Data Processing Agreement (DPA)
This Data Processing Agreement (DPA) governs the processing of personal data that Nuntio Technologies Limited carries out on the customer's behalf when providing the Nuntio service, in accordance with Article 28 of Regulation (EU) 2016/679 (GDPR). It forms part of the service contract and prevails over it in matters of data protection. It applies whenever Nuntio processes personal data for which the customer is the controller.
On this page
- 1Parties and definitions
- 2Subject matter, nature, purpose and duration of the processing
- 3Types of personal data and categories of data subjects
- 4Controller's obligations: lawfulness, information, consent and WhatsApp rules
- 5Processor's obligations
- 6Sub-processors
- 7International transfers
- 8Security measures
- 9Assistance to the controller
- 10Personal data breach notification
- 11Deletion or return of the data on termination
- 12Audits and inspections
- 13California residents (CCPA/CPRA)
- 14Liability and applicable law
- 15Annex: list of sub-processors
1. Parties and definitions#
The Controller is the customer that contracts the Nuntio service: the business that decides the purposes and means of processing its own end customers' data.
The Processor is Nuntio Technologies Limited, a company registered in Ireland under number 810417, with its registered office at The Black Church, St. Mary's Place, Dublin 7, D07 P4AX (Ireland). Contact: support@nuntio.ai · Tel.: +353 1 969 2059 / +353 1 233 7942.
«GDPR» is Regulation (EU) 2016/679. The terms «personal data», «processing», «data subject», «controller», «processor», «sub-processor» and «personal data breach» have the meaning given to them by the GDPR.
This DPA applies to the processing of the personal data of the business's end customers. With respect to the data of website visitors and of the customer's own account, Nuntio acts as controller under its Privacy Policy, and that processing falls outside the scope of this agreement.
2. Subject matter, nature, purpose and duration of the processing#
The subject matter of the processing is the provision of the Nuntio service: AI-based operational assistance that handles and manages the business's conversations with its end customers, mainly through WhatsApp via Meta's WhatsApp Business Platform (official Cloud API, registered through Embedded Signup).
The nature of the processing comprises the reception, storage, organization, consultation, analysis by artificial-intelligence models, and transmission of the data needed to answer end customers, prepare quotes, manage appointments and orders, and carry out the other operational tasks the customer configures.
The purpose of the processing is solely to provide the contracted service in accordance with the controller's instructions. Nuntio does not process this data for its own purposes, does not sell it, and does not use it to train its own or third-party artificial-intelligence models.
The duration of the processing matches the term of the service contract. On termination, the data is deleted or returned in accordance with clause 11.
3. Types of personal data and categories of data subjects#
The categories of data subjects are the end customers and contacts of the business who communicate with it through the connected channels.
- Identification and contact data: name and WhatsApp phone number.
- The content of WhatsApp conversations held with the business, including files the data subject sends.
- Appointment, booking or order data: dates, times, services or products requested, and associated notes.
- Any other personal data the data subject voluntarily provides in the conversation or that the controller decides to process through the tools it connects.
The controller must refrain from configuring the service to process special categories of data (Art. 9 GDPR) unless it has an adequate legal basis for doing so and notifies Nuntio in advance. The controller determines what data is entered into the service and warrants that it has a legal basis (Art. 6 GDPR) for its processing.
4. Controller's obligations: lawfulness, information, consent and WhatsApp rules#
As controller, the customer warrants that it has a valid legal basis (Art. 6 GDPR) to process its end customers' data through Nuntio and that it has fulfilled its information duties (Arts. 13 and 14 GDPR), giving data subjects clear information about the processing, about the use of an AI-based assistant, and about Nuntio's involvement as processor.
When the controller starts conversations or sends messages through the WhatsApp Business Platform, it undertakes to comply with Meta's and WhatsApp Business's policies. In particular, it must obtain from each data subject a prior, explicit and independent consent (opt-in) to be contacted by WhatsApp, obtained by a means other than the WhatsApp channel itself and keeping proof of that consent.
- The opt-in must identify the business that will contact the data subject and the purpose, and cannot be presumed from the mere fact that the data subject has the business's number.
