Data Processing Addendum
Effective date: June 30, 2026
1. Parties and Scope
This DPA is effective as of June 30, 2026. It applies to the extent Dualhook processes personal data on behalf of the customer in connection with the service. The customer is the controller, or a processor acting on behalf of another controller. Dualhook is the processor, or subprocessor where the customer is itself a processor.
For personal data Dualhook processes as controller, including account, billing, support, security, fraud prevention, service analytics, and administrative communications, the Privacy Policy applies instead of this DPA.
2. Customer Instructions
Dualhook will process customer personal data only on documented instructions from the customer, including the Terms, this DPA, product configuration, dashboard settings, API requests, support requests, and other written instructions accepted by Dualhook, unless required by law.
Customer instructions must comply with applicable law, Meta and WhatsApp policies, and the customer's own obligations to end users. Dualhook is not responsible for determining whether a customer's WhatsApp use, notices, consent, lawful basis, downstream systems, or retention choices are legally sufficient.
3. Processing Details
- Subject matter: providing Dualhook's WhatsApp webhook routing, monitoring, Platform API, operational alerting, support, and related SaaS functionality.
- Duration: for the term of the customer's use of Dualhook and any post-termination period needed for deletion, legal, security, billing, dispute, audit, or backup purposes.
- Nature and purpose: hosting, storing, transmitting, securing, monitoring, troubleshooting, exporting, and supporting customer-controlled operational data.
- Data subjects: customer users, organization members, tenant contacts or admins where provided through Platform API workflows, and limited WhatsApp business/end-user identifiers where present in operational metadata.
- Data categories: account identifiers, organization identifiers, connection configuration, webhook metadata, health checks, template metadata, tenant metadata, support data, audit logs, and related operational metadata.
4. WhatsApp and Meta
Meta / WhatsApp is a customer-selected third-party platform. Dualhook uses Meta APIs to configure customer-selected WhatsApp Business assets and related integrations. In the standard Webhook Override flow, message-path webhooks are routed by Meta to the customer endpoint configured in Dualhook.
Meta / WhatsApp is not listed as a Dualhook subprocessor for customer message content in the standard Webhook Override flow. Customers remain responsible for their WhatsApp Business Account, Meta assets, end-user notices, opt-ins, lawful basis, message handling, and downstream processing.
5. Confidentiality and Personnel
Dualhook will ensure that persons authorized to process customer personal data are subject to confidentiality obligations or an appropriate statutory obligation of confidentiality. Access is limited to personnel and systems with a service, support, security, legal, or operational need.
6. Security Measures
Dualhook will maintain technical and organizational measures designed to protect customer personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. The current measures are described in the Security / TOMs annex.
Dualhook may update its measures as the service evolves, provided the overall level of protection is not materially reduced.
7. Subprocessors
The customer authorizes Dualhook to use subprocessors listed on the Subprocessors page. Dualhook will impose data protection obligations on subprocessors that are substantially similar to the obligations in this DPA, taking into account the nature of the services provided.
Dualhook will provide at least 30 days' notice before adding or replacing a subprocessor, unless urgent security, availability, legal, or provider-continuity needs require a shorter period. Customers may object on reasonable data protection grounds by contacting contact@dualhook.com.
8. Assistance
Taking into account the nature of processing and the information available to Dualhook, Dualhook will provide reasonable assistance for data subject requests, security obligations, data protection impact assessments, prior consultation, and customer audits required under applicable data protection law.
Customers should first use available dashboard controls, exports, and retention settings. Additional assistance may be subject to reasonable limits and fees where permitted by law.
9. Security Incidents
Dualhook will notify the customer without undue delay after becoming aware of a personal data breach affecting customer personal data processed by Dualhook under this DPA. Notice may be provided by email, dashboard notice, or another reasonable channel.
The notice will include information reasonably available to Dualhook, such as the nature of the incident, affected data, likely consequences, mitigation measures, and a contact point for follow-up.
10. International Transfers
Customer personal data may be processed in countries outside the customer's location. Where GDPR transfer rules apply, the parties agree that the European Commission's Standard Contractual Clauses apply as needed: Module Two for controller-to-processor transfers, and Module Three for processor-to-subprocessor transfers.
The processing details in this DPA, the Subprocessors page, and the Security / TOMs annex form the relevant annex information for those clauses to the extent applicable.
11. Deletion and Return
At the end of the service, or upon a valid deletion instruction, Dualhook will delete or return customer personal data it controls as a processor, unless retention is required for legal, billing, security, fraud-prevention, dispute, audit, backup, or similar obligations.
Dashboard retention settings apply to webhook logs and health checks. Support attachment blobs are deleted 7 days after a support ticket is closed.
12. Audit
Dualhook will make available information reasonably necessary to demonstrate compliance with this DPA. Customers may request additional audit information no more than once per year unless an incident or regulator request reasonably requires more frequent review.
Any audit must be reasonable, confidential, and limited to relevant controls, and must avoid disruption to Dualhook or other customers and protect third-party confidential information.
13. Order of Precedence
If there is a conflict between this DPA and the Terms about processing customer personal data as processor, this DPA controls. For all other matters, the Terms control.