Data Processing Agreement

Effective date: May 11, 2026

This Data Processing Agreement (“DPA”) is entered into between you (“Customer” or “Controller”) and BttrLabs Private Limited, doing business as “Watari” (“Processor”), and forms part of and is incorporated into the Terms of Service (the “Agreement”) for any Watari customer whose use of the Service involves the processing of personal data subject to the GDPR, UK GDPR, India's DPDP Act 2023, or other applicable data-protection law.

This DPA is automatically binding on use of the Service. A counter-signed PDF copy is available on request to privacy@watari.ai.

1. Definitions

Capitalised terms not defined here have the meanings given in the Agreement.

  • Customer Personal Data means Personal Data contained in Customer Content that Watari processes on behalf of Customer in connection with the Service.
  • Data Protection Laws means GDPR; UK GDPR + UK Data Protection Act 2018; India's Digital Personal Data Protection Act 2023 (“DPDP Act”); the California Consumer Privacy Act, as amended; and other equivalent data-protection laws of jurisdictions where Customer Personal Data originates.
  • GDPR means Regulation (EU) 2016/679.
  • Personal Data, Processing, Controller, Processor, Data Subject, and Personal Data Breach have the meanings given under GDPR. The Indian-equivalent terms (Data Principal, Data Fiduciary, etc.) map to those terms.
  • Sub-processor means any third party engaged by Watari to process Customer Personal Data, as listed in Exhibit B.
  • SCCs means the Standard Contractual Clauses approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021.
  • UK Addendum means the International Data Transfer Addendum to the SCCs issued by the UK Information Commissioner's Office (Version B1.0, in force 21 March 2022).

2. Roles & processing

For Customer Personal Data, Customer is the Controller (Data Fiduciary) and Watari is the Processor (Data Processor). Watari processes Customer Personal Data only on Customer's documented instructions, including those set out in this DPA, the Agreement, and the Customer's use of the Service's configurable features.

Watari will inform Customer if, in its opinion, an instruction infringes Data Protection Laws.

The details of Processing (subject matter, duration, nature, purpose, categories of Personal Data and Data Subjects) are set out in Exhibit A.

3. Confidentiality

Watari shall ensure that personnel authorised to Process Customer Personal Data are bound by a duty of confidentiality (whether contractual or statutory) and are trained on their obligations under this DPA.

4. Security

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, Watari shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These measures are described in Exhibit C.

5. Sub-processors

Customer authorises Watari to engage the Sub-processors listed in Exhibit B. The current list of Sub-processors is also published at watari.ai/legal/subprocessors.

Watari will provide Customer with at least 30 days' prior notice of the addition or replacement of any Sub-processor (the “Notice Period”) by updating Exhibit B / the public Sub-processors page and notifying subscribers to subprocessors@watari.ai. Customer may object on reasonable data-protection grounds during the Notice Period by emailing privacy@watari.ai. Where Watari is unable to accommodate the objection within a further 14 days, Customer may terminate the affected portion of the Service on written notice without further liability beyond fees accrued.

Watari will impose data-protection obligations on each Sub-processor no less protective than those set out in this DPA, and Watari remains liable for the acts and omissions of its Sub-processors as if they were its own.

6. International transfers

Customer Personal Data may be transferred outside the European Economic Area, United Kingdom, or India to the Sub-processors listed in Exhibit B. For such transfers, the parties agree:

  • From the EEA: the SCCs are incorporated by reference. Where Customer is the Controller, Module Two applies; where Watari is engaged by Customer as a Processor for onward processing, Module Three applies. Clauses are populated as follows: Clause 7 (docking) — applicable; Clause 9 (sub-processor authorisation) — Option 2 (general authorisation); Clause 11 (independent dispute resolution) — not selected; Clause 17 (governing law) — law of Ireland; Clause 18 (forum) — courts of Ireland.
  • From the UK: the UK Addendum is incorporated by reference, modifying the SCCs as set out in the Addendum.
  • From India: transfers will be made in accordance with the standard contractual clauses or equivalent transfer mechanism notified under the DPDP Act 2023 when in force. Pending notification, transfers are made on the basis of equivalent contractual protections substantively reflecting the EU SCCs.

The parties have considered the relevant Transfer Impact Assessment and the supplementary measures described in Exhibit C are sufficient to ensure an essentially equivalent level of protection.

7. Data Subject rights

Taking into account the nature of the Processing, Watari shall assist Customer with appropriate technical and organisational measures, insofar as possible, to fulfil Customer's obligation to respond to requests from Data Subjects exercising their rights (including under GDPR Articles 15-22, DPDP §11-14, CCPA §1798.100-1798.150).

Where Watari receives a request from a Data Subject in respect of Customer Personal Data, Watari will (a) not respond directly (except to confirm the request has been received and refer the Data Subject to Customer); and (b) notify Customer of the request within 5 business days.

