Data Processing Agreement (DPA)
Last updated: 8 April 2026
This Data Processing Agreement governs how Charter Companion processes personal data on behalf of charter companies ("Controllers") when providing the AI-assisted WhatsApp guest communication service.
The DPA supplements your Service Agreement and complies with Art. 28 GDPR. It covers the processing of Charter Guest personal data (WhatsApp messages, phone numbers, session data) by Charter Companion as your data processor.
Key Terms
Subject Matter
AI-assisted guest communication via WhatsApp. The Processor handles Charter Guest messages on behalf of the Controller (your charter company).
Data Types Processed
WhatsApp phone numbers (E.164), message content, location queries, and session metadata. No sensitive or special-category data.
Retention
90-day automatic retention for all conversation data (messages, sessions, escalations). Anonymised aggregates retained indefinitely. Shorter periods available on request.
Sub-processors
Authorised sub-processors are listed in Annex B of the DPA. Prior written authorisation model with 30-day objection window for changes.
Breach Notification
The Processor notifies the Controller within 48 hours of becoming aware of a personal data breach. Notification includes nature, scope, consequences, and remediation measures.
Erasure
Hard deletion of all Charter Guest data within 72 hours of receiving a documented erasure instruction. Covers messages, sessions, escalations, and analytics profiles.
Audit Rights
The Controller may request compliance documentation once per year and conduct on-site or remote audits with 30 days' written notice.
International Transfers
Transfers to US-based sub-processors are covered by Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework (DPF).
Download
Download the full DPA template for review by your legal team. The DPA requires countersignature by both parties before it takes effect.
To execute the DPA, download the template, complete your company details in the Controller section, sign, and return to [email protected].
Related Documents
- Sub-processor List — full details of all authorised sub-processors
- Privacy Policy — how we collect, use, and protect personal data
- Terms of Service
Governing Law
This DPA is governed by the laws of the Republic of Lithuania, with exclusive jurisdiction in the courts of Vilnius.