Data Processing Agreement
Effective date: 17 May 2025 · Last updated: 17 May 2025
1. Parties and scope
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Narayana Nexus (“Waaru”, “Processor”), and the business or individual (“Customer”, “Controller”) accessing the Waaru platform at waaru.app.
This DPA covers the processing of personal data performed by Waaru on behalf of the Customer in connection with the provision of the Waaru WhatsApp automation platform. By accepting Waaru’s Terms of Service, the Customer accepts this DPA.
2. Nature and purpose of processing
Waaru processes personal data to provide the following services on behalf of the Customer:
- Receiving, storing, and routing WhatsApp messages between the Customer’s WhatsApp Business number and their contacts
- Running automation flows triggered by incoming or outgoing messages
- Storing contact records, conversation history, and form submissions in the Customer’s workspace
- Processing message content through AI models to provide automated responses, where the Customer has enabled this feature
- Delivering outbound messages (broadcasts, notifications) to opted-in contacts
3. Categories of personal data processed
Depending on the Customer’s use of the platform, Waaru may process the following categories of data belonging to the Customer’s end contacts:
- WhatsApp phone number
- Display name as provided to or by WhatsApp
- Message content (text, media, documents)
- Structured form responses submitted via WhatsApp Flows
- Message timestamps and delivery status
Waaru does not knowingly process special category data (health, financial, biometric) unless the Customer explicitly configures workflows to collect such data. In that case, the Customer remains the Controller and is solely responsible for maintaining a lawful basis for that processing.
4. Data processing obligations
Waaru agrees to:
- Process personal data only on documented instructions from the Customer, as configured in the Waaru platform
- Ensure that personnel with access to personal data are bound by confidentiality obligations
- Implement and maintain appropriate technical and organisational security measures as described in Section 5
- Assist the Customer in responding to data subject access, correction, and erasure requests to the extent technically feasible
- Delete personal data in accordance with the retention periods in Section 8
- Notify the Customer without undue delay upon becoming aware of a personal data breach that affects the Customer’s data
5. Security measures
Waaru implements the following technical and organisational security measures:
- Encryption of data in transit using TLS 1.2 or higher on all connections
- Encryption of data at rest via AES-256 encryption on the underlying database
- Row-level workspace isolation — no Customer’s data is accessible to another Customer’s workspace
- Webhook signature verification using timing-safe comparison on all incoming events
- Role-based access control with principle of least privilege
- Short-lived authenticated sessions with JWT token expiry
6. Sub-processors
Waaru uses the following sub-processors to deliver the service. By accepting the Terms of Service, the Customer provides general authorisation for these sub-processors:
| Sub-processor | Role | Data processed |
|---|---|---|
| Meta Platforms Ireland Limited | WhatsApp Cloud API — message delivery and receipt | Message content, phone numbers, media |
| Amazon Web Services (AWS), ap-south-1 (Mumbai) | Cloud infrastructure, PostgreSQL database, and storage | All Customer workspace data |
| Vercel Inc. | Application hosting and deployment | Session data, request logs |
| Anthropic PBC | AI-powered automated responses (Claude) where the Customer has enabled this feature | Message content sent to the AI model. Per Anthropic’s API terms, data submitted via the API is not used for model training. |
| Google LLC | AI-powered automated responses (Gemini) where selected by the Customer; Google OAuth authentication | Message content where Gemini is selected; customer name and email for authentication |
| OpenAI LLC | AI-powered automated responses (GPT models) where selected by the Customer | Message content sent to the AI model. Per OpenAI’s API terms, data is not used for model training by default. |
| Razorpay Software Private Limited | Payment processing | Billing and subscription data |
| Resend Inc. | Transactional and authentication email delivery | Customer email addresses |
| Cloudflare Inc. | DNS proxy, DDoS protection, and security filtering, where applicable | IP addresses, request metadata |
Waaru will notify Customers via email at legal@waaru.app at least 14 days before any new sub-processor begins processing Customer data.
7. International data transfers
Waaru’s primary database and infrastructure is hosted on Amazon Web Services in the Mumbai region (ap-south-1), within India. Some sub-processors listed above operate outside India and may process data internationally as part of delivering their services. Waaru ensures that such transfers are subject to appropriate contractual safeguards in accordance with the Digital Personal Data Protection Act, 2023.
No claims are made regarding processing within any specific jurisdiction outside India.
8. Data retention and deletion
Waaru retains Customer data for the duration of the active subscription. After account cancellation or termination, data is retained for 30 days after the billing period ends, then permanently deleted.
Customers can delete individual contacts, conversations, or their entire workspace from the dashboard at any time. Requests for earlier deletion can be submitted to legal@waaru.app.
Billing records are retained for 7 years as required by Indian accounting law, regardless of account status.
9. Changes to this DPA
Material changes to this DPA will be communicated by email at least 14 daysbefore they take effect, consistent with Waaru’s Terms of Service.
10. Contact
For questions about this DPA, data subject requests, or to report a security incident:
Email: legal@waaru.app
Narayana Nexus, Gondia, Maharashtra, India