Data Processing Addendum
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Zatio (“Processor”) and the Operator (“Controller”). It governs the processing of personal data on behalf of the Controller in connection with the Services.
§ 01 Definitions
Terms have the meanings set out in UK GDPR and EU GDPR. “Personal Data”, “Processing”, “Data Subject”, “Data Controller”, and “Data Processor” are as defined in those regulations.
§ 02 Roles
- The Operator is the Data Controller of end-user conversations and customer data
- Zatio is the Data Processor acting on the Operator’s documented instructions
§ 03 Subject matter and duration
- Subject matter: processing of end-user personal data to deliver the Services
- Duration: for the term of the Services plus 30 days for data export, then deletion
- Nature and purpose: automated WhatsApp conversation handling, lead qualification, booking, quote generation, and follow-up
- Types of personal data: phone numbers, WhatsApp profile data, message content, metadata, any data provided by the Data Subject during conversation
- Categories of Data Subjects: the Controller’s end users and prospective customers
§ 04 Processor obligations
Zatio will:
- Process personal data only on documented instructions from the Controller
- Ensure authorised personnel are bound by confidentiality
- Implement appropriate technical and organisational security measures (Art. 32 GDPR)
- Assist the Controller with data subject rights requests
- Notify the Controller without undue delay of any personal data breach
- Delete or return personal data on termination of the Services
- Make available all information necessary to demonstrate compliance
§ 05 Sub-processors
The Controller authorises Zatio to engage the sub-processors listed in the Privacy Policy. We will notify the Controller of any intended changes, giving the Controller the opportunity to object.
§ 06 International transfers
Where personal data is transferred outside the UK / EEA, we rely on:
- UK International Data Transfer Agreement (IDTA) or Addendum
- EU Standard Contractual Clauses (SCCs) in their current approved form
§ 07 Security measures
- TLS encryption in transit
- Encryption at rest for databases and backups
- Role-based access control, with least-privilege principles
- Multi-factor authentication for all personnel
- Secret management via dedicated vaults
- Regular backups and tested recovery procedures
- Incident response procedures
- Annual review of security posture
§ 08 Audit
The Controller may request, once per year and with reasonable notice, evidence of Zatio’s compliance with this DPA. Audits must be proportionate and respect the confidentiality of Zatio’s other customers.
§ 09 Data breach notification
Zatio will notify the Controller of a personal data breach without undue delay, and in any event within 72 hours of becoming aware. The notification will include the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken.
§ 10 Return or deletion
On termination, Zatio will, at the Controller’s choice:
- Export all personal data in a commonly used format, and then
- Delete all personal data within 30 days, unless retention is required by law
§ 11 Liability
Liability under this DPA is governed by the limitations set out in the main Terms of Service.
§ 12 Contact
- Data Protection Contact (Zatio): privacy@zatio.io
- Supervisory Authority: Information Commissioner’s Office (ICO, UK) and Agencia Española de Protección de Datos (AEPD, Spain)
This DPA is available as a downloadable PDF on request.
Questions?
Email us at privacy@zatio.io. We aim to respond within 48 hours.