Data Processing Agreement

3.1 Types of Personal Data Processed

• Contact Information: Names, email addresses, phone numbers, mailing addresses, business information, social media handles (WhatsApp, Instagram, Facebook, TikTok usernames), profile pictures and avatars
• Conversation Data: Message content (text, images, audio, video), conversation history and metadata, timestamps, sender/recipient information, delivery and read status, attachments and files
• Behavioral & Interaction Data: Usage patterns and interaction frequency, conversation duration and engagement metrics, workflow automation triggers, AI feature usage history
• Business Data: Opportunities, pipeline stages, deal values, custom field values, labels, tags, appointment and calendar information
• System & Technical Data: IP addresses and device identifiers, login times and access logs, API usage and rate limiting data, error and debugging logs

3.2 Purpose of Processing

Be Digital processes personal data to:

• Provide multi-channel messaging functionality (WhatsApp, Instagram, Facebook, TikTok)
• Execute automation workflows and scheduled tasks
• Deliver AI-powered suggestions and response generation
• Maintain conversation history and contact databases
• Enable real-time messaging via Socket.IO
• Process background jobs via Inngest
• Provide analytics and reporting
• Authenticate users and manage workspace access
• Ensure platform security and prevent fraud
• Comply with legal obligations

3.3 Duration of Processing

• Active Processing: Data is processed and stored while your workspace is active
• Backup Retention: Backup data is retained for 30 days after deletion for disaster recovery
• Legal Retention: Data may be retained longer if required by law
• Termination: Upon workspace termination, personal data is deleted or anonymized within 30 days

5.1 Right of Access

• Data subjects may request copies of their personal data
• You must respond to such requests within 30 days
• Be Digital will assist by providing tools for data export

5.2 Right to Rectification

• Data subjects may request correction of inaccurate data
• You may update contact information within the Platform
• Be Digital will facilitate corrections upon your request

5.3 Right to Erasure ("Right to be Forgotten")

• Data subjects may request deletion of their personal data
• You must submit deletion requests to Be Digital
• Be Digital will delete data (except backup and legally required retention) within 30 days
• Deletion applies to active storage; backups follow retention schedules

5.4 Right to Restrict Processing

• You may request limitation of data processing
• Be Digital will restrict processing upon your written request
• Restricted data is retained but not actively processed

5.5 Right to Data Portability

• Data subjects may request their personal data in a structured, machine-readable format
• You may export workspace data in JSON format
• Be Digital will facilitate export within 30 days

5.6 Right to Object

• Data subjects may object to processing for marketing or legitimate interest purposes
• You must honor such objections
• Be Digital will assist by disabling relevant features per your request

5.7 Rights Related to Automated Decision-Making

• Be Digital's AI features provide suggestions; you make final decisions
• Users are not subject to purely automated decisions with legal consequences
• You may request human review of automation-based decisions

6.1 Infrastructure & Storage

• PostgreSQL Database — Primary data storage
• DigitalOcean Spaces — File and media storage
• Redis — Real-time messaging cache

6.2 Communication & Messaging

• Meta WhatsApp Cloud API v23.0 — WhatsApp messaging (contact info, messages, media)
• Meta Instagram API — Instagram messaging (contact info, messages, media)
• Meta Facebook API — Facebook messaging (contact info, messages, media)
• TikTok Messaging API — TikTok messaging (contact info, messages, media)

6.3 AI & Automation

• Inngest — Background job execution (workflow data, triggers)
• Claude / OpenAI / Gemini — AI-powered suggestions (message content, if enabled)

6.4 Payment Processing

• Stripe — Payment processing (billing data, transaction records)

6.5 Email & Notifications

• SMTP Provider — Email notifications (email addresses, notification content)

6.6 Changes to Sub-Processors

• We may add or change Sub-Processors to improve services
• We will notify you 30 days before material changes
• You may object to new Sub-Processors in writing
• Continued use after the change period implies consent

7.1 Geographic Scope

Be Digital processes data primarily within the European Union. Depending on your jurisdiction, data may be transferred internationally:

