Data Processing Agreement
Last updated: July 15, 2026
Between:
Mediaplatforms B.V., registered in the Netherlands with the Chamber of Commerce under number 82415889, hereinafter referred to as the "Processor";
and
The legal entity utilizing Easy Flow Builder, hereinafter referred to as the "Controller".
Whereas:
- The Controller uses the "Easy Flow Builder" platform provided by the Processor to facilitate WhatsApp communication flows;
- The Controller determines which personal data is processed and for what purposes;
- The Processor processes personal data solely on behalf of the Controller;
- The parties wish to document the processing of personal data in this Data Processing Agreement ("DPA");
1. Subject of Processing
The Processor processes the following personal data on behalf of the Controller:
- Name;
- Phone number;
- WhatsApp messages and conversation metadata.
The Controller may extend the scope of processed personal data at its discretion, such as including email or address information. The Processor solely facilitates the technical processing and does not determine which additional personal data is processed.
2. Purpose of Processing
Personal data is processed exclusively for the execution of WhatsApp communication flows as configured by the Controller. No automated decision-making with legal or similarly significant effects is applied based on this data.
3. Duration of Processing
Personal data is retained as long as the Controller's account remains active. Upon account deletion, all data is automatically deleted within 30 days. Users may modify, correct, or delete their data during their active subscription.
4. Sub-processors
The Processor engages the following sub-processors:
- Supabase (database hosting and authentication) — Subject to the Supabase Data Processing Addendum;
- Meta (WhatsApp Cloud API)(WhatsApp message delivery) — Subject to Meta's Business Terms and Data Processing Terms;
- Stripe (payment processing) — Subject to the Stripe Data Processing Agreement;
- Resend(transactional email) — Subject to Resend's Data Processing Agreement.
The Processor will inform the Controller of any intended changes to sub-processors. The Controller may object to such changes on reasonable grounds relating to data protection.
5. Security Measures
The Processor has implemented appropriate technical and organizational measures to protect personal data, including:
- Access management and role-based permissions;
- Encryption of sensitive data at rest and in transit;
- Audit logs;
- DDoS protection;
- Backups and disaster recovery procedures.
The Processor takes reasonable measures to ensure data continuity and integrity.
6. Data Subject Rights
The Processor will support the Controller in responding to data subject requests, including access, correction, and deletion requests. Data can only be deleted provided that account functionality is maintained. A WhatsApp phone number is necessary for a fully functional account. Users may anonymize their name to preserve privacy.
7. International Data Transfers
As some sub-processors (including Supabase, Meta, Stripe, and Resend) may process data outside the European Economic Area, personal data may be transferred internationally. The Processor and its sub-processors apply Standard Contractual Clauses (SCCs) and other appropriate safeguards to comply with GDPR requirements.
8. Liability
The Processor's liability is limited to the amount paid by the Controller for the use of the platform in the past twelve months. The Processor shall not be liable for indirect damages, loss of profit, or damages resulting from the Controller's use of Easy Flow Builder.
9. Governing Law and Dispute Resolution
- This DPA is governed by the laws of the Netherlands;
- Any disputes shall be exclusively submitted to the competent court in the Netherlands;
- This DPA is an integral part of the agreement between the Processor and the Controller and becomes effective upon the Controller's acceptance of the platform's Terms and Conditions.