Effective Date: 1 January 2025 | Last Updated: 20 May 2025
This Data Processing Agreement ("DPA") is incorporated into and forms part of the FaidaAI Terms of Service. It applies when Sahan Labs ("Processor") processes personal data on behalf of the Customer ("Controller") in order to provide the FaidaAI service.
1. Definitions
- Controller: The Customer (you, the business) who determines the purpose and means of processing personal data
- Processor: Sahan Labs / FaidaAI, who processes personal data on behalf of the Controller
- Personal Data: Any information relating to an identified or identifiable natural person — including your end customers' names, phone numbers, and message content
- Processing: Any operation performed on personal data — collection, storage, use, transmission, or deletion
- Data Subject: The individual whose personal data is being processed — your WhatsApp customers
- Sub-processor: A third party engaged by FaidaAI to assist in processing personal data
2. Roles & Responsibilities
The Customer acts as the Data Controller for all personal data of their end customers processed through FaidaAI. The Customer is responsible for:
- Ensuring they have a lawful basis to collect and process their customers' data via WhatsApp
- Obtaining any necessary consents or opt-ins from their WhatsApp customers
- Complying with applicable data protection laws in their jurisdiction
- Providing FaidaAI with instructions for how to process that data
Sahan Labs acts as the Data Processor and processes personal data only on documented instructions from the Controller, only for the purpose of delivering the FaidaAI service.
3. Nature & Purpose of Processing
- Nature: Automated processing of WhatsApp messages to generate AI responses, store conversation history, manage orders, and provide analytics
- Purpose: Delivery of the FaidaAI WhatsApp automation service
- Categories of data: Customer names, phone numbers, WhatsApp message content, order details
- Categories of data subjects: End customers who contact your business via WhatsApp
- Duration: For the term of the Customer's subscription, plus 90 days after termination
4. Processor Obligations
As Data Processor, Sahan Labs agrees to:
- Process personal data only on documented instructions from the Controller
- Ensure that all personnel who access personal data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures (see Section 5)
- Not engage sub-processors without prior written authorisation from the Controller (general authorisation is granted for those listed in Section 6)
- Assist the Controller in responding to data subject rights requests within 72 hours of receipt
- Notify the Controller of any personal data breach within 72 hours of becoming aware of it
- Delete or return all personal data upon termination of the agreement
- Make available all information necessary to demonstrate compliance with this DPA
5. Security Measures
FaidaAI implements the following technical and organisational measures:
- Encryption: TLS 1.3 for data in transit; AES-256 encryption for data at rest
- Access Control: Role-based access controls; principle of least privilege; MFA for administrative access
- Authentication: bcrypt password hashing (cost factor 12); JWT tokens with short expiry
- Infrastructure: Enterprise cloud providers (Railway, Supabase) with SOC 2 / ISO 27001 certification
- Monitoring: Real-time security monitoring, intrusion detection, and automated alerts
- Backups: Daily automated backups with 30-day retention, encrypted at rest
- Testing: Regular penetration testing and vulnerability scanning
6. Approved Sub-processors
The Customer grants general authorisation to use the following sub-processors. We will notify Customers of any changes to this list with at least 14 days' notice.
| Sub-processor | Location | Purpose |
|---|---|---|
| Meta / WhatsApp | USA / Global | WhatsApp message delivery via Business API |
| OpenAI | USA | AI response generation (GPT models) |
| Supabase | USA (AWS) | PostgreSQL database hosting |
| Railway | USA | Backend application hosting |
| Vercel | USA / Global | Frontend hosting and CDN |
| Sentry | USA | Error monitoring (no personal data in payloads) |
7. International Transfers
Personal data may be transferred to and processed in countries outside of Kenya or the EEA by our sub-processors (listed above). Such transfers are governed by appropriate safeguards including Standard Contractual Clauses (SCCs) as approved by the European Commission, ensuring an equivalent level of protection.
8. Data Subject Rights
When a data subject exercises their rights (access, deletion, correction, portability) directly with FaidaAI, we will redirect them to the Controller (the Customer) within 48 hours. We will assist the Controller in fulfilling data subject requests by providing the necessary tools and data exports.
9. Data Breach Notification
In the event of a confirmed personal data breach affecting Customer data, FaidaAI will:
- Notify the Controller within 72 hours of becoming aware of the breach
- Provide details of the nature, scope, and likely consequences of the breach
- Describe the measures taken or proposed to address the breach
- Cooperate fully with the Controller's incident response process
10. Termination & Data Deletion
Upon termination of the Customer's FaidaAI account, all personal data will be deleted within 90 days, except where retention is required by law. The Customer may request a full data export prior to deletion.
11. Contact
For DPA-related enquiries or to request a signed DPA for enterprise compliance:
Email: hello@faidaai.com
Address: Sahan Labs, Nairobi, Kenya
