Effective Date: May 1, 2026
This Data Processing Agreement (“DPA”) is entered into between:
ChatReach, a general partnership (Vennootschap Onder Firma), registered with the Dutch Chamber of Commerce under number 98527029, with its registered office at Kazernestraat 17, 5928 NL Venlo, The Netherlands (“Processor”),
and
The customer of ChatReach using the Platform (“Controller”).
Processor and Controller are hereinafter collectively referred to as the “Parties”.
This DPA applies to all processing of personal data carried out by Processor on behalf of Controller in connection with the use of the ChatReach platform.
This DPA forms an integral part of the Terms of Service between the Parties. In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with regard to the processing of personal data.
Processing shall be carried out in accordance with the General Data Protection Regulation (GDPR) and applicable Dutch data protection laws.
Controller determines the purposes and means of the processing of personal data.
Processor processes personal data solely on behalf of Controller and in accordance with Controller’s documented instructions, including as set out in this DPA and the Terms of Service.
Processor shall not process personal data for its own purposes.
Processor provides a SaaS platform that enables Controller to communicate with End Users through messaging channels, including WhatsApp.
Processing activities include the collection, storage, organization, transmission, and analysis of personal data in order to facilitate messaging, automation workflows, campaign delivery, and related analytics.
The duration of the processing is limited to the term of the Agreement, unless otherwise required by law.
The categories of personal data processed may include names, phone numbers, email addresses, message content, communication metadata, and any additional data provided by Controller.
The categories of data subjects include customers, leads, subscribers, and other End Users with whom Controller communicates via the Platform.
Controller acknowledges that it is solely responsible for determining which personal data is processed via the Platform.
Processor shall process personal data only on documented instructions from Controller, including those provided through the use of the Platform.
Controller hereby instructs Processor to process personal data as necessary to provide the Services.
If Processor believes that an instruction infringes applicable data protection laws, it shall inform Controller without undue delay.
Controller warrants that it:
Controller is solely responsible for the accuracy, quality, and legality of personal data and the means by which it is obtained.
Processor shall ensure that persons authorized to process personal data are subject to a duty of confidentiality or are under an appropriate statutory obligation of confidentiality.
Access to personal data shall be limited to those personnel who require it for the performance of the Services.
Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
Such measures include, but are not limited to, encryption of data in transit, access controls, authentication mechanisms, regular security updates, and internal policies designed to protect personal data against unauthorized access, loss, or disclosure.
Processor shall periodically review and update its security measures.
Processor may engage sub-processors to perform processing activities on behalf of Controller.
Processor shall ensure that any sub-processor is bound by data protection obligations that are no less protective than those set out in this DPA.
A current list of sub-processors shall be made available upon request.
Controller hereby grants general authorization for the use of sub-processors, including but not limited to infrastructure providers and Meta Platforms Ireland Ltd. for WhatsApp services.
Processor may transfer personal data outside the European Economic Area where necessary for the provision of the Services.
In such cases, Processor shall ensure that appropriate safeguards are in place, including Standard Contractual Clauses, adequacy decisions, or participation in recognized data transfer frameworks.
Processor shall, taking into account the nature of the processing, assist Controller in fulfilling its obligations under the GDPR, including:
Such assistance shall be provided within reasonable limits.
Processor shall notify Controller without undue delay after becoming aware of a personal data breach.
Such notification shall include all relevant information reasonably available to Processor.
Controller shall be responsible for any required notifications to supervisory authorities or data subjects.
Upon termination of the Agreement, Processor shall, at the choice of Controller, delete or return all personal data, unless retention is required by law.
Controller acknowledges that data may remain available for export for a limited period following termination.
Processor shall make available to Controller all information reasonably necessary to demonstrate compliance with this DPA.
Controller may request an audit, provided that such audit:
Processor may satisfy audit obligations through documentation, certifications, or third-party reports where available.
Liability under this DPA shall be subject to the limitations set out in the Terms of Service.
Each Party shall be responsible for its own compliance with applicable data protection laws.
This DPA remains in force for as long as Processor processes personal data on behalf of Controller.
Termination of the Agreement shall automatically terminate this DPA, subject to obligations relating to data deletion and confidentiality.
This DPA shall be governed by and construed in accordance with Dutch law.
ChatReach
Kazernestraat 17
5928 NL Venlo
The Netherlands
Email: hello@chatreach.com
