Waveloop

Data Processing Agreement

Effective Date: May 14, 2026 · Last updated: May 14, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the "Customer" or "Controller") and NextBuild Technologies Pvt. Ltd. operating the Waveloop service ("Waveloop", "we", or "Processor"), and governs the processing of personal data carried out by Waveloop on your behalf.

By using the Waveloop service to collect or process personal data (for example, by capturing email addresses through Instagram DM automations), you accept this DPA. No countersignature is required.

1. Definitions

Capitalized terms not defined here have the meaning given in the Terms of Service or applicable data protection law.

  • Controller, Processor, Data Subject, Personal Data, and Processing have the meanings given in the GDPR and equivalent terms under other applicable laws (UK GDPR, CCPA/CPRA, India's DPDP Act 2023, LGPD).
  • Sub-processor means any third party engaged by Waveloop to process personal data on Customer's behalf.
  • Data Protection Laws means all laws and regulations applicable to the processing of personal data under this DPA.

2. Roles and Responsibilities

2.1 Customer (Controller)

You determine the purposes and means of processing. You are responsible for: establishing a lawful basis (including consent) for the data you collect through Waveloop, providing privacy notices to data subjects, ensuring accuracy, restricting use to disclosed purposes, and handling data subject requests addressed directly to you.

2.2 Waveloop (Processor)

We process personal data only on your documented instructions; ensure personnel are bound by confidentiality; implement appropriate technical and organizational security measures (Section 4); engage Sub-processors only under the conditions in Section 5; assist you with data subject rights and breach notifications; notify you of any data breach without undue delay; and delete or return data on termination per Section 9.

3. Details of Processing

3.1 Nature and Purpose

Processing is carried out to provide the Waveloop service: automating Instagram DM responses; storing message templates, automations, and analytics; capturing and storing leads (e.g., email addresses) that you collect through DM flows; and providing dashboard access, export, and technical support.

3.2 Duration

Processing continues for as long as Customer uses the Service, plus up to 90 days post-termination for deletion, unless longer retention is required by law or earlier deletion is requested.

3.3 Types of Personal Data

  • Instagram usernames, profile information, and message content authorized via Meta's Graph API
  • Email addresses and other contact details captured by automations
  • Timestamps, automation logs, and engagement events
  • Custom form fields you configure

3.4 Categories of Data Subjects

  • Instagram users who comment on, message, or otherwise interact with Customer's Instagram account
  • Individuals who submit information (e.g., email) through Customer's automated DM flows

4. Security Measures

4.1 Technical Measures

  • TLS 1.2+ encryption in transit; industry-standard encryption at rest
  • Role-based access controls and multi-factor authentication for administrative access
  • Network segmentation, firewalls, and intrusion detection
  • Routine vulnerability scanning and patching
  • Secure software development practices and code review
  • Encrypted backups with restricted access

4.2 Organizational Measures

  • Confidentiality agreements for all personnel
  • Security awareness training
  • Least-privilege access and periodic access reviews
  • Documented incident response procedures
  • Vendor due diligence and contractual data-protection obligations

For a fuller description see our Security page.

5. Sub-processors

You authorize Waveloop to engage Sub-processors to provide the Service. Each Sub-processor is bound by data protection obligations equivalent to those in this DPA. Waveloop remains liable to Customer for the acts and omissions of its Sub-processors.

Current Sub-processors include:

  • Cloud hosting — application and database hosting
  • Meta Platforms, Inc. — Instagram Graph API integration
  • Stripe, Inc. — payment processing (where applicable)
  • Email delivery provider — transactional and notification email
  • Analytics provider — product analytics and error tracking

We will give at least 30 days' notice (via email or in-product) of any new Sub-processor that processes personal data on your behalf. You may object on reasonable data-protection grounds within that period; if the objection cannot be resolved you may terminate the affected portion of the Service.

6. International Data Transfers

Waveloop is operated from India by NextBuild Technologies Pvt. Ltd. Personal data may be transferred to and processed in jurisdictions where our Sub-processors operate, including the United States and the European Economic Area. Where required, transfers from the EEA, UK, or Switzerland are protected by the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and equivalent mechanisms, supplemented with additional technical and organizational measures.

7. Assistance with Data Subject Requests

Waveloop provides tools and reasonable assistance to help you respond to data subject requests:

  • Access & Rectification: dashboard view and edit of stored data
  • Erasure: per-record and bulk delete
  • Portability: CSV/JSON export of leads and configuration
  • Restriction & Objection: pause or remove automations on request

If a data subject contacts Waveloop directly, we will forward the request to Customer where applicable. We handle requests from Customer within five (5) business days.

8. Personal Data Breach Notification

Waveloop will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer's data. The notice will include, to the extent known: the nature of the breach, categories and approximate numbers of data subjects affected, likely consequences, and remedial measures taken or proposed.

Customer is responsible for assessing any obligation to notify supervisory authorities or data subjects. We will provide reasonable assistance.

9. Deletion and Return of Personal Data

On termination of the Service, or on Customer's written request, Waveloop will delete or return all personal data within 90 days, except where retention is required by applicable law (e.g., billing records). Encrypted backups are deleted on the standard backup retention schedule (typically within 12 months). On request, we will provide written confirmation of deletion.

10. Audits and Compliance

On reasonable written request (no more than once per year, unless required by a supervisory authority or in connection with a breach), Waveloop will make available information reasonably necessary to demonstrate compliance with this DPA, including security policy summaries, Sub-processor lists, and any third-party audit reports or certifications we maintain. Audits beyond reviewing such documentation must be agreed in advance and may be subject to reasonable confidentiality and cost-recovery terms.

11. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions set out in the Terms of Service, except where Data Protection Laws expressly prohibit such limitation. Customer indemnifies Waveloop against claims arising from Customer's failure to comply with its obligations as Controller under applicable Data Protection Laws.

12. Term and Termination

This DPA is effective for the duration of the Service and any subsequent processing of personal data by Waveloop on Customer's behalf. Sections 9 (Deletion), 10 (Audits), and 11 (Liability) survive termination.

13. Governing Law

This DPA is governed by the laws specified in the Terms of Service. For data subjects in the EEA, UK, or Switzerland, mandatory rights under GDPR/UK GDPR remain unaffected.

14. Changes to This DPA

We may update this DPA from time to time. Material changes will be communicated by email or in-product notice at least 30 days before they take effect.

15. Contact

NextBuild Technologies Pvt. Ltd.
Email: [email protected]
Subject line for DPA queries: Data Protection — DPA

This is a working draft of the DPA. Please have your legal counsel review and approve before relying on it in a production agreement.