Whitrack
Legal

Data Processing Addendum

Last updated: April 23, 2026

This Data Processing Addendum (“DPA”) forms part of our Terms of Service and applies whenever Whitrack processes personal data on your behalf. You can execute a counter-signed copy by emailing legal@whitrack.com.

1. Roles

You are the Controller of customer personal data (“Customer Data”). Whitrack is the Processor. We only process Customer Data on your documented instructions (the Service itself) and as required by law.

2. Confidentiality and security

We bind all staff with access to Customer Data to confidentiality obligations. Technical and organizational measures include TLS 1.2+ in transit, AES-256 at rest, bcrypt for password hashing, SSO for internal access, least-privilege role-based access, and audit logging.

3. Subprocessors

You authorize the following subprocessors:

  • Amazon Web Services (US/EU) — hosting and storage
  • Stripe, Inc. — payments
  • Twilio, Inc. — SMS/voice
  • WhatsApp/Meta — WhatsApp Business messaging
  • Resend — transactional email
  • Anthropic, PBC — AI drafting/response generation
  • OpenAI, L.L.C. — AI drafting/response generation

We will provide at least 30 days' notice of any new subprocessor. You may object in writing; if we cannot resolve the objection we will let you terminate the affected Service at no penalty.

4. International transfers

Where personal data is transferred outside the EEA/UK, we rely on the Standard Contractual Clauses (EU Commission 2021/914) and, where applicable, the UK Addendum. A signed copy is available on request.

5. Data subject rights

We will assist you in responding to data-subject requests at no additional cost, via self-service tools in the dashboard or email support for complex cases.

6. Breach notification

We will notify you of any personal-data breach affecting your Customer Data without undue delay, and in any case within 72 hours of confirming the breach.

7. Audits

We will make available summaries of our annual security and compliance audits. On-site audits are available to Enterprise customers under NDA once per year.

8. Return and deletion

On termination, we return or delete all Customer Data within 30 days, except backups held under our standard retention cycle, which are then purged.

9. Contact

Data Protection contact: dpo@whitrack.com.