8. Breach notification

Watari shall notify Customer without undue delay and in any event within 72 hours after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification shall include, to the extent then known: nature of the breach, categories and approximate number of Data Subjects and records affected, name and contact of the Data Protection contact, likely consequences, and measures taken or proposed.

Watari will cooperate with Customer in good faith in responding to the breach, including providing reasonable assistance to Customer in fulfilling its own notification obligations to supervisory authorities and Data Subjects.

9. Audits

Watari shall make available to Customer information reasonably necessary to demonstrate compliance with this DPA and the obligations of GDPR Article 28. On reasonable prior written request (and no more than once per twelve-month period), Watari shall provide Customer with summaries of independent third-party audit reports relating to Watari's security controls (e.g. SOC 2 Type II once available) under a non-disclosure agreement.

On-site inspections are available only where required by mandatory law (e.g. an EU supervisory authority directs an audit) and will be conducted at Customer's expense, with reasonable prior notice and during business hours, subject to confidentiality and security restrictions.

10. Deletion or return of data

On termination or expiry of the Agreement, Customer may delete its organisation immediately via Settings → Organization → Delete (organization owner only); this triggers an immediate cascade delete of Customer Personal Data. Where the deletion is not initiated by Customer, Customer may request deletion at any time by emailing privacy@watari.ai; Watari will action the request within 30 days. Retention required by applicable law (e.g. Indian tax records retained for 7 years) survives termination, in which case Watari extends the protections of this DPA to the retained Personal Data and limits further Processing to the legal obligation.

Customer may request export of Customer Personal Data in a machine-readable format (JSON / CSV) by emailing privacy@watari.ai. Self-serve export from within the application is on the near-term product roadmap; until shipped, exports are fulfilled manually within 30 days of request.

11. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.

12. Conflict & governing law

In the event of any conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict in matters relating to data protection. For transfers from the EEA, the governing-law and forum provisions of the SCCs apply. For all other matters, this DPA is governed by the laws of India, with exclusive jurisdiction of the courts of Bengaluru, Karnataka, India.

Exhibit A — Details of Processing

A.1 Subject matter

Processing of Customer Personal Data contained in customer support tickets and related metadata, for the purpose of extracting bug reports, mapping bugs to code locations, generating draft pull requests, and generating customer-facing root-cause analyses.

A.2 Duration

For the term of the Agreement, plus the deletion period set out in §10.

A.3 Nature and purpose

Collection, storage, organisation, retrieval, use, transmission to Sub-processors, disclosure to Customer's authorised users, and erasure of Customer Personal Data; all for the purpose of providing the Service.

A.4 Categories of Personal Data

  • Identifiers: name, email address, IP address, support platform user IDs.
  • Communication content: support-ticket bodies, conversation threads, attachments uploaded by Data Subjects.
  • Employment data of agents: name, email, role (agent / admin), team assignment.
  • Technical data: device, browser, OS metadata in support ticket attachments.

A.5 Categories of Data Subjects

  • Customer's end users (the originators of support tickets).
  • Customer's personnel (support agents, engineers, admins who interact with the Service).

A.6 Special categories of Personal Data

The Service is not designed to process special categories of Personal Data under GDPR Article 9 or equivalent sensitive categories under other Data Protection Laws. Customer is responsible for not submitting such data unless it has a valid legal basis to do so.

Exhibit B — Sub-processors

The current list of Sub-processors is maintained at watari.ai/legal/subprocessors and is incorporated into this DPA by reference. The list is updated as Sub-processors are added or replaced, with the 30-day Notice Period described in §5.

Exhibit C — Security measures

Watari implements the following technical and organisational measures (TOMs). Detailed descriptions of each control are maintained at watari.ai/security.

  • Encryption in transit: TLS 1.3 minimum for all customer-facing endpoints and inter-service traffic where supported by Sub-processors.
  • Encryption at rest: AES-256-GCM for OAuth tokens and other sensitive secrets; AES-256 at the storage layer for all Customer Personal Data via Supabase managed encryption.
  • Tenant isolation: all Customer Content scoped by organization_id and enforced by Postgres row-level security policies.
  • Access control: single sign-on for Watari personnel; least-privilege role-based access; admin actions audit-logged.
  • Network controls: private VPC for the primary database; restricted security-group rules; rotation of long-lived service-role credentials.
  • Monitoring: centralised application logging, error monitoring (Sentry), uptime and heartbeat checks (Better Stack).
  • Backups: automated daily database backups with a rolling 30-day retention window.
  • Incident response: documented runbook with breach-notification SLA aligned to §8 (72 hours to Controller).
  • Personnel security: employment-contract confidentiality obligations, ongoing privacy and security training.
  • Vendor management: Sub-processor selection criteria including DPA execution, equivalent transfer mechanism, and documented security posture.