- The controller must offer and respect a simple opt-out mechanism. The service recognizes the cancellation keywords «BAJA» and «STOP»: when a data subject sends them, communications to that number must stop.
- The controller is solely responsible for the content it configures and for ensuring that templates and campaigns comply with WhatsApp's rules and applicable commercial-communications law.
- Where the legal basis is consent (Art. 7 GDPR), the controller must be able to demonstrate it and allow its withdrawal at any time, as easily as it was given.
Nuntio makes available to the controller the technical functions needed to record opt-outs and honor the «BAJA»/«STOP» keywords, but obtaining and managing consents, and the lawfulness of the communications, are the controller's responsibility.
5. Processor's obligations#
In accordance with Article 28(3) GDPR, Nuntio undertakes to:
- Process the personal data only on the controller's documented instructions, including for international transfers, unless required to do otherwise by law; in that case, Nuntio will inform the controller before processing, unless the law prohibits it on important public-interest grounds.
- Ensure that persons authorized to process the data have committed to confidentiality or are under a statutory confidentiality obligation.
- Adopt the appropriate technical and organizational measures required by Article 32 GDPR (clause 8).
- Respect the conditions for engaging sub-processors set out in clause 6.
- Assist the controller, by appropriate technical and organizational measures, in fulfilling its obligation to respond to data-subject rights requests (clause 9).
- Help the controller meet its obligations on security, breach notification, impact assessments (DPIAs) and prior consultations with the supervisory authority (clauses 9 and 10).
- At the controller's choice, delete or return all personal data at the end of provision, and delete existing copies, unless legally required to retain them (clause 11).
- Make available to the controller all information necessary to demonstrate compliance with the obligations of this agreement and allow and contribute to the audits and inspections provided for in clause 12.
- Not process the data for its own purposes or use it to train artificial-intelligence models.
If Nuntio considers that a controller instruction infringes the GDPR or other Union or Member State data-protection law, it will inform the controller immediately and may suspend execution of the instruction until the controller confirms, amends or withdraws it.
6. Sub-processors#
The controller generally authorizes Nuntio to engage the sub-processors listed in the Annex to clause 15 to provide the service. Nuntio enters into a contract with each sub-processor imposing data-protection obligations equivalent to those in this agreement and remains fully liable to the customer for those sub-processors' compliance.
Nuntio will inform the controller of any intended change concerning the addition or replacement of sub-processors, giving it the opportunity to object to such changes. If the controller objects on reasonable data-protection grounds and the objection cannot be resolved, it may terminate the contract with respect to the affected functions.
7. International transfers#
Nuntio prioritizes processing within the European Economic Area. Where a sub-processor processes personal data outside the EEA, that transfer relies on one of the safeguards provided for in Chapter V of the GDPR (Arts. 44 et seq.): an adequacy decision of the European Commission (including the EU–US Data Privacy Framework, where applicable) or the standard contractual clauses adopted by the European Commission, supplemented, where appropriate, with additional measures following the corresponding assessment of the destination country's safeguards.
Nuntio will only carry out international data transfers on the controller's behalf when these safeguards are in place, unless the controller documents an instruction to the contrary.
8. Security measures#
Nuntio applies appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. These include:
- Encryption of data in transit via TLS/HTTPS.
- Encryption of data at rest at the infrastructure-provider level.
- Access control restricted to authorized staff and administrators, under the principle of least privilege.
- Two-factor authentication (2FA) for administrative access.
- Logging of system access and activity monitoring.
- Minimization of the data processed and limitation to what is necessary to provide the service (Art. 5 GDPR).
- Procedures to restore the availability of and access to the data in the event of an incident, and to periodically assess the effectiveness of the measures.
Communications through WhatsApp travel end-to-end encrypted in transit by Meta's own platform; this does not constitute end-to-end encryption of the data once stored in the service. Nuntio does not claim to hold third-party security certifications. The above measures are those actually applied and may evolve to maintain or improve the level of security, without reducing it.
