Data Processing Agreement
Last updated: April 30, 2026 · This DPA forms part of the Terms of Service
This Data Processing Agreement ("DPA") describes how Sevenoways Relay ("Processor") processes personal data on behalf of customers ("Controllers") in the course of providing the messaging platform service.
1. Definitions
- Controller: The customer who determines the purposes and means of processing personal data
- Processor: Sevenoways Relay, which processes personal data on behalf of the Controller
- Personal Data: Any information relating to an identified or identifiable natural person
- Processing: Any operation performed on personal data (collection, storage, use, transmission, deletion)
- Data Subject: The individual whose personal data is being processed (e.g., message recipients)
2. Subject Matter & Nature of Processing
The Processor facilitates the transmission of WhatsApp messages on behalf of the Controller. Processing includes:
- Temporary buffering of message content in the send queue
- Storing message delivery metadata (recipient type, status, timestamp)
- Storing WhatsApp authentication credentials for connected phone numbers
- Processing IP addresses for security and rate limiting purposes
3. Data Categories Processed
| Category | Purpose | Retention |
| --- | --- | --- |
| Account credentials (email, password hash) | Authentication | Until account deletion |
| WhatsApp session credentials | Maintaining WA connection | Until instance deletion |
| Message content (preview only) | Logging & audit | 90 days |
| Recipient identifiers (group/phone) | Message delivery | 90 days |
| IP addresses | Security, rate limiting | 30 days |
| Queue data | Reliable delivery | Purged after send/fail |
4. Controller Obligations
The Controller agrees to:
- Ensure they have a lawful basis for processing any personal data of message recipients
- Obtain any necessary consents from recipients before sending messages
- Comply with all applicable data protection laws (GDPR, CCPA, etc.)
- Not instruct the Processor to process data in a way that violates applicable law
- Notify the Processor of any data subject rights requests relating to data processed on their behalf
5. Processor Obligations
The Processor agrees to:
- Process personal data only on documented instructions from the Controller
- Ensure persons authorised to process personal data are bound by confidentiality
- Implement appropriate technical and organisational security measures (encryption, access controls)
- Assist the Controller with data subject rights requests where technically feasible
- Delete or return all personal data at the end of the service relationship
- Make available all information necessary to demonstrate compliance with this DPA
- Notify the Controller without undue delay upon becoming aware of a personal data breach
6. Sub-processors
The Processor uses the following sub-processors:
| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Cloudflare | CDN, DDoS protection, TLS termination | Global (US-based) |
| Amazon Web Services (SES) | Transactional email delivery | US East |
| VPS Provider | Server infrastructure, data storage | As configured |
7. International Data Transfers
Where personal data is transferred outside the EEA, the Processor ensures appropriate safeguards are in place, including Standard Contractual Clauses where required by applicable law.
8. Security Measures
The Processor implements the following technical and organisational measures:
- AES-256-GCM encryption for session data at rest
- bcrypt password hashing (12 rounds)
- HTTPS (TLS 1.2+) for all data in transit via Cloudflare
- HTTP security headers (HSTS, CSP, X-Frame-Options)
- IP-based rate limiting and brute-force protection
- Firewall (ufw) restricting inbound ports to 22, 80, 443
- fail2ban for SSH intrusion prevention
- Access limited to authenticated administrator only
9. Data Breach Notification
In the event of a personal data breach, the Processor will notify the affected Controller within 72 hours of becoming aware of the breach, and will provide information about the nature of the breach, categories and approximate number of individuals affected, and recommended mitigation measures.
10. Term & Termination
This DPA is effective for the duration of the service agreement. Upon termination, all personal data processed on behalf of the Controller will be deleted within 30 days, except where retention is required by law.
This DPA is incorporated into and forms part of the Terms of Service. In case of conflict, the DPA shall prevail for matters relating to personal data processing.