1. Introduction
This Data Processing Agreement (“DPA”) forms part of the agreement between Outreach Camel (“Processor,” “we,” “us”) and the customer (“Controller,” “you”) for the provision of WhatsApp outreach services.
This DPA ensures compliance with Article 28 of the General Data Protection Regulation (GDPR) and other applicable data protection laws.
2. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person processed in connection with the Services.
- “Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- “Data Subject” means the individual to whom Personal Data relates.
- “Sub-processor” means any third party engaged by Outreach Camel to process Personal Data on behalf of the Controller.
- “Services” means the WhatsApp outreach services provided by Outreach Camel, including WhatsApp session hosting, lead validation, warmup, sequencing, and unified inbox.
3. Scope of Processing
3.1 Categories of Data Subjects
Personal Data processed under this DPA may relate to:
- Your employees, contractors, and authorized users
- Your customers and prospective customers
- Recipients of WhatsApp messages sent through our platform
3.2 Types of Personal Data
- Contact information (names, phone numbers, email addresses)
- Message content and metadata
- Profile information from WhatsApp accounts
- Usage data and interaction history
- Lead validation results
3.3 Purpose of Processing
Personal Data is processed solely to provide the Services, including: sending and receiving WhatsApp messages, validating lead phone numbers, managing contact lists, executing automated sequences, hosting WhatsApp sessions, and providing analytics and reporting.
4. Processor Obligations
Outreach Camel agrees to:
- Process Personal Data only on documented instructions from the Controller, unless required by law
- Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist the Controller in responding to Data Subject requests
- Assist the Controller in ensuring compliance with security, breach notification, and data protection impact assessment obligations
- Delete or return all Personal Data upon termination of services, at the Controller’s choice
- Make available all information necessary to demonstrate compliance and allow for audits
5. Controller Obligations
The Controller agrees to:
- Ensure that there is a lawful basis for the processing of Personal Data
- Provide clear and documented instructions for processing
- Ensure that Data Subjects have been informed about the processing and their rights
- Comply with all applicable data protection laws in the use of the Services
- Obtain all necessary consents required for WhatsApp messaging activities
6. Security Measures
Outreach Camel implements and maintains appropriate technical and organizational measures to protect Personal Data, including:
- Encryption of data in transit (TLS 1.3) and at rest (AES-256)
- Access controls and authentication mechanisms
- Regular security assessments and penetration testing
- Incident response and disaster recovery procedures
- Employee training on data protection and security
- Physical security measures at data center facilities
7. Sub-processors
The Controller grants general authorization to Outreach Camel to engage Sub-processors. Outreach Camel will:
- Maintain a list of current Sub-processors available upon request
- Notify the Controller of any intended changes to Sub-processors
- Ensure Sub-processors are bound by data protection obligations no less protective than those in this DPA
- Remain liable for the acts and omissions of its Sub-processors
8. International Data Transfers
Where Personal Data is transferred outside the European Economic Area (EEA), Outreach Camel ensures appropriate safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Additional technical and organizational measures as required
9. Data Subject Rights
Outreach Camel will assist the Controller in responding to requests from Data Subjects exercising their rights, including:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object to processing
10. Data Breach Notification
In the event of a Personal Data breach, Outreach Camel will:
- Notify the Controller without undue delay and within 48 hours of becoming aware of the breach
- Provide all information necessary for the Controller to comply with breach notification obligations
- Cooperate with the Controller in investigating and mitigating the breach
- Document the breach, its effects, and remedial actions taken
11. Audit Rights
Outreach Camel will make available to the Controller all information necessary to demonstrate compliance and allow for audits, subject to:
- Reasonable advance notice (at least 30 days)
- Execution of appropriate confidentiality agreements
- Minimizing disruption to operations
- Controller bearing the costs of such audits
12. Data Retention and Deletion
Upon termination or expiration of the Services:
- Outreach Camel will delete or return all Personal Data within 30 days, at the Controller’s choice
- Controller may request data export in a commonly used format prior to termination
- Outreach Camel may retain Personal Data where required by applicable law, with appropriate safeguards
13. Term and Termination
This DPA remains in effect for the duration of the Services agreement. Obligations regarding confidentiality, data deletion, and audit rights survive termination.
14. Contact Information
For questions regarding this DPA:
Data Protection Officer
Email: dpa@outreachcamel.com