consistent with Waaru’s Terms of Service.

10. Contact

For questions about this DPA, data subject requests, or to report a security incident:

Email: legal@waaru.app
Narayana Nexus, Gondia, Maharashtra, India