• EU to Non-EU: May require Standard Contractual Clauses (SCCs) or Binding Corporate Rules
• California/Other States: Subject to applicable state privacy laws
• Other Jurisdictions: Transfer mechanisms per applicable law

7.2 Standard Contractual Clauses

For international transfers, Be Digital relies on:

• EU Standard Contractual Clauses (SCCs) for GDPR compliance
• Supplementary safeguards as required by regulation
• Adequacy decisions where applicable

8.1 Messaging Consent

You are responsible for obtaining consent before:

• Messaging customers on WhatsApp, Instagram, Facebook, or TikTok
• Collecting contact information from customers
• Using conversation data for marketing or secondary purposes

8.2 AI Processing Consent

• If you enable AI features, personal data may be processed by external AI providers
• You must obtain data subject consent for AI processing
• AI processing is clearly labeled in the Platform
• You may disable AI features anytime

8.3 Proof of Consent

• You must maintain records of customer consent
• Be Digital does not provide consent tracking
• You are responsible for compliance with anti-spam laws (CAN-SPAM, GDPR, CASL, LGPD, etc.)

9.1 Security Measures

Be Digital implements:

• Encryption: Data encrypted in transit (TLS/SSL) and at rest
• Access Control: Role-based access (ADMIN/MEMBER) with workspace isolation
• Authentication: JWT-based authentication with secure token storage
• Rate Limiting: 500 req/min general; 5 login attempts/min per IP
• Monitoring: Real-time monitoring and logging of access
• Incident Response: Security incident response plan and notification procedures
• Regular Audits: Security audits and penetration testing

9.2 Your Responsibility

You must:

• Maintain strong passwords and protect credentials
• Limit access to authorized users only
• Use the ADMIN role sparingly
• Monitor and audit user activity
• Comply with your own security policies

9.3 Data Breach Notification

• In case of a data breach, Be Digital will notify you without undue delay
• Notification will include details of the breach and affected data
• You are responsible for notifying affected data subjects per legal requirements

11.1 GDPR Compliance

• Be Digital processes personal data in compliance with GDPR (EU Regulation 2016/679)
• We assist in fulfilling data subject rights
• We maintain records of processing activities

11.2 CCPA / California Privacy Rights Act

• Be Digital complies with the CCPA (California Consumer Privacy Act)
• California residents have rights to access, delete, and opt-out
• We honor consumer requests per CPRA requirements

11.3 Other Privacy Laws

• LGPD (Brazil)
• PIPEDA (Canada)
• Other applicable privacy regulations in your jurisdiction

12.1 Active Data Retention

• Personal data is retained while your workspace is active
• You may delete individual records, conversations, or contacts anytime
• Deleted data is removed from active systems immediately

12.2 Backup Retention

• Deleted data may be retained in backups for 30 days
• Backups are used solely for disaster recovery
• Backup data is not accessible via the Platform interface

12.3 Workspace Termination

• Upon workspace termination, personal data is deleted within 30 days
• Backup data is purged per standard backup retention
• Legally required data may be retained longer

12.4 Data Subject Deletion Requests

• You must submit data subject deletion requests within 30 days
• Be Digital will delete personal data within 30 days of receipt
• Deletion does not apply to legally required retention

13.1 Your Audit Rights

• You have the right to audit our processing of personal data
• We will cooperate with audits and inspections
• You may request proof of GDPR/CCPA compliance
• Audits may be conducted no more than once per year unless legally required

13.2 Regulatory Audits

• We will cooperate with data protection authorities and regulatory agencies
• We will notify you of regulatory requests where legally permitted

16.1 Data Breach Response

Be Digital has a documented incident response plan including:

• Incident detection and investigation
• Containment and remediation
• Notification procedures
• Documentation and reporting

16.2 Your Notification Obligations

• We will inform you of breaches affecting your data
• You are responsible for notifying data subjects and authorities
• You are responsible for assessing breach risk and compliance

17.1 Workspace Termination

• Upon termination, we will securely delete all active personal data
• We will follow data retention schedules for backups
• We will provide documentation of deletion

17.2 Request for Deletion Certification

• You may request a deletion certificate upon termination
• Be Digital will provide certification within 30 days of request