9. Assistance to the controller#
Taking into account the nature of the processing, Nuntio will assist the controller by appropriate technical and organizational measures, insofar as possible, so that it can handle requests from data subjects exercising their rights of access, rectification, erasure, objection, restriction and portability. If a data subject sends a request directly to Nuntio, Nuntio will forward it to the controller without undue delay and will not respond on its own account except on the controller's instruction.
Nuntio will also provide the controller, taking into account the information available to it, with reasonable assistance for carrying out data protection impact assessments (DPIAs) and for the prior consultations with the supervisory authority that the controller must make under Articles 35 and 36 GDPR.
10. Personal data breach notification#
Nuntio will notify the controller, without undue delay after becoming aware of it, of any personal data breach affecting the data processed on the controller's behalf.
The notification will describe, as far as possible, the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it and mitigate its effects. Nuntio will cooperate with the controller and provide it the information reasonably necessary for it to fulfil, where applicable, its obligations to notify the supervisory authority and the data subjects (Arts. 33 and 34 GDPR). The obligation to notify the supervisory authority and the data subjects lies with the controller, as it determines the purposes of the processing.
11. Deletion or return of the data on termination#
On termination of the service, Nuntio will, at the controller's choice, delete or return to it all personal data processed on its behalf and delete existing copies, unless a legal obligation requires their retention.
The controller may instruct this choice before the end of the contract. Failing an instruction, Nuntio will proceed with deletion after a reasonable period following termination. Backups still containing data will be deleted in accordance with the usual rotation cycles; in the meantime, that data will remain protected by the measures in clause 8 and will not be processed for any other purpose.
12. Audits and inspections#
Nuntio will make available to the controller the information necessary to demonstrate compliance with the obligations of Article 28 GDPR and this agreement, and will allow and contribute to the conduct of audits, including inspections, by the controller or an auditor mandated by it.
Audits will be requested with reasonable notice, carried out during working hours, no more than once a year except in the case of a security incident or a requirement from a supervisory authority, and in a manner that does not compromise the confidentiality of other customers' data or the security of the systems. Nuntio may satisfy these obligations, in whole or in part, by providing the relevant documentation on its security measures and its sub-processors.
13. California residents (CCPA/CPRA)#
Where the controller processes, through Nuntio, personal data of residents of the State of California subject to the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA), Nuntio acts as a «service provider» on the controller's behalf.
In that capacity, Nuntio: (i) processes the personal information solely to provide the contracted service and in accordance with the controller's instructions; (ii) does not «sell» or «share» the personal information within the meaning of the CCPA/CPRA; (iii) does not retain, use or disclose it for purposes outside the provision of the service or outside the contractual relationship; and (iv) does not combine the information with data from other sources except as permitted by the CCPA/CPRA to provide the service.
Nuntio will assist the controller, to the extent applicable to it as a service provider, in handling requests from California consumers concerning their right to know, access, correct and delete their personal information, and to opt out of sale/sharing, forwarding to the controller any request it receives directly.
14. Liability and applicable law#
Each party is liable for the damage it causes by breaching the obligations that the GDPR specifically imposes on it or those of this agreement. The liability limits agreed in the service contract also apply to this DPA to the extent permitted by law, without affecting data subjects' rights or liabilities that cannot be limited by law.
This agreement is governed by Irish law. The competent supervisory authority is the Data Protection Commission of Ireland (dataprotection.ie); data subjects resident in Spain may also turn to the Spanish Data Protection Agency (aepd.es).
15. Annex: list of sub-processors#
Nuntio uses the following sub-processors to provide the service:
- Vercel Inc. — hosting and infrastructure of the platform.
- Meta Platforms — WhatsApp Business Platform, through which messages travel under its terms.
- Artificial-intelligence model providers — processing of the service's tasks via AI models.
- Tools the customer chooses to connect — for example, accounting (Holded) or calendar (Google Calendar); in these cases the sub-processor is added by the controller's own decision.
Nuntio does not use third-party analytics providers to process customer data. (The public marketing website uses optional, consent-based Google Analytics for its own visitors — separate from the service and its data; see the site's Cookie Policy.) This list may be updated in accordance with clause 6. The current version is the one published on this page, with the date of last update